Forgerock AM Node v1.1
PREVIEW RELEASE of an authentication node for ForgeRock's Identity Platform that protects the login process with TickStream.KeyID. With TickStream.KeyID, a user's typing behavior can be passively or actively enrolled and then evaluated at login, providing a second factor based on behavioral biometrics.
For evaluation licenses please contact email@example.com
The code in this repository has binary dependencies that live in the ForgeRock Maven repository. Maven can be configured to authenticate to this repository by following the relevant ForgeRock Knowledge Base article.
Copy the .jar file from the ../target directory into the ../webapps/openam/WEB-INF/lib directory where AM is deployed. Restart the AM service to load the TickStream.KeyID authentication tree node. The TickStream.KeyID components will then be available for use in the Authentication Tree designer.
To protect logins with TickStream.KeyID you must configure the Authentication Tree to use the TickStream.KeyID Login Form and TickStream.KeyID nodes.
The TickStream.KeyID node evaluates the login data captured by the login form. Typically the node is placed after the password has been authenticated. You must provide the web service URL and authentication key for your TickStream.KeyID server. Several additional configuration options let you customize the login process:
| Option | Description |
|---|---|
| Connection Timeout | TickStream.KeyID web service connection timeout in milliseconds |
| Reset Profile | Reset the TickStream.KeyID profile after verification |
| Validation / Enrollment | How access is gated and how the profile is enrolled; one of the five combinations below |
| Passive / None | Always allow the user access, do not enroll the profile |
| Passive / Passive | Always allow the user access, passively enroll the profile |
| Active / None | Gate user access, do not enroll the profile |
| Active / Passive | Gate user access, passively enroll the profile with each subsequent login |
| Active / Active | Gate user access, actively enroll the profile until it is complete |
| Custom Threshold | Use a custom threshold instead of the TickStream.KeyID server setting |
| Threshold Confidence | Custom threshold confidence value (integer) |
| Threshold Fidelity | Custom threshold fidelity value (integer) |
| Grant On Error | Allow access if there is an error communicating with the TickStream.KeyID web service |
Passwords used for enrollment should be at least 10 characters. With the TickStream.KeyID Auth Tree Node you may configure enrollment to be 'active' or 'passive'. In the active scenario shown above, a user will be prompted to enter their password repeatedly until the behavior profile is complete. In a passive scenario, the user profile will be built over subsequent logins.
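The following is an added example, not code from this repository, modelling how the options in the table above combine into a single login decision. The web service reply (`KeyIDResult`), the server-side default thresholds and the exact behaviour of active enrollment on an incomplete profile are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class NodeConfig:
    validation: str                 # "Passive" or "Active"
    enrollment: str                 # "None", "Passive" or "Active"
    custom_threshold: bool = False
    threshold_confidence: int = 0   # only consulted when custom_threshold is set
    threshold_fidelity: int = 0
    grant_on_error: bool = False

@dataclass
class KeyIDResult:
    """Constructed stand-in for the TickStream.KeyID web service reply."""
    confidence: int
    fidelity: int
    profile_complete: bool
    error: Optional[str] = None     # set when the web service call failed

# Assumed server-side default thresholds (placeholder values, not from the page).
SERVER_CONFIDENCE, SERVER_FIDELITY = 70, 70

def decide(cfg: NodeConfig, r: KeyIDResult) -> Tuple[str, bool]:
    """Return (outcome, enroll_sample).

    outcome is 'allow', 'deny' or 'reprompt' (ask for the password again);
    enroll_sample says whether this login's typing sample is added to the profile.
    """
    if r.error is not None:
        # Grant On Error decides whether a web service failure fails open or closed.
        return ("allow" if cfg.grant_on_error else "deny"), False
    enroll = cfg.enrollment != "None"
    if cfg.validation == "Passive":
        return "allow", enroll      # passive validation never gates access
    # Active validation gates access on the thresholds in effect.
    if cfg.custom_threshold:
        conf_t, fid_t = cfg.threshold_confidence, cfg.threshold_fidelity
    else:
        conf_t, fid_t = SERVER_CONFIDENCE, SERVER_FIDELITY
    if cfg.enrollment == "Active" and not r.profile_complete:
        # Assumption: active enrollment keeps re-prompting until the profile is complete.
        return "reprompt", True
    if r.confidence >= conf_t and r.fidelity >= fid_t:
        return "allow", enroll
    return "deny", False
```

Note that with Grant On Error enabled a web service outage silently removes the second factor, so that setting is a deliberate availability-over-security trade-off.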
When a user's password is reset, the user's TickStream.KeyID profile must also be reset using the TickStream.KeyID web service. Because the password reset process is environment and deployment specific, we only provide a simple scenario using authentication trees for demonstration purposes.
You can construct a password reset authentication tree using TickStream.KeyID components and the ForgeRock Set Profile Property authentication node. Construct the tree as shown in the diagram above. Configure the TickStream.KeyID node normally, enable the Reset Profile option, and disable Profile and Passive enrollment. Configure the Set Profile Property node with a key of userPassword and a value of
When the authentication tree is accessed, the user is prompted for their username and password, the password and typing behavior are validated, the user is prompted for a new password, and the KeyID profile and user password are changed.
Errors, warnings and messages are logged in the openam/openam/debug/KeyIDNode file. You may configure the logging level in AM on the openam/Debug.jsp page. By default, only errors are logged when the AM service is started.