Proof of Concept

Architecture
, , , , , , , , ,
#1

This article is an overview of a proof of concept (PoC) we recently completed with one of our partners. The purpose was to demonstrate the ability to use the ForgeRock Identity platform to quickly provide rich authentication (such as biometric authentication by face recognition), and authorization capabilities to a custom mobile application written from scratch.

Indeed, it took about two weeks to develop and integrate the mobile application with the ForgeRock Identity platform, thanks to the externalization of both the registration and the authentication code, and logic out the mobile application itself. The developers had to mostly use the ForgeRock REST API’s to implement these features.

Some important facts:

  • While the authentication leveraged the ForgeRock REST API and authentication trees, the device registration was implemented using a mobile SDK provided by the biometric vendor. Another option could have been to use an existing ForgeRock authentication tree node for the registration, but it would have required the use of a browser. The ideal goal was to provide all the features using a single, custom mobile application for a better user experience.

  • It was decided to use Daon as the biometric authentication solution provider/vendor, even though the ForgeRock Identity platform can be integrated with other authentication solutions. The ForgeRock marketplace is a good place to figure out what’s available for whatever type of authentication you’re looking for.

  • Depending on the solution, we may or may not provide a node for user or device registration. When not available, it can be either developed, or the vendor will provide an SDK to implement registration directly with them.

  • Daon provides two different ways to manage user credentials; they can be left on the user’s device, leveraging the FIDO protocol, or they can be stored in a specific tenant on the Daon’s Identity X server. For that PoC, we chose to use the FIDO protocol, because we wanted to provide the best user experience. So, for example, with as little network latency as possible, and checking a face locally on a mobile device looked faster than having to send it (or a hash of it or so) to a server for verification.

The functional objectives of that PoC were to provide:

  • A way for the mobile application to dynamically discover the available authentication methods, rather than hardcoding or defining in the application configuration the list of methods. We did that using an authentication tree which included three authentication methods, and the ForgeRock Access Management REST API and callbacks to discover the available choices.

  • A way to provide different authentication choices based on some criteria, such as the domain of the user’s email address and the status of that user (already registered in the authentication platform or not).

  • The ability to deliver OTPs by either SMS or email, based on the user’s profile. A user profile including a mobile phone number had to trigger the OTP delivery by SMS, and by email without a filled mobile phone number.

  • Biometric authentication by face recognition, embedded in the custom mobile application, thus providing the best possible user experience, without the need to rely on an extra browser session or additional device.

  • Biometric-enabled device registration: Not only was the face recognition was at authentication time, it was also used for the device registration.

  • OAUTH 2 access tokens delivery, introspection, and usage to gain access to business APIs.

  • Protection of the APIs by authorization rules and the ForgeRock authorization engine.

The PoC logical architecture was as follows:

image
image994×574 95.6 KB

The authentication trees looked like this, with the first couple of screenshots showing the main tree, and the third screenshot showing the biometric authentication tree, embedded in the main tree:

In the main tree, we used a few custom JavaScript scripted nodes to implement the desired logic; for example, to expose different authentication choices based on the user’s email address domain:

Below, you can see the registration flow diagram:

  • The relying party app is the custom mobile application developed during the PoC.

  • The FIDO client in our case was the Daon’s mobile SDK running in the mobile app. That SDK is especially responsible for triggering the camera to take a picture of the user’s face.

  • The relying party server is ForgeRock Access Management.

  • The FIDO server is Daon’s Identity X server:

The depicted registration flow above is actually the one that occurs when using a browser and the ForgeRock registration node for Daon. When using a custom mobile app and the Daon mobile SDK, the registration request and responses go directly from the mobile application to the Daon’s Identity X server, so without going through ForgeRock Access Management.

On the contrary, the authentication flow always goes through ForgeRock Access Management, leveraging the nodes developed for that purpose:

Feel free to ask for questions for more details!