ForgeRock with F5 Distributed Cloud (XC) Account Protection and Authentication Intelligence


Can you think of a person you know who has experienced fraud? Surveys suggest that 1 in 3 global consumers have experienced fraud in the past 3 months. For businesses that means higher churn, revenue loss and potential fines. F5 recognizes the impact on consumers and businesses when fraud occurs. As such, F5 XC's Account Protection and Authentication Intelligence services are now available with ForgeRock empowering ForgeRock customers to slash fraud and abuse, increase top-line revenue and remove log-in friction from legitimate users.

Who is ForgeRock?

ForgeRock is a global leader in identity, orchestration and access decisioning. Specifically, ForgeRock Identity Platform is AI-powered consisting of identity management, access management, identity governance and universal directory with dynamic lifecycle orchestration able to send rich signals amongst the digital enterprise. They offer cloud and hybrid environments reaching more than 1,300 customers around the world.  

Let's get started by walking through how we can enable account protection and authentication intelligence with the ForgeRock plugin!

Deployment Steps



  1. Tomcat 9
  2. Java 8 or above
  3. Forgerock Open AM (7.1.2)

F5 provided 

  • API Hostname
  • Frontend/Backend JS path
  • Customer ID (can be customized by customer)
  • Cookie name (can be customized by customer)
  • Decryption Key for Cookie

Step 1: Create the F5 .jar file

The first step will be to visit the ForgeRock backstage and type in "F5".  Next choose, "F5 Auth Tree Nodes" which will land at this page


  Figure 1:  F5 Auth Tree Node backstage landing page 

Following the steps above will create the specific F5 XC nodes which are required for building the tree.

Step 2: Building the tree

Once logged into ForgeRock, click on Top Level Realm > Authentication Trees > Create Tree > Name the tree > Create.

From here we begin to build the tree with the nodes we created from the .jar file as well as some of the existing ForgeRock built-in nodes.

Figure 2: Creation of new tree

The most important node is the "F5 XC FR Configuration" node which houses the service specific information as well as the defined attributes for Account Protection and Authentication Intelligence. 

Figure 3: F5 XC FR Configuration node

Please note that Authentication Intelligence endpoint configurations are the same as Account Protection endpoint configurations.  

The completed tree will look like this

Figure 4: Completed Authentication tree

This integration is based upon encrypted cookies which are used to send the fraud recommendations from F5 XC. The cookie is collected from the website by the "F5 XC Analyze" node and then is decrypted by the "F5 XC Account Protection" node. For the protected endpoints, the "FR" value is read and then an action is then taken based upon the customers configurations as defined in the "F5 XC FR Configuration" node. 

For Authentication Intelligence, if enabled, a legitimate user's session is extended beyond the default timeout.  The ForgeRock plug-in will use an encrypted persistent cookie which is saved in the client's browser and maintains the user session details and remains even when the user closes the browser.  

Step 3: Validating the AP configurations

In this example, to demonstrate the power of Account Protection, let's say a merchant is protecting his "Shop" endpoint. A user visits the website and makes more than 2 orders and then visits the protected "Shop" endpoint. Based upon the collected telemetry the recommendation comes back as fraud. The previously defined action in the ForgeRock tree is to redirect the user.  

Figure 5: User triggering redirection action 

Next we can see the webpage begins to take the action of redirect as per the pre-configured action based upon the fraud recommendation.

Figure 6: Endpoint beginning the redirection 

And then the actual website used for redirection.

Figure 7: Successful redirection of the user

Step 4: Validating the AI configurations

Starting off in the ForgeRock Access Manager, we see the flag for JS injection is ON, the default session is set for 2 minutes, Authentication Intelligence is Enabled, and the action for the "" endpoint is extend. 

 Figure 8: Configuration of Authentication Intelligence within ForgeRock Access Manager 

After the "e1" user logs into the endpoint, despite it having an action of extend, the recommendation for that user is ineligible as seen below. This means that the user is ineligible for a session extension, so the session will be the default of 2 minutes.

 Figure 9: Ineligible user for session extension

After two minutes and a refresh of the page, user "e1" has been logged out.

Figure 10: Completed action to log out user after 2 minutes 

Now let's say that the recommendation comes back as eligible for a session extension of 7 days. 

Figure 11: User eligible for 7 day session extension

 This can be verified under the Identities menu in the ForgeRock Access Manager.

Figure 12: Access was extended to 7 days 

Please note that "dc" value in the content of the cookie is being shown in plain text for illustrative purposes, in a production environment, the "dc" value is stored inside encrypted content.

The availability of F5 XC Account Protection and Authentication Intelligence on ForgeRock's Identity Platform creates the perfect synergy to help further protect users from fraud and risk as well as reducing log-in friction.  It's a win-win!

Additional Resources

Enabling F5 Distributed Cloud Fraud and Risk Services with ForgeRock Connector Video: HERE 

Enabling F5 Distributed Cloud Fraud and Risk Solutions with ForgeRock Connector DevCentral article: HERE

ForgeRock Marketplace Backstage: HERE

F5 Download Integration: HERE


Updated May 12, 2023
Version 2.0

Was this article helpful?

No CommentsBe the first to comment