Use case: Allow end users to manage trusted devices in ForgeRock Identity Cloud

Use case overview

Allowing end users to manage their own trusted devices, such as mobile devices and laptops, is a common use case that is easily implemented in ForgeRock Identity Cloud.

User journeys can be configured with device nodes to facilitate the registration of devices to the user’s account. The user can then manage their trusted devices (allow or revoke) in the End User UI.

Steps to achieve this use case

To create a simple trusted device registration journey:

  1. Sign in to the Identity Cloud admin UI using your admin tenant URL, in the format https://<tenant-name>/am/XUI/?realm=/#/.

  2. Go to Journeys > New Journey.

  3. Enter a unique name for the trusted device registration journey, select which identities will authenticate using this journey, (optionally) enter a journey description, and click Save.

  4. Create a journey similar to this, keeping the default node configurations as they are:

    Node descriptions:

    • Platform Username - Prompts the user to enter their username. See Platform Username node for further information.

    • Device Profile Collector - Gathers metadata about the device used to authenticate. See Device Profile Collector node for further information.

    • Device Match - Compares any collected device metadata with that stored in the user’s profile. See Device Match node for further information.

    • Message Node - Presents a custom, localized message to the user. See Message node for further information.

    • Platform Password - Collects the user’s password if no device has been registered. See Platform Password node for more information.

    • Device Profile Save - Persists collected device data to a user’s profile in the identity store. Use the Maximum Saved Profiles property to configure the maximum number of device profiles to persist per user. The default is 5. See Device Profile Save node for further information.

    • Increment Login Count - Increments the successful login count property of a managed object. See Increment Login Count node for further information.

  5. Click on the Message Node and add the message that will prompt the user to register their device. For example, “Do you want to register a new trusted device?”.

  6. Click Done and then Save.

  7. Click Save to save the journey.
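The journey above lets a matched device profile stand in for the password, so the match rule and the saved-profile cap are the security-relevant settings. The following model is an added illustration of that branching (not ForgeRock code; the profile fields, the "at most N attributes differ" match rule and the evict-oldest policy are assumptions standing in for the nodes' real configuration):

```python
"""Model of the trusted-device journey: Platform Username -> Device Profile Collector
-> Device Match -> (Message Node -> Platform Password -> Device Profile Save)
-> Increment Login Count. Assumed wiring and match rule, for illustration only."""
from dataclasses import dataclass, field
from typing import Optional

MAX_SAVED_PROFILES = 5  # Device Profile Save default named on the page


@dataclass
class User:
    username: str
    password: str
    devices: list = field(default_factory=list)  # saved profiles, oldest first


def device_matches(stored: dict, collected: dict, max_diffs: int = 0) -> bool:
    """Assumed rule: the collected profile matches a stored one if at most
    max_diffs attributes differ (the real node has its own variance settings)."""
    keys = set(stored) | set(collected)
    diffs = sum(1 for k in keys if stored.get(k) != collected.get(k))
    return diffs <= max_diffs


def save_profile(user: User, profile: dict) -> None:
    """Persist a profile, evicting the oldest once the cap is exceeded."""
    user.devices.append(profile)
    while len(user.devices) > MAX_SAVED_PROFILES:
        user.devices.pop(0)


def run_journey(user: User, collected: dict, password: Optional[str],
                register: bool) -> str:
    """Return the journey outcome for one authentication attempt."""
    if any(device_matches(d, collected) for d in user.devices):
        return "success:trusted-device"      # Device Match true: no password prompt
    if password != user.password:
        return "failure:bad-password"        # Platform Password rejects the attempt
    if register:                             # user answered Yes at the Message Node
        save_profile(user, collected)        # Device Profile Save
        return "success:device-registered"
    return "success:password-only"


if __name__ == "__main__":
    alice = User("alice", "s3cret")          # constructed test user
    laptop = {"platform": "MacIntel", "browser": "Chrome", "screen": "1440x900"}
    print(run_journey(alice, laptop, "s3cret", True))   # registers the laptop
    print(run_journey(alice, laptop, None, False))      # matched: password skipped
```

Running it twice with the same profile shows the second sign-in succeeding without a password, which is exactly why a loose match rule or an unbounded profile list widens the trust granted to a device.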

Testing the use case

This use case demonstrates how to register a trusted device on a test end user’s profile, rename the trusted device, and remove a trusted device from the user’s profile.

Register a trusted device

  1. In the Identity Cloud admin UI, go to Journeys.

  2. Click the trusted device journey you created previously and copy the Preview URL.

    Copy Preview URL

  3. Paste the preview URL into a browser using Incognito or Private Browsing mode.

  4. Enter the test user’s username in the Sign In screen and click Next.

  5. Click Yes to register the new trusted device.

    Register device?

  6. Enter the test user’s password and click Next.

    Once the test user’s identity has been verified and the authenticating device has been associated with their account, you are successfully logged in.

  7. Click Edit Your Profile.

    Trusted devices are shown in the Trusted Devices section. Click on the trusted device to display its details. For example:

  8. Click Edit to edit the device name and click Save. For example:

    Trusted device example

  9. Repeat steps 1 through 6 on a different device (for example a mobile phone) to register a second device.

Remove a trusted device from the end user’s profile

  1. Log into Identity Cloud as the same test end user.

  2. Click Edit Your Profile.

    Trusted devices are shown in the Trusted Devices section.

  3. Click on the device you want to remove (this can’t be the current device) and click Remove Device.

  4. Click Remove Device.

    Remove device

    The device is no longer a trusted device on the user’s profile.

Conclusion

This use case has demonstrated how to design a simple user journey, using out-of-the-box nodes in Identity Cloud, to enable end users to easily register and manage their own trusted devices.

Additional resources

Documentation:

Training videos:


@lucy.billington: Where does the profile data get stored in the ForgeRock Cloud product? I can see it in the UI but am not able to see it against the identities.

Hi @akash.shah,

The user profile is stored in AM’s user store, which is shared between IDM and AM (note that the directory server is private, not accessible from the outside). Not all properties are visible from the IDM side, and not all properties are visible from the AM side either. Those that are shared are described here: User identity attributes and properties reference :: ForgeRock Identity Cloud Docs. As such, device information is not visible from the IDM side. This KB shows how to access the device profile from AM: Knowledge - ForgeRock BackStage.

Regards
Patrick
