ForgeRock Intelligent Authentication - Authentication Trees, Signals & Nodes

As part of our Intelligent Authentication initiative in Access Management (AM), which was announced with the launch of the ForgeRock Identity Platform 6.0, ForgeRock has built a new technology that we’re calling Authentication Trees. Our aim is to give our customers the most flexible framework to define their end users’ authentication experience and empower them to build trusted digital relationships. We’ve given the ForgeRock Technology Partners a head start in experimenting with Trees to expose their services on our platform. With the upcoming launch, I wanted to share with you how Authentication Trees work, and highlight the experience some of our partners have had so far.

Authentication Trees provide fine-grained authentication by allowing multiple paths and decision points throughout the authentication flow. Trees are made up of authentication nodes, which define the actions taken during authentication. Unlike the authentication modules used in prior versions of the platform, each node is a small unit of work with a single purpose; you combine nodes to define your unique user experience. A node may perform a simple action such as collecting a username (a collector node). It may make an authentication decision based on the username and password (a decision node). It may require the end user to authenticate via their mobile phone (an out-of-band authentication node). Or it may branch a Tree based on the type of device the user is on (a signal node). These are just a few examples of the configurability that Trees offer.

Below is an example of a simple Authentication Tree which is configured to collect a username and password and check them against the data store. Notice that if the data store decision is false, the Authentication Tree starts the flow over again.

[Figure: Authentication Trees in Action]


Not only are Authentication Trees easy for an administrator to use, nodes were also designed to be easy to build and customize. As a developer, you can build nodes in three languages: Java, JavaScript and Groovy. When writing a node, you now have the option to define a custom “outcome provider.” A single outcome provider lists all the possible outcomes that a node could have. For example, the LDAP Decision node below has the outcomes true, false, locked, and expired. To learn more about how to build a node, check out fellow ForgeRocker Jamie Bowen’s blog.


[Figure: the LDAP Decision node with outcomes true, false, locked and expired]
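
The composition described above (single-purpose nodes that each declare their outcomes, wired into a tree in which the data store decision loops back on false, and a four-outcome LDAP-style decision node) as an added example in JavaScript. This is not ForgeRock's code or the AM node API: the node shapes, the `runTree` engine and its step cap, `validateTree`, and the in-memory `USER_STORE` are all assumptions constructed for illustration. It goes a little beyond the post's simple tree by also wiring a signal node and an out-of-band step into a second tree.

```javascript
// Added example, not ForgeRock's code: a minimal model of an authentication tree built
// from single-purpose nodes that each declare their outcomes. The node names, the
// runTree engine, its step cap and USER_STORE are all constructed for this example.

// Constructed user records standing in for the data store.
const USER_STORE = {
  alice: { password: "correct horse", locked: false, expired: false },
  bob:   { password: "hunter2",       locked: true,  expired: false },
  carol: { password: "battery",       locked: false, expired: true  },
};

// Collector node: stores the next value the user supplied under `field` (single outcome).
const collector = (field) => ({
  outcomes: ["outcome"],
  process: (state, inputs) => ({ outcome: "outcome", state: { ...state, [field]: inputs.shift() } }),
});

// Data Store Decision node with the two outcomes used by the post's simple tree.
// (Plain string comparison is a stand-in for the store verifying a hashed credential.)
const dataStoreDecision = {
  outcomes: ["true", "false"],
  process: (state) => {
    const user = USER_STORE[state.username];
    return { outcome: user !== undefined && user.password === state.password ? "true" : "false", state };
  },
};

// LDAP-style decision node with the four-outcome provider the post mentions, so a locked
// or expired account can be routed differently from a bad password.
const ldapDecision = {
  outcomes: ["true", "false", "locked", "expired"],
  process(state) {
    const user = USER_STORE[state.username];
    if (user === undefined || user.password !== state.password) return { outcome: "false", state };
    if (user.locked) return { outcome: "locked", state };
    if (user.expired) return { outcome: "expired", state };
    return { outcome: "true", state };
  },
};

// Signal node: branches on the device type carried in the state.
const deviceSignal = {
  outcomes: ["mobile", "desktop"],
  process: (state) => ({ outcome: state.device === "mobile" ? "mobile" : "desktop", state }),
};

// Out-of-band node: the platform would prompt the user's phone; here a constructed flag.
const pushApproval = {
  outcomes: ["true", "false"],
  process: (state) => ({ outcome: state.pushApproved ? "true" : "false", state }),
};

const TERMINALS = new Set(["SUCCESS", "FAILURE"]);

// Every declared outcome of every node must be wired to an existing node or a terminal.
function validateTree(tree) {
  const errors = [];
  if (!(tree.entry in tree.nodes)) errors.push(`entry node "${tree.entry}" is missing`);
  for (const [id, { node, next }] of Object.entries(tree.nodes)) {
    for (const outcome of node.outcomes) {
      const target = next[outcome];
      if (target === undefined) errors.push(`${id}: outcome "${outcome}" is not wired`);
      else if (!TERMINALS.has(target) && !(target in tree.nodes)) errors.push(`${id}: unknown node "${target}"`);
    }
  }
  return errors;
}

// Walk from the entry node to a terminal. `inputs` is the queue of values the user types;
// `maxSteps` bounds a tree that restarts itself on failure (the cap is this example's).
function runTree(tree, inputs, initialState = {}, maxSteps = 20) {
  const errors = validateTree(tree);
  if (errors.length > 0) throw new Error(errors.join("; "));
  let current = tree.entry, state = { ...initialState };
  const path = [];
  for (let steps = 0; !TERMINALS.has(current); steps++) {
    if (steps >= maxSteps) return { result: "FAILURE", reason: "step limit", path, state };
    const { node, next } = tree.nodes[current];
    const step = node.process(state, inputs);
    if (!node.outcomes.includes(step.outcome)) throw new Error(`${current}: undeclared outcome "${step.outcome}"`);
    state = step.state;
    path.push(`${current}:${step.outcome}`);
    current = next[step.outcome];
  }
  return { result: current, path, state };
}

// The post's simple tree: collect username and password, check the data store, restart on false.
const simpleTree = {
  entry: "username",
  nodes: {
    username: { node: collector("username"), next: { outcome: "password" } },
    password: { node: collector("password"), next: { outcome: "decision" } },
    decision: { node: dataStoreDecision, next: { true: "SUCCESS", false: "username" } },
  },
};

// A tree combining the four-outcome decision, a signal node and an out-of-band step.
const steppedUpTree = {
  entry: "username",
  nodes: {
    username: { node: collector("username"), next: { outcome: "password" } },
    password: { node: collector("password"), next: { outcome: "ldap" } },
    ldap:   { node: ldapDecision, next: { true: "device", false: "username", locked: "FAILURE", expired: "FAILURE" } },
    device: { node: deviceSignal, next: { mobile: "SUCCESS", desktop: "push" } },
    push:   { node: pushApproval, next: { true: "SUCCESS", false: "FAILURE" } },
  },
};

console.log(runTree(simpleTree, ["alice", "wrong", "alice", "correct horse"]).path.join(" -> "));
```

Running the file prints the path of a login that fails once and then succeeds, which makes the restart loop visible. `validateTree` is the check worth running before a tree is deployed: an outcome that a node can produce but that nobody wired up is reported up front instead of surfacing as a dead end for a user, and `runTree` refuses an outcome a node did not declare, so a node cannot quietly route around the tree the administrator drew.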


While AM in the 6.0 platform will include over 40 nodes out of the box, the backstage marketplace has community-contributed nodes as well as nodes built by the ForgeRock Technology Partners.

One of our partners, Intensity Analytics, provides a frictionless adaptive authentication solution which uses your physical behavior to decide whether you are the person behind the keyboard or mobile screen. Jonathan Galentine, a Senior Developer at Intensity, explained how Authentication Trees streamlined the integration process. “Thanks to ForgeRock's stellar Authentication Tree framework, we were able to protect user logins with TickStream.KeyID behavioral analytics faster than any previous integration.” Through the simplicity of Authentication Trees, we’re able to expose services like KeyID to ForgeRock customers.

HYPR, another ForgeRock Technology Partner, provides a Decentralized Authentication service which minimizes the risk of enterprise data breaches while providing a secure password-less experience for customers and employees. Bojan Simic, Chief Technology Officer at HYPR, talked about their experience: “Authentication Trees offer unparalleled flexibility when deploying HYPR Decentralized Authentication. From an integration perspective, ForgeRock has simplified the process orders of magnitude when compared with other identity frameworks. The ease of use really stands out and empowers our customers to securely bridge the gap between Identity and Authentication.”

Intelligent Authentication impacts every step of identity and access management. Authentication Trees are easily configurable for administrators, nodes are simple to build for developers, and the system is effective for protecting end users. If you’re looking to increase the flexibility and simplicity of the user experience, or are interested in exposing your services to ForgeRock customers, check out the ForgeRock Identity Platform. To learn more about Intelligent Authentication, visit here.