Use case: Configure identity verification of new users in ForgeRock Identity Cloud

Setup
, , , , , ,
#1

Use case overview

Enabling organizations to verify end users through identity proofing is a common use case that is easily implemented in ForgeRock Identity Cloud. Adding an identity verification step to your user journeys creates a high level of assurance by bringing physical identities, such as official identification documents and biometrics, to the digital world.

Identity Cloud integrates with several third-party identity verification services out of the box. Examples include Onfido, BioCatch and Jumio.

For this use case, we’ll demonstrate how to include an Onfido identity check in a user registration journey. An Onfido check can include the user’s official identification documents such as a passport or driver’s license and optionally collect biometrics.

Steps to achieve this use case

In this simple use case, we’ll create a registration journey that registers a new user to Identity Cloud, including an identity check. The journey collects the user’s username and email address, and then checks an official identification document with Onfido and uses the response to provision their account.

Prerequisites

You will need a Live API token, which is available from the Tokens pane of the Onfido dashboard.

Create an Onfido registration journey

  1. Sign in to the Identity Cloud admin UI using your admin tenant URL, in the format https://<tenant-name>/am/XUI/?realm=/#/.

  2. Go to Journeys > New Journey.

  3. Enter a unique name for the Onfido journey, select which identities will authenticate using this journey, (optionally) enter a journey description, and click Save.

  4. Create a journey similar to this:

    uc_onfido_registration_journey
    uc_onfido_registration_journey2368×978 218 KB

    Node descriptions:

    • Platform Username - Prompts the user to enter their username. See Platform Username node for further information.

    • Attribute Collector - Collects the values of attributes that will be used to populate the new account in Identity Cloud. See Attribute Collector node for further information.

    • Onfido Registration - Registers a user with Onfido using identity verification, and optionally collecting biometrics. See Onfido Registration node for further information.

    • Onfido Check - Integrates an Onfido check for identity verification, matching a user with their official identification documents. See Onfido Check node for further information.

    • Polling Wait - Pauses authentication progress for a specified number of seconds, to wait for a response from the Onfido check. See Polling Wait node for further information.

    • Platform Password - Collects the user’s password once the verification step has been completed. See Platform Password node for further information.

    • Create Object - Creates a new user account in Identity Cloud based on information collected during registration. The Identity Resource must match the user object, for example, managed/alpha_user (the default is managed/user). See Create Object node for further information.

  5. Click the Attribute Collector node and add the Attributes to Collect and the corresponding Identity Attribute. This is the attribute that will be used to identify the user object in Identity Cloud.

    In our example we’re collecting the user’s email:

    uc_attribute_collector_node_mail
    uc_attribute_collector_node_mail634×1026 73.9 KB

  6. Click the Onfido Registration node and configure the following:

    • Onfido Live Token - Paste in the Onfido Live API token from the Onfido dashboard.

    • Just-in-Time Provisioning - Select this check box. When selected, the account will be provisioned In Identity Cloud, after checking the user’s identification documentation with Onfido.

    • Onfido ApplicantID Attribute - Make sure the value matches a managed user attribute for the selected realm that will be used by the Onfido Registration node. (To configure the managed object properties for the alpha realm, go to Native Consoles > Identity Management > Configure > Managed Objects > Alpha_user). The default is title.

    uc_onfido_registration_node1
    uc_onfido_registration_node1626×1520 116 KB

  7. Click the Onfido Check node and paste in the Onfido Live API token from the Onfido dashboard.

    uc_onfido_check_node
    uc_onfido_check_node626×990 71.1 KB

    The Onfido Check node outcomes for this journey are:

    • Clear - the document is valid and the user can complete the registration.

    • Consider - Onfido rejected one or more documents or images, so this is treated as a failed verification. Note that you could consider linking this outcome to an additional authentication step in your journey for stronger step-up authentication.

    • Deny - the check has failed and the user is denied access.

    • Pending - the authentication has paused to allow time for Onfido to begin processing before the Onfido Check node is called to retrieve the status of the checks. You can adjust this time in the Polling Wait node. The default is 8 seconds.

  8. Click Save to save the journey.

Testing the use case

To test this use case, make sure that your test end user doesn’t already have an account in Identity Cloud.

You will need the following:

  • An official identification document. In our example, we’ll use a driver’s licence.
  • A mobile phone.

Provision a new user account with Onfido

  1. In the Identity Cloud admin UI, go to Journeys.

  2. Click the Onfido journey you created previously and copy the Preview URL.

    uc_preview_url

  3. Paste the preview URL into a browser using Incognito or Browsing mode.

  4. Enter the test user’s username in the Sign In screen and click Next.

    uc_onfido_username
    uc_onfido_username954×548 25.4 KB

  5. Enter the test user’s email address and click Next.

    uc_onfido_email
    uc_onfido_email954×550 31.4 KB

  6. Click Verify Identity.

    uc_onfido_identity_verification
    uc_onfido_identity_verification1016×1186 65.4 KB

  7. Click on the document type to use for verification. In our example, we’re using a Driver’s Licence.

    uc_onfido_choose_document_type
    uc_onfido_choose_document_type1012×1188 99.6 KB

  8. Select the issuing country for the driver’s licence and click Submit document.

    uc_onfido_select_issuing_country
    uc_onfido_select_issuing_country1010×1182 66.8 KB

  9. Click Continue on phone.

    uc_onfido_submit_licence
    uc_onfido_submit_licence998×1170 75.8 KB

  10. Click Get secure link.

    uc_onfido_continue_on_phone
    uc_onfido_continue_on_phone1012×1182 90.4 KB

  11. Scan the QR code with your phone and go to the Onfido site.

    uc_onfido_get_secure_link
    uc_onfido_get_secure_link766×896 98.2 KB

  12. Follow the instructions on your phone to confirm the readability of each side of the document. For example:

    uc_onfido_check_your_image
    uc_onfido_check_your_image1064×1755 335 KB

    Once the uploads of the back and front of the document are complete, return to your computer to complete the registration.

  13. Click Submit verification.

    uc_onfido_submit_verification
    uc_onfido_submit_verification1002×1186 72.2 KB

  14. Once the document has been verified, enter a password for the test user and click Next.

    uc_onfido_password
    uc_onfido_password960×546 25.7 KB

    If the registration is successful, you are successfully logged in as the test end user. The user’s account is created in Identity Cloud.

uc_asmith_login_screen
uc_asmith_login_screen2866×1284 118 KB

Notice that in the user’s profile (Edit Your Profile > Edit Personal Info), the field that is used to collect the Onfido ApplicantID Attribute contains a unique identifier from Onfido. For example:

uc_onfido_attribute
uc_onfido_attribute1526×132 24.5 KB

Additional resources

A comprehensive approach to CIAM vendor selection
ForgeRock Identity Cloud: Easily enable identity into applications