1Kosmos integrates with ForgeRock to deliver biometric passwordless authentication and identity verification across ForgeRock-managed applications and authentication journeys.
Integration type: SSO
Overview
1Kosmos integrates with ForgeRock by acting as the upstream identity provider or as an authentication node within ForgeRock's journey (tree) framework. This allows ForgeRock's existing application portfolio to benefit from 1Kosmos biometric verification and identity proofing without modifying the downstream applications themselves.
In a SAML-based integration, ForgeRock is configured as the SAML service provider and 1Kosmos as the SAML identity provider. ForgeRock's federation services use the standard SAML 2.0 protocol and support both hosted and remote entity configurations. The integration uses ForgeRock's Realms and Federation configuration in the ForgeRock admin console to register 1Kosmos as a remote identity provider.
For identity verification use cases, 1Kosmos can be invoked as an authentication node within a ForgeRock journey, allowing organizations to trigger IDV at specific steps in a login flow (e.g., during onboarding, high-risk transactions, or privileged access requests) without a full SAML federation setup.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal with IDV enabled. Contact 1kosmos.com/contact if not yet provisioned.
ForgeRock / PingOne Advanced Identity Cloud access: Administrator access to the ForgeRock admin console with permission to configure federation settings and authentication journeys.
ForgeRock version: SAML federation is available in ForgeRock Access Management (AM) 6.0 and later, and in PingOne Advanced Identity Cloud. Confirm your version supports the SAML 2.0 IdP registration path.
1Kosmos SAML metadata: Collect the 1Kosmos metadata XML or URL from AdminX before beginning ForgeRock configuration.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for ForgeRock:
| Field | Where to find it |
|---|---|
| SAML Metadata URL or XML | AdminX → Settings → IdP Configuration → Metadata URL |
| SSO URL | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| IdP Entity ID | AdminX → Settings → IdP Configuration → Core Configuration |
| Signing Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
Values to collect from ForgeRock (SP) for AdminX:
| Field | Where to find it |
|---|---|
| SP Entity ID | ForgeRock admin console → Realms → [realm] → Applications → Federation → Entity Providers → [SP entity] → Entity ID field |
| ACS URL | SP entity configuration → Assertion Consumer Service tab → ACS URL |
| SP Metadata (optional) | Export SP metadata from the Entity Providers screen |
Integration steps
Step 1: Register 1Kosmos as a remote identity provider in ForgeRock
Log in to the ForgeRock admin console and select the appropriate Realm.
Navigate to Applications → Federation → Entity Providers.
Click Import Entity and upload the 1Kosmos SAML metadata XML, or select Remote and enter the 1Kosmos metadata URL. ForgeRock will populate the entity configuration from the metadata.
After import, configure the 1Kosmos entity as a trusted identity provider by adding it to the active Circle of Trust for your realm under Federation → Circles of Trust.
Step 2: Configure the ForgeRock hosted SP entity
In ForgeRock, navigate to Entity Providers and select or create the hosted service provider entity for your realm.
Confirm the Entity ID and ACS URL values. Note these for use in AdminX.
Under IDP Adapters or Authentication Settings, configure the hosted SP to send its authentication requests to 1Kosmos by selecting the 1Kosmos entity as the remote IdP for the applicable authentication flow or journey.
Step 3: Add ForgeRock as a SAML application in AdminX
Log in to the AdminX portal and navigate to Applications → Add Application.
Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.
Enter "ForgeRock" as the Application Name, set Instance to Production, and enter the ForgeRock login URL as the Application Access URL. Click Next.
Set NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email. Add claims for email, first name, and last name. Click Next.
Enter the ForgeRock SP Entity ID and ACS URL. Enable Assertion signing and click Save.
Step 4: Test the integration
Navigate to a ForgeRock-protected application or the ForgeRock login page and initiate the SSO flow.
Confirm you are redirected to 1Kosmos. Authenticate biometrically and confirm you are returned to the ForgeRock application with valid session access.
Attribute mappings
| Source (1Kosmos) | Target (ForgeRock) | Description |
|---|---|---|
| user.email | mail / NameID | Primary identifier for user lookup in ForgeRock's directory |
| user.firstName | givenName / cn | User first name |
| user.lastName | sn | User last name |
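The mapping table and the NameID settings from Step 3 together describe what ForgeRock receives in each assertion. The script below is an added example (not ForgeRock's federation engine) that applies the SP-side checks a service provider performs before trusting an assertion (issuer, audience equal to the SP Entity ID, Recipient equal to the ACS URL, validity window, emailAddress NameID format, presence of a signature) and then maps the three 1Kosmos claims onto the ForgeRock attributes from the table. It is structural only: the XML signature itself is verified by ForgeRock with the certificate from the 1Kosmos metadata and is not re-implemented here. The assertion, SP Entity ID, ACS URL and issuer are constructed placeholders.

```python
"""SP-side checks and attribute mapping for a 1Kosmos -> ForgeRock assertion.

Added example, not ForgeRock code. Signature cryptography is out of scope;
every URL and value below is a constructed placeholder.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# 1Kosmos claim name -> ForgeRock attribute, as in the mapping table.
ATTRIBUTE_MAP = {"email": "mail", "firstName": "givenName", "lastName": "sn"}

# Constructed stand-ins for the values collected from the ForgeRock console and AdminX.
SP_ENTITY_ID = "https://forgerock.example.invalid/am/sp"
ACS_URL = "https://forgerock.example.invalid/am/Consumer/metaAlias/sp"
IDP_ENTITY_ID = "https://idp.example-tenant.1kosmos.invalid/saml"

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example-tenant.1kosmos.invalid/saml</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.invalid</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://forgerock.example.invalid/am/Consumer/metaAlias/sp"
          NotOnOrAfter="2024-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2023-12-31T23:59:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://forgerock.example.invalid/am/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _ts(value: str) -> datetime:
    """Parse the SAML UTC timestamp form used in the sample (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_and_map(xml_text: str, sp_entity_id: str, acs_url: str,
                  idp_entity_id: str, now: datetime):
    """Return (problems, forgerock_attributes). An empty problems list means accept."""
    a = ET.fromstring(xml_text)
    problems = []

    if a.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("issuer is not the registered 1Kosmos entity")
    if a.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed (Assertion signing must be enabled in AdminX)")

    cond = a.find("saml:Conditions", NS)
    audience = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:
        problems.append("audience does not match the ForgeRock SP Entity ID")
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion is outside its validity window")

    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ForgeRock ACS URL")

    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is not in emailAddress format")

    # Map only the claims ForgeRock is configured to consume; ignore anything else.
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        target = ATTRIBUTE_MAP.get(attr.get("Name"))
        if target:
            attrs[target] = attr.findtext("saml:AttributeValue", namespaces=NS)
    if name_id is not None and attrs.get("mail") != name_id.text:
        problems.append("NameID and email claim disagree; user lookup would be ambiguous")
    return problems, attrs


if __name__ == "__main__":
    at = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)
    print(check_and_map(SAMPLE_ASSERTION, SP_ENTITY_ID, ACS_URL, IDP_ENTITY_ID, at))
```

The NameID and the email claim carry the same value by design (Step 3 sets NameID Value to email), and the check that they agree is what keeps ForgeRock's `mail`-based directory lookup unambiguous; if you change the NameID value in AdminX, update the mapping for `mail` at the same time.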
Integration notes
ForgeRock rebranded to PingOne Advanced Identity Cloud following Ping Identity's acquisition. If your deployment uses older ForgeRock Access Management branding, the federation configuration paths described here remain accurate.
For organizations using ForgeRock as a central IAM hub with dozens of downstream SAML-connected applications: integrating 1Kosmos at the ForgeRock layer means all connected applications gain biometric authentication through a single configuration point without requiring individual SAML changes to each downstream app.
Reach out to your 1Kosmos representative for guidance on the authentication node integration path if you prefer to invoke 1Kosmos within ForgeRock journeys rather than federating at the IdP level.