Page tree
Skip to end of metadata
Go to start of metadata


  • Chains are linear, and are very difficult to introduce the concept of choice into
  • Modules try and be complete answers to particular forms of authentication, but result in needing to know how to switch off the bits you don't actually need
  • The Chain/Module-based authentication framework contains a number of authentication features (e.g. zero-page login) built into the framework, that are difficult to opt-out of


  • Authentication Trees are a completely re-imagined mechanism for implementing your authentication flows
  • Each "tree" is made up of a number of "nodes" joined together in a flow structure to enable the admin user to create exactly the authentication experience they want for their users
  • Individual nodes perform single, simple operations - for example:
    • collect a username from the user
    • collect a password from a user
    • evaluate an already-collected username and password against the Identity Repository
    • make a scripted decision
    • ask the user to make a choice
  • Nodes are designed to be very extensible - only the bare minimum required to make trees work are included out-of-the-box, others are drop-in jar files
    • Drop-in jar files are made possible by a new plugin framework that gives the extension developer full control of the plugin lifecycle (including plugin upgrades and AM upgrades)
    • No need for any CLI interaction to enable a plugin - plugins will be discovered on server start, and either installed with server installation, or if not present at that time, as soon as discovered
  • Extensive library of drop-in jar files will be available as samples on the ForgeRock github page once AM 5.5 has been released
  • Simple, easy to understand UI for configuration
  • Not currently recommended for production deployment


  • Authentication Trees are intended to completely replace Authentication Chains in the future - but probably not in AM 6.0
  • At the point at which chains are removed, it is intended that an automatic upgrade process will be included that will replace known modules with equivalent nodes, and will wrap unknown (custom) modules in a node wrapper that knows how to invoke the original module. Existing chains will then be automatically replaced with trees that implement the same authentication flow.

  • No labels