FranceConnect authentication and registration in ForgeRock AM 5

Author: Sheila Albertelli
Created at: May 2017
Updated at: Dec 2022

Written by Léonard Moustacchis


FranceConnect is the French national Identity Provider (IDP). It acts as a hub connected to third-party IDPs: La Poste (mail service), Ameli (health agency) and impots.gouv.fr (tax service). A national IDP is not a new concept in Europe, where the eIDAS regulation has applied for years, for example Fedict in Belgium or gov.uk in the UK. Whereas most national IDPs are SAML based (some of them use the Stork profile), the FranceConnect service is based on OpenID Connect.

This article explains how to implement FranceConnect authentication in ForgeRock Access Manager 5.0.

First, create an account on FranceConnect via the link "Pas encore inscrit ? Je crée mon compte pour utiliser le service FranceConnect" ("Not yet registered? Create my account to use the FranceConnect service"); it takes a few minutes.

The only information needed is the callback URL, for example: http://openam.example.com/openam/oauth2c/OAuthProxy.jsp

The client ID (« key ») and the client secret (« secret ») will be sent by email.

The rest of the configuration is done in the ForgeRock AM admin console.

Go to Authentication > Modules and create a new OAuth 2.0 / OpenID Connect authentication module.

https://backstage-community-prod.storage.googleapis.com/original/2X/b/b34e2b2faccd9e33a5b6d4c19745d0dc9cc89798

This configuration maps the user on the email attribute and (optionally) creates the user in the datastore automatically.

The following attributes have been mapped: given_name=givenname, family_name=sn, email=mail. The full FranceConnect attribute list is here: "Accédez simplement à vos services publics en ligne avec FranceConnect" ("Access your online public services simply with FranceConnect").
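As an added illustration (not code from the article or from ForgeRock AM), the following model reproduces what the two steps above ask the module to do: translate the FranceConnect claims with the mapping given_name=givenname, family_name=sn, email=mail, look the account up on mail, and create it when it does not exist. The userinfo document, the datastore dict and the uid scheme are constructed for the example.

```python
# Added example: a minimal model of the AM OAuth 2.0 / OIDC module's attribute
# and account mapping as configured in the article. Not ForgeRock code.
ATTRIBUTE_MAPPING = {"given_name": "givenname", "family_name": "sn", "email": "mail"}
ACCOUNT_MAPPING = {"email": "mail"}  # FranceConnect claim -> datastore attribute
CREATE_ACCOUNT_IF_MISSING = True     # the article marks this step as optional

class AccountMappingError(Exception):
    """Raised when the claims cannot identify exactly one datastore account."""

def map_attributes(claims, mapping=ATTRIBUTE_MAPPING):
    """Translate IDP claim names into datastore attribute names.
    Claims absent from the mapping are deliberately dropped."""
    return {attr: claims[claim] for claim, attr in mapping.items() if claim in claims}

def resolve_account(claims, datastore, create=CREATE_ACCOUNT_IF_MISSING):
    """Return (uid, created) for the datastore entry matching the claims.
    `datastore` is a dict uid -> attributes standing in for the AM datastore."""
    # 1. Build the search filter from the account mapping; a missing claim is a
    #    mapping failure, not a reason to create a new account.
    try:
        search = {attr: claims[claim] for claim, attr in ACCOUNT_MAPPING.items()}
    except KeyError as missing:
        raise AccountMappingError(f"claim {missing} absent from userinfo") from None
    # 2. Match on every mapped attribute; more than one hit is ambiguous.
    matches = [uid for uid, attrs in datastore.items()
               if all(attrs.get(a) == v for a, v in search.items())]
    if len(matches) > 1:
        raise AccountMappingError(f"{search} matches several accounts: {matches}")
    if matches:
        return matches[0], False
    if not create:
        raise AccountMappingError(f"no account for {search} and creation disabled")
    # 3. Provision the account from the mapped attributes.
    attrs = map_attributes(claims)
    uid = attrs["mail"]  # hypothetical uid scheme: reuse the mapped mail value
    datastore[uid] = attrs
    return uid, True

# Constructed userinfo resembling a FranceConnect response for the Ameli test
# account named in the article; every value other than the names is made up.
SAMPLE_USERINFO = {"sub": "constructed-sub-0001", "given_name": "Eric",
                   "family_name": "Mercier", "email": "eric.mercier@example.com",
                   "birthdate": "1980-01-01"}

def demo():
    """First login provisions the account, second login finds it again."""
    datastore = {}
    uid, created = resolve_account(SAMPLE_USERINFO, datastore)
    _, created_again = resolve_account(SAMPLE_USERINFO, datastore)
    return uid, created, created_again, datastore[uid]
```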

Go to Authentication > Chains and create a new authentication chain named FranceConnectNationalAuthenticationService that contains the FranceConnect authentication module with the Required criterion.

https://backstage-community-prod.storage.googleapis.com/original/2X/f/f3350f773cd32c26828c10277839b6fab74dbefe

To activate the FranceConnect button on the login page, add it under Services > Social Authentication Implementations.

https://backstage-community-prod.storage.googleapis.com/original/2X/b/bff9376afae6e65e2a09ca35fe0c6e9b7b46fdd7

Let's try!

Go to the login page.

https://backstage-community-prod.storage.googleapis.com/original/2X/0/0395210577a6f4fc717b22bea32f685773b87e77

Choose « s’identifier avec FranceConnect » ("sign in with FranceConnect").

Example accounts are provided for the major IDPs.

Choose the Ameli.fr IDP; the example account has login 18712345678912345 and password 123.

The account is stored in the AM datastore.

You are now logged in as Mr Eric Mercier!

https://backstage-community-prod.storage.googleapis.com/original/2X/8/85a4f8f0ef2f3d383915d52ed03061e67d1dedbe