Push Sender node

Sends push notification messages to a device for multi-factor authentication.

Configure the AM Push Notification Service for the realm before using this node. For information on the properties used by the service, refer to Push Notification Service.

For information on provisioning the credentials used by the service, refer to How To Configure Service Credentials (Push Auth, Docker) in Backstage in the ForgeRock Knowledge Base.

To determine whether the user has a registered device, the flow must have included the username in the shared state, for example, by using a Username Collector node.

Outcomes

Sent
Not Registered
Skipped

Evaluation continues along the Sent outcome path if the push notification was successfully sent to the handling service.

If the user does not have a registered device, evaluation continues along the Not Registered outcome path.

If the user chooses to skip push authentication, evaluation continues along the Skipped outcome path.

Properties

Property Usage

Message Timeout

Specifies the number of milliseconds the push notification message will remain valid. The Push Result Verifier node rejects responses to push messages that have timed out.

User Message

Specifies the optional message to send to the user.

You can provide the message in multiple languages by specifying the locale in the KEY field; for example, en-US.

The locale selected for display is based on the user’s locale settings in their browser.

Messages provided in the node override the defaults provided by AM. For information about customizing and translating the default messages, refer to Internationalization.

The following variables can be used in the VALUE field:

{{user}}: Replaced with the username value of the account registered in the ForgeRock Authenticator application, for example Demo.
{{issuer}}: Replaced with the issuer value of the account registered in the ForgeRock Authenticator application, for example ForgeRock.

Example: Login attempt from {{user}} at {{issuer}}.

Remove 'skip' option

Enable this option in the node to make the push authentication mandatory.

When disabled, the user can skip the push authentication requested by the node, and evaluation continues along the Skipped outcome path.

Default: Disabled

Nodes in authentication trees are not affected by the Two Factor Authentication Mandatory property, available at Realms > Realm Name > Authentication > Settings > General, as it only applies to modules within authentication chains.

Share Context info

If enabled, context data such as remoteIp, userAgent, and location are included in the notification payload.

For example:

{
  "location": {
    "latitude": 49.2208569,
    "longitude": -123.1174431
  },
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36",
  "remoteIp": "9.9.9.9"
}

For the location attribute to be set, the flow must contain a Device Profile Collector node with Collect Device Location enabled.

Custom Payload Attributes

Specify shared state objects to be included in the message payload sent to the client. The size of the payload must not exceed 3 Kb or a NodeProcessException is thrown.

To add a custom attribute, enter the shared state object name in the text field and click Add. Repeat for each object you want to include in the payload.

Push Type

Select the type of the push notification that must be processed before the notification is sent.

Possible values are:

Tap to Accept (default): Requires the user to tap to accept.
Display Challenge Code: Requires the user to select one of three numbers displayed on their device. This selected number must match the code displayed in the browser for the request to be verified.
Use Biometrics to Accept: Requires the user’s biometric authentication to process the notification.

Example

The following example shows one possible implementation of multi-factor push authentication:

Node connections

List of node connections
Source node	Outcome path	Target node
Page Node containing: Username Collector, Password Collector	→	Data Store Decision
Data Store Decision	True	Push Sender
Data Store Decision	False	Failure
Push Sender	Sent	Push Wait
Push Sender	Not Registered	MFA Registration Options
Push Wait	Done	Push Result Verifier
Push Wait	Exit	Recovery Code Collector Decision
Push Result Verifier	Success	Success
	Failure	Failure
	Expired	Push Sender
	Waiting	Push Wait
MFA Registration Options	Register	Push Registration
	Get App	Get Authenticator App
	Skip	Success
	Opt-out	Opt-out Multi-Factor Authentication
Recovery Code Collector Decision	True	Success
Recovery Code Collector Decision	False	Retry Limit Decision
Push Registration	Success	Recovery Code Display Node
	Failure	Failure
	Time Out	MFA Registration Options
Get Authenticator App	→	MFA Registration Options
Opt-out Multi-Factor Authentication	→	Success
Retry Limit Decision	Retry	Recovery Code Collector Decision
Retry Limit Decision	Reject	Failure
Recovery Code Display Node	→	Push Sender

After verifying the user’s credentials, evaluation continues to the Push Sender node.

If the user has a registered device:

AM sends a push to their registered device.
The Push Wait node pauses authentication for 5 seconds, during which time the user can respond to the push notification on their device; for example, by using the ForgeRock Authenticator application.
- If the user responds positively, they are authenticated successfully and logged in.
- If the user responds negatively, they are not authenticated successfully and do not receive a session.
- If the push notification expires, AM sends a new push notification.
  
  Use a Retry Limit Decision node to constrain the number of times a new code is sent.
- If the user has not yet responded, the flow loops back a step and the Push Wait node pauses authentication for another 5 seconds.
If the user exits the Push Wait node, they can enter a recovery code in order to authenticate.

For this situation, configure the Exit Message property in the Push Wait node with a message, such as Lost phone? Use a recovery code.

A Retry Limit Decision node allows three attempts at entering a recovery code before failing the authentication.

If the user does not have a registered device:

The MFA Registration Options node presents the user with the following options:

Register Device

The flow continues to the Push Registration node, which displays the QR code that should be scanned with a suitable authenticator application.

Get the App

The flow continues to the Get Authenticator App node, which displays the links needed to obtain a suitable application, such as the ForgeRock Authenticator.

Skip this step

Displayed only if the node configuration lets the user skip. In this example, skipping is linked to the Success outcome. Alternatively, an Inner Tree Evaluator node could have been used for authentication.

Opt-out

Displayed only if the node configuration allows the user to skip or opt out. Evaluation continues to the Opt-out Multi-Factor Authentication node, which updates the user’s profile to skip MFA with push in the future. In this example, after updating the profile the flow continues to the Success node.
The user registers the device with the Push Registration node.

After registration, the recovery codes are displayed to the user for safekeeping, and evaluation continues with the Push Sender node to start push notification.

To manage push devices, the user must log in using either the device or a recovery code.

For more information, refer to Manage devices for MFA.

AM 7.3.1

Push Sender node

Outcomes

Properties

Example