
User cannot log in using Push authentication in AM (All versions) and OpenAM 13.5

Last updated Jul 9, 2018

The purpose of this article is to provide assistance if a user cannot log in using Push authentication in AM/OpenAM.


Symptoms

The user cannot log in using Push authentication.

You see the following error when a user attempts to log in using Push authentication:

{"code":500,"reason":"Internal Server Error","message":"Authentication Error!!"}

An error similar to the following is shown in the CoreSystem debug log when this happens:

Formatted event: "de6427e2-4671-9359-aff9-bac00cd4c431-311","2018-03-04T12:21:28.554Z","AM-LOGIN-COMPLETED","de6427e2-4671-9359-aff9-bac00cd4c431-305",,"[""c3f6d35deec82a4031""]","FAILED",,,"[{""moduleId"":""pushAuth"",""info"":{""authIndex"":""service"",""failureReason"":""LOGIN_FAILED"",""ipAddress"":""203.0.113.0"",""authLevel"":""2""}}]","Authentication","/"

You may also see the following error in the Push debug logs:

Received error response: com.amazonaws.services.sns.model.EndpointDisabledException: Endpoint is disabled (Service: AmazonSNS; Status Code: 400; Error Code: EndpointDisabled; Request ID: 1431ede2-94b3-2d50-6e21-bc9c8f3931f7)

The endpoint referred to in this error is the end user's device (for example, mobile) endpoint.

Recent Changes

N/A

Causes

The majority of issues with Push authentication are caused by changes to the end user's device. Common reasons include (but are not limited to):

  • The device has been restored from a backup.
  • The relevant app has been reinstalled on the device.
  • The user has disabled push notifications.

These changes result in the end user's device (endpoint) being disabled in AWS.

See Stack Overflow - Getting “EndpointDisabled” from Amazon SNS for information on other causes for the "Endpoint is disabled" error.

Solution

This issue, regardless of the exact cause, can typically be resolved by re-registering the device. This process initiates a search for the endpoint and results in it being re-enabled in AWS. 

You can re-register the device as follows:

  1. Authenticate to obtain a session token. The URL depends on the version you are using; you must use the actual AM/OpenAM server URL (not a load balancer URL). For example:
    • AM 5 and later:
      $ curl -X POST -H "X-OpenAM-Username: amadmin" -H "X-OpenAM-Password: cangetinam" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.0, protocol=1.0" http://host1.example.com:8080/openam/json/realms/root/authenticate
      
    • Pre-AM 5:
      $ curl -X POST -H "X-OpenAM-Username: amadmin" -H "X-OpenAM-Password: cangetinam" -H "Content-Type: application/json" http://host1.example.com:8080/openam/json/authenticate
    Example response:
    { "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*", "successUrl": "/openam/console", "realm": "/" } 
    
  2. Remove the device from the user's profile using one of the following curl commands against the actual AM/OpenAM server URL (not a load balancer URL). Set the iPlanetDirectoryPro header (the default AM/OpenAM session cookie name) to the token returned when you authenticated, and replace myUser in the URL with the name of the user:
    • AM 5 and later:
      $ curl -X POST -H "Content-Type: application/json" -H "Accept-API-Version: resource=3.0, protocol=1.0" -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" http://host1.example.com:8080/openam/json/realms/root/users/myUser/devices/push?_action=reset
      
    • Pre-AM 5:
      $ curl -X POST -H "Content-Type: application/json" -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" http://host1.example.com:8080/openam/json/users/myUser/devices/push?_action=reset
      
  3. Ask the user to re-register their device.
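The following script is an added example (not ForgeRock's code) that ties the Symptoms and Solution sections together: it scans debug log lines for the two signatures shown above (the SNS EndpointDisabledException and a FAILED AM-LOGIN-COMPLETED event from the pushAuth module), and it builds and sends the two REST calls from steps 1 and 2 for both the AM 5 and pre-AM 5 URL layouts. The server URL, admin credentials, user name and log lines are constructed placeholders, and the helper names (find_push_failures, auth_request, reset_request, reset_push_device) are this example's own.

```python
import json
import re
import urllib.request
from urllib.parse import quote

# Patterns taken from the two log excerpts in the Symptoms section of the article.
SNS_DISABLED_RE = re.compile(r"EndpointDisabledException|Error Code: EndpointDisabled")
PUSH_FAIL_RE = re.compile(r'"AM-LOGIN-COMPLETED".*"FAILED".*""moduleId"":""pushAuth""')

# Constructed sample lines (not a real log): a CoreSystem audit event for a failed
# pushAuth login, a Push debug error from SNS, and an unrelated successful login.
SAMPLE_LOG_LINES = [
    'Formatted event: "de6427e2-0000-0000-0000-000000000001-311","2018-03-04T12:21:28.554Z",'
    '"AM-LOGIN-COMPLETED","de6427e2-0000-0000-0000-000000000001-305",,"[""c3f6d35deec82a4031""]",'
    '"FAILED",,,"[{""moduleId"":""pushAuth"",""info"":{""failureReason"":""LOGIN_FAILED""}}]","Authentication","/"',
    'Received error response: com.amazonaws.services.sns.model.EndpointDisabledException: '
    'Endpoint is disabled (Service: AmazonSNS; Status Code: 400; Error Code: EndpointDisabled; '
    'Request ID: 00000000-0000-0000-0000-000000000000)',
    'Formatted event: "de6427e2-0000-0000-0000-000000000001-320","2018-03-04T12:25:01.000Z",'
    '"AM-LOGIN-COMPLETED",...,"SUCCESSFUL",,,"[{""moduleId"":""DataStore""}]","Authentication","/"',
]


def find_push_failures(lines):
    """Count SNS 'endpoint disabled' errors and failed pushAuth logins in debug log lines.
    Both counters being non-zero for the same user is the signature this article describes."""
    sns_disabled = sum(1 for line in lines if SNS_DISABLED_RE.search(line))
    push_failed = sum(1 for line in lines if PUSH_FAIL_RE.search(line))
    return sns_disabled, push_failed


def auth_request(base_url, username, password, am5=True):
    """Step 1: build the authenticate request. base_url must be the real AM/OpenAM
    server (for example http://host1.example.com:8080/openam), not a load balancer."""
    path = "/json/realms/root/authenticate" if am5 else "/json/authenticate"
    headers = {
        "X-OpenAM-Username": username,
        "X-OpenAM-Password": password,
        "Content-Type": "application/json",
    }
    if am5:  # the versioned endpoint requires the Accept-API-Version header
        headers["Accept-API-Version"] = "resource=2.0, protocol=1.0"
    return {"url": base_url.rstrip("/") + path, "headers": headers}


def token_from_response(body):
    """Step 1: pull tokenId out of the JSON authenticate response."""
    return json.loads(body)["tokenId"]


def reset_request(base_url, token, user, am5=True, cookie_name="iPlanetDirectoryPro"):
    """Step 2: build the devices/push?_action=reset request for `user`. The session
    token is sent in a header named after the session cookie (iPlanetDirectoryPro by default)."""
    user_path = quote(user, safe="")
    if am5:
        path = "/json/realms/root/users/%s/devices/push" % user_path
    else:
        path = "/json/users/%s/devices/push" % user_path
    headers = {"Content-Type": "application/json", cookie_name: token}
    if am5:
        headers["Accept-API-Version"] = "resource=3.0, protocol=1.0"
    return {"url": base_url.rstrip("/") + path + "?_action=reset", "headers": headers}


def post(req):
    """Send one of the requests built above; returns (HTTP status, response body)."""
    r = urllib.request.Request(req["url"], data=b"", headers=req["headers"], method="POST")
    with urllib.request.urlopen(r) as resp:
        return resp.status, resp.read().decode()


def reset_push_device(base_url, admin_user, admin_password, user, am5=True):
    """Steps 1 and 2 end to end against a live server. After this returns 200,
    the user re-registers their device (step 3), which re-enables the SNS endpoint."""
    _, body = post(auth_request(base_url, admin_user, admin_password, am5))
    token = token_from_response(body)
    status, _ = post(reset_request(base_url, token, user, am5))
    return status


if __name__ == "__main__":
    # Offline check against the constructed sample lines; the live reset is not run here.
    print("sns_disabled, push_failed =", find_push_failures(SAMPLE_LOG_LINES))
```

Run find_push_failures over the Push and CoreSystem debug logs first; if it reports both signatures, call reset_push_device with the real server URL and an administrative account, then have the user re-register. The request builders are separated from the network call so the URL and header construction for each version can be checked without a server.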

See Also

How do I set up AM/OpenAM Push Notification Service credentials?

How do I use my own AWS SNS Push Service with AM (All versions) and OpenAM 13.5?

Authentication and Single Sign-On Guide › About Push Authentication

Authentication and Single Sign-On Guide › Creating Authentication Chains for Push Authentication

Authentication and Single Sign-On Guide › ForgeRock Authenticator (Push) Registration Authentication Module

Authentication and Single Sign-On Guide › Resetting Registered Devices by using REST

How do I troubleshoot failed Amazon SNS push notification deliveries?

Related Training

N/A

Related Issue Tracker IDs

OPENAM-12043 (Trigger SNS endpoint enablement when a recovery code is used)



Copyright © 2018 ForgeRock, all rights reserved.