Push Sender node

Sends push notification messages to a device for multi-factor authentication.

Configure the AM Push Notification Service for the realm before using this node.

For information on provisioning the credentials used by the service, refer to How To Configure Service Credentials (Push Auth, Docker) in Backstage in the ForgeRock Knowledge Base.

To determine whether the user has a registered device, the flow must have included the username in the shared state, for example, by using a Platform Username node.

Compatibility

Product	Compatible?
Advanced Identity Cloud	Yes
PingAM (self-managed)	Yes
Ping Identity Platform (self-managed)	Yes

Product

Compatible?

Advanced Identity Cloud

Yes

PingAM (self-managed)

Yes

Ping Identity Platform (self-managed)

Yes

Authenticators

The push-related nodes integrate with the ForgeRock Authenticator app for Android and iOS.

Third-party authenticator apps are not compatible with ForgeRock’s push notification functionality.

Outcomes

Sent
Not Registered
Skipped
Failure

Evaluation continues along the Sent outcome path if the push notification was successfully sent to the handling service.

If the user doesn’t have a registered device, evaluation continues along the Not Registered outcome path.

If the user chooses to skip push authentication, evaluation continues along the Skipped outcome path.

The node displays the Failure outcome only if you enable the Capture failure configuration option. In this case, evaluation proceeds along the Failure path if there is an error during execution of the node.

Properties

Property Usage

Property	Usage
Message Timeout	Specifies the number of milliseconds the push notification message will remain valid. The Push Result Verifier node rejects responses to push messages that have timed out.
User Message	Specifies the optional message to send to the user. You can provide the message in multiple languages by specifying the locale in the `KEY` field; for example, `en-US`. The locale selected for display is based on the user’s locale settings in their browser. Messages provided in the node override the defaults provided by AM. The following variables can be used in the `VALUE` field: `{{user}}` Replaced with the username value of the account registered in the ForgeRock Authenticator application, for example Demo. `{{issuer}}` Replaced with the issuer value of the account registered in the ForgeRock Authenticator application, for example, ForgeRock. Example: `Login attempt from {{user}} at {{issuer}}.`
Remove 'skip' option	Enable this option in the node to make the push authentication mandatory. When disabled, the user can skip the push authentication requested by the node, and evaluation continues along the `Skipped` outcome path. Default: Disabled
Share Context info	If enabled, context data such as `remoteIp`, `userAgent`, and `location` are included in the notification payload. For example: `{ "location": { "latitude": 49.2208569, "longitude": -123.1174431 }, "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36", "remoteIp": "9.9.9.9" }` The ForgeRock Authenticator displays this additional information to the user to help verify that the request is genuine and initiated by them. Figure 1. Context information in the ForgeRock Authenticator For the location attribute to be set, the flow must contain a Device Profile Collector node with Collect Device Location enabled.
Custom Payload Attributes	Specify shared state objects to be included in the message payload sent to the client. The size of the payload must not exceed 3 Kb or a `NodeProcessException` is thrown. To add a custom attribute, enter the shared state object name in the text field and click Add. Repeat for each object you want to include in the payload.
Push Type	Select the type of the push authentication the user must perform on their device to continue the journey. Possible values are: `Tap to Accept` (default) Requires the user to tap to accept. `Display Challenge Code` Requires the user to select one of three numbers displayed on their device. This selected number must match the code displayed in the browser for the request to be verified. `Use Biometrics to Accept` Requires the user’s biometric authentication to process the notification. The actions the user performs vary depending on the selected option. Refer to Respond to push notifications.
Capture failure (optional)	If enabled, and the node fails to send the Push Notification, the journey skips the node. The journey stores the reason for the failure in the `PushAuthFailureReason` key in the shared state for use by subsequent nodes in the journey. Possible failure reasons include `MISSING_USERNAME`, `SENDER_ALREADY_USED`, `CTS_ERROR`, and `TRANSMISSION_FAILURE`.

Message Timeout

Specifies the number of milliseconds the push notification message will remain valid. The Push Result Verifier node rejects responses to push messages that have timed out.

User Message

Specifies the optional message to send to the user.

You can provide the message in multiple languages by specifying the locale in the KEY field; for example, en-US.

The locale selected for display is based on the user’s locale settings in their browser.

Messages provided in the node override the defaults provided by AM.

The following variables can be used in the VALUE field:

{{user}}: Replaced with the username value of the account registered in the ForgeRock Authenticator application, for example Demo.
{{issuer}}: Replaced with the issuer value of the account registered in the ForgeRock Authenticator application, for example, ForgeRock.

Example: Login attempt from {{user}} at {{issuer}}.

Remove 'skip' option

Enable this option in the node to make the push authentication mandatory.

When disabled, the user can skip the push authentication requested by the node, and evaluation continues along the Skipped outcome path.

Default: Disabled

Share Context info

If enabled, context data such as remoteIp, userAgent, and location are included in the notification payload.

For example:

{
  "location": {
    "latitude": 49.2208569,
    "longitude": -123.1174431
  },
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36",
  "remoteIp": "9.9.9.9"
}

The ForgeRock Authenticator displays this additional information to the user to help verify that the request is genuine and initiated by them.

Figure 1. Context information in the ForgeRock Authenticator

For the location attribute to be set, the flow must contain a Device Profile Collector node with Collect Device Location enabled.

Custom Payload Attributes

Specify shared state objects to be included in the message payload sent to the client. The size of the payload must not exceed 3 Kb or a NodeProcessException is thrown.

To add a custom attribute, enter the shared state object name in the text field and click Add. Repeat for each object you want to include in the payload.

Push Type

Select the type of the push authentication the user must perform on their device to continue the journey.

Possible values are:

Tap to Accept (default): Requires the user to tap to accept.
Display Challenge Code: Requires the user to select one of three numbers displayed on their device. This selected number must match the code displayed in the browser for the request to be verified.
Use Biometrics to Accept: Requires the user’s biometric authentication to process the notification.

The actions the user performs vary depending on the selected option. Refer to Respond to push notifications.

Capture failure (optional)

If enabled, and the node fails to send the Push Notification, the journey skips the node. The journey stores the reason for the failure in the PushAuthFailureReason key in the shared state for use by subsequent nodes in the journey.

Possible failure reasons include MISSING_USERNAME, SENDER_ALREADY_USED, CTS_ERROR, and TRANSMISSION_FAILURE.

Example

The following example shows one possible implementation of multi-factor push authentication:

Node connections

Table 1. List of node connections
Source node	Outcome path	Target node
Page Node containing: Platform Username, Platform Password	→	Data Store Decision
Data Store Decision	True	Push Sender
Data Store Decision	False	Failure
Push Sender	Sent	Push Wait
Push Sender	Not Registered	MFA Registration Options
Push Wait	Done	Push Result Verifier
Push Wait	Exit	Recovery Code Collector Decision
Push Result Verifier	Success	Success
	Failure	Failure
	Expired	Push Sender
	Waiting	Push Wait
MFA Registration Options	Register	Push Registration
	Get App	Get Authenticator App
	Skip	Success
	Opt-out	Opt-out Multi-Factor Authentication
Recovery Code Collector Decision	True	Success
Recovery Code Collector Decision	False	Retry Limit Decision
Push Registration	Success	Recovery Code Display Node
	Failure	Failure
	Time Out	MFA Registration Options
Get Authenticator App	→	MFA Registration Options
Opt-out Multi-Factor Authentication	→	Success
Retry Limit Decision	Retry	Recovery Code Collector Decision
Retry Limit Decision	Reject	Failure
Recovery Code Display Node	→	Push Sender

After verifying the user’s credentials, evaluation continues to the Push Sender node.

If the user has a registered device:

AM sends a push to their registered device.
The Push Wait node pauses authentication for 5 seconds, during which time the user can respond to the push notification on their device; for example, by using the ForgeRock Authenticator application.
- If the user responds positively, they are authenticated successfully and logged in.
- If the user responds negatively, they are not authenticated successfully and do not receive a session.
- If the push notification expires, AM sends a new push notification.
  
  Use a Retry Limit Decision node to constrain the number of times a new code is sent.
- If the user has not yet responded, the flow loops back a step and the Push Wait node pauses authentication for another 5 seconds.
If the user exits the Push Wait node, they can enter a recovery code in order to authenticate.

For this situation, configure the Exit Message property in the Push Wait node with a message, such as Lost phone? Use a recovery code.

A Retry Limit Decision node allows three attempts at entering a recovery code before failing the authentication.

If the user does not have a registered device:

The MFA Registration Options node presents the user with the following options:

Register Device

The flow continues to the Push Registration node, which displays the QR code that should be scanned with a suitable authenticator application.

Get the App

The flow continues to the Get Authenticator App node, which displays the links needed to obtain a suitable application, such as the ForgeRock Authenticator.

Skip this step

Displayed only if the node configuration lets the user skip. In this example, skipping is linked to the Success outcome. Alternatively, an Inner Tree Evaluator node could have been used for authentication.

Opt-out

Displayed only if the node configuration allows the user to skip or opt out. Evaluation continues to the Opt-out Multi-Factor Authentication node, which updates the user’s profile to skip MFA with push in the future. In this example, after updating the profile the flow continues to the Success node.
The user registers the device with the Push Registration node.

After registration, the recovery codes are displayed to the user for safekeeping, and evaluation continues with the Push Sender node to start push notification.

To manage push devices, the user must log in using either the device or a recovery code.

For more information, refer to Manage devices for MFA.

Respond to push notifications

The default Push Type setting is Tap to Accept. This requires the user to tap to either Accept or Reject in the ForgeRock Authenticator.

Figure 2. Tap to Accept (Default)

Research shows that users might accept a push authentication without fully checking if it is legitimate. To reduce the chances of a user accepting a malicious push authentication attempt, you can configure two additional push types:

Display Challenge Code: Requires the user to select one of three numbers displayed on their device. This selected number must match the code displayed in the browser for the request to be verified.

Figure 3. Challenge code

Use Biometrics to Accept: Requires the user’s biometric authentication to process the notification, after tapping Accept or Reject.

Figure 4. Biometric authentication required