Identity Cloud

Test push authentication

Identity Cloud presents you with a page for entering only your user ID, or user ID and password. After you provide those credentials, Identity Cloud verifies them. If your credentials are valid and the account has a device registered for push notifications, Identity Cloud sends a push notification to the registered device.

If the user does not yet have a device registered for push authentication, refer to Register.

The device needs access to the Internet to receive push notifications, and Identity Cloud must be able to receive responses from the device.

Receive push notifications

On your registered device, you will receive a push notification from Identity Cloud. Depending on the state of the device and the ForgeRock Authenticator application, respond to the notification as follows:

  • Unlock the device, if necessary, when you receive a device notification from the application.

    The ForgeRock Authenticator application opens and displays the push notification.

  • If the device is unlocked, but the ForgeRock Authenticator application is not open, select the device notification to open the application and display the push notification.

  • Open the ForgeRock Authenticator application to respond quickly to notifications.

Approve requests

How you approve requests depends on the ForgeRock Authenticator application settings, and on what the device supports.

Default settings for push notifications use a simple pop up in the application, similar to the following:

Approve the request by clicking Accept.

Deny requests

Deny the request by tapping the cancel icon in the top-right of the screen or, if Touch ID or face recognition are enabled, tap the Reject button.

If you do not approve or deny the request on the registered device, the Push Authentication page times out and authentication fails.

You can configure this through the Message Timeout in the Push Sender node for the journey.


If your credentials are valid but your profile is missing the metadata for a registered device registered, the MFA Registration Options node of the journey governs what happens:

Default text of the MFA Registration Options node.
Register Device

Configure the journey to continue to the Push Registration node.

When completing the journey, scan the QR code it displays with the ForgeRock Authenticator application.

Get the application

Configure the journey to continue to the Get Authenticator App node.

When completing the journey, follow the link needed to obtain the ForgeRock Authenticator application for your device.

Skip this step

(Optional) In the example journey, skipping is linked to the Success node.


Configure the journey to continue to the Opt-out Multi-Factor Authentication node and let the user not use push.

In the example journey, opting out is linked to the Success node.

Configure successful registration to return to the Push Sender node, which starts the actual push notification stage of the journey, and the user can Receive push notifications.

Copyright © 2010-2024 ForgeRock, all rights reserved.