Use case: Configure low-code intelligent workflow scenarios in ForgeRock Identity Cloud

Use case overview

Journeys in ForgeRock Identity Cloud provide an end-to-end workflow that controls the end user experience when authenticating or using self-service. Journeys are extremely flexible and can invoke activities based on many conditions such as user attributes, device types or contextual signals.

Using a simple drag-and-drop editor you can easily build journeys in a tree structure. A journey is made of nodes, which are the building blocks for creating a logical flow within the journey.

ForgeRock provides over 100 ready-to-use nodes that broadly fit into three different categories:

  • Information capturing nodes: These nodes perform actions such as prompting the user, deriving information from the user’s device, assessing user risk information, calling information from a user profile, and making API calls to an external service.

  • Decision nodes: These nodes have two or more outputs. They provide the intelligence to the journey and make decisions based on the outcome, by adapting or changing the direction of the journey.

  • Action nodes: These nodes perform some type of activity such as account lockout, triggering step-up, or sending emails.

In addition to these nodes, inner journeys can be used for subroutines within your journeys.

See Journeys for further information on the types of journey you can create.

Intelligent workflow journey - example

This use case provides the following example journey, which is configured with a variety of out-of-the-box nodes to demonstrate branching on attribute data, contextual conditions, and session data. The example demonstrates the power of layered defense in an orchestration-based identity flow and also provides an example of the implementation of a “passwordless experience”.

Tip: Click or double-click on the screenshot above to view it more clearly.

The journey demonstrates many low-code intelligent workflow capabilities, including:

  • A security-enhanced session with device recognition and device profile record.
  • Secure persistent session data to enhance the end user experience.
  • MFA enrollment and preference collection.
  • Enhanced security for passwordless login.
  • Account status recognition and self-service secure activation and unlock.
  • Nested reusable workflows (inner journeys)

A detailed description of the journey flow can be found later in this article.

Get the journey

You can download the example journey from the ForgeRock Community GitHub here.

Once you have downloaded the journey, you will need to import it into your Identity Cloud tenant.

Note that in addition to the Intelligent Workflows journey, three inner tree journeys are also imported: Baseline-UpdateMFA, Baseline-Passwordless, ResetPassword.

Set the persistent cookie

Before you can use the journey, you’ll need to set the HMAC Signing Key in the Persistent Cookie Decision node and Set Persistent Cookie node. Values must be base64-encoded and at least 256 bits (32 bytes) long.

  1. Generate an HMAC signing key by running one of the following commands:

    $ openssl rand -base64 32
    

    or

     $ cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1|base64
    
    
  2. Click on the Persistent Cookie Decision node and enter the generated HMAC Signing Key.

  3. Click on the Set Persistent Cookie node and enter the generated HMAC Signing Key.

  4. Click Save to save the journey.

See Persistent Cookie Decision node and Set Persistent Cookie node for further information on these nodes.

Journey description

Tip: Click or double-click on the screenshot above to view it more clearly.

The journey has the following flow:

  1. The Device Profile Collector node gathers metadata about the device used to authenticate.

  2. The Persistent Cookie Decision node checks for the existence of the persistent cookie specified in the Persistent Cookie Name property (session-jwt). This would have been set on a previous execution of the Set Persistent Cookie node from Step 11, demonstrating the power of Journeys beyond the current execution and user session.

    If the persistent cookie is not present, the journey continues to Step 4.

  3. If the persistent cookie is present, the Identify Existing User node verifies that a user matching the persistent session identity attribute (_id) exists in Identity Cloud. This facilitates a passwordless and usernameless experience.

    a. If the user exists in Identity Cloud, the Device Match node compares any collected device metadata with that stored in the user’s profile. This provides a security check that not only performs the session match but checks that the device is the same one used last time.

    b. If the device metadata matches the device metadata stored in the user’s profile, the Passwordless Enrolled? node (Attribute Present Decision node) checks if an attribute is present on the user object (profile) for user MFA preference.

    c. If the attribute is present (MFA Preference is set), the Present Passwordless node (Inner Tree Evaluator node) initiates the Baseline-Passwordless inner tree (note that Push MFA has been disabled in the journey). After passing passwordless authentication, the journey resumes at Step 11 (Set Persistent Cookie).

    d. If a device match is false or unknown, or passwordless has not been enrolled, the user is presented with a Page Node that offers the option to sign in with the existing session username and user-supplied password.

    After the user supplies the password matching their stored username, the path continues to Step 5 (Identity Store Decision).

  4. If the persistent cookie is not present or a matching user does not exist in Identity Cloud, the user is presented with a Page Node (“no cookie”) that offers the option to sign in with a username and password.

    After the user supplies their username and password, the path continues to Step 5 (Identity Store Decision).

  5. The Identity Store Decision node verifies that the username and password values match those stored and evaluates the account status in the Identity Cloud identity store. The node has the following outcomes:

    • True - the journey continues to Step 6
    • Locked - the journey continues to Step 9
    • Cancelled or Expired - the journey continues to Step 10
    • False - login fails
  6. If the username and password values match the Identity Cloud identity store, the Passwordless Enrolled? node (Attribute Present Decision node) checks if an attribute is present on the user object (profile) for user MFA preference.

    If the attribute is present (true path), the journey continues to Step 11 (Set Persistent Cookie).

  7. If an attribute is not present (false path), the Login Count Decision node compares the user’s login count property against a specified condition to determine if the user should be asked if they’d like to enroll in passwordless.

    If the condition is not met (false path), the journey continues to Step 11 (Set Persistent Cookie).

  8. If the login count property condition is met (true path), the Enroll in Passwordless? node (Choice Collector node) gives the user the option to enroll with passwordless login.

    The journey continues as follows:

    a. If the user chooses to enroll in passwordless, the Attribute Collector node collects the user’s email address.

    b. The Set up MFA (Inner Tree Evaluator) then initiates the Baseline-UpdateMFA inner tree (Push MFA has been disabled in the journey).

    The journey then continues to Step 11 (Set Persistent Cookie).

  9. If the user’s account is locked, the Account Locked node (Message node) displays a message to send an email to unlock the account.

    The journey continues as follows:

    a. If the user answers “Yes” then the Email Supend node sends an email to the user, with a link to return to this node.

    b. Once the user responds, the Account Lockout node unlocks the account following user action.

    The journey then continues to Step 11 (Set Persistent Cookie).

  10. If the user’s account is cancelled or has expired, the Change password? node (Message node) displays a message to reset password or manage password reset later.

    a. If the user chooses to reset their password, the Reset Password node (Inner Tree Evaluator node) initiates the ResetPassword inner tree.

  11. The Set Persistent Cookie node creates a persistent cookie.

  12. The device profile is then saved in the Device Profile Save node.

  13. The user’s login count is incremented using the Increment Login Count node.

Test the end user journey

This test demonstrates an end user logging in for the first time from a new device with the example intelligent workflows journey.

Prerequisites:

  • The test end user already exists in Identity Cloud for the configured realm.
  • The test end user does not have an MFA preference selected (i.e. the frIndexedMultivalued2 property for the test user is empty)
  • Push MFA has been disabled in the journey
  • The MFA method used in our example is Web Authentication (WebAuthn)
  • Cookies have been cleared to ensure the persistent session is removed

To test the end user journey:

  1. In the Identity Cloud admin UI, go to Journeys.

  2. Click the intelligent workflows journey and copy the Preview URL.

    uc_preview_url

  3. Paste the preview URL into a browser using Incognito or Browsing mode.

    A login screen is displayed indicating that there is no persistent cookie.

  4. Enter the test user’s username and password and click Next.

    uc_no_cookie_login

  5. Select the method for future logins and click Next. In our example, we are choosing to log in without passwords.

    uc_hate_passwords

  6. Confirm the email address and click Next.

    uc_confirm_email

  7. Click Continue to register the device.

  8. Scan your fingerprint when prompted, for example with Touch ID:

    uc_scan_fingerprint

Once your identity has been verified and the device has been associated with the account you are successfully logged in as the test user.

Next time you log in as the test user using the same journey you won’t be asked for a password, just a username and fingerprint scan.

Conclusion

This use case has demonstrated how you can easily construct low-code intelligent workflow journeys in Identity Cloud. Journeys can include contextual nodes for securely storing and retrieving persistent session information, and evaluating the information within the context of the user’s device and user MFA preferences.

Inner Tree Evaluator nodes provide nested functions that demonstrate the power of reusable logic. If more specific or sophisticated functionality is required, simple Javascript Scripted Decision nodes can be used.

You may wish to extend your journeys further, for example by incorporating Autonomous Access to protect against fraud.

Additional resources

Documentation:

Training videos:

Community articles:

Acknowledgements: Ames Fowler

1 Like