Advanced Identity Cloud

Push Registration node

Provides a way to register a device, such as a mobile phone for multi-factor authentication using push notifications.

For more information, refer to MFA: Authenticate using push notification.

The node requires the username of the identity to update; for example, by using a Platform Username node.

You can use the Combined MFA Registration node to register a device for use with both push notifications and one-time password (OATH) verification in a single step.

You must also configure the Push Notification Service.

For information on provisioning the credentials required by the Push Notification Service, refer to How To Configure Service Credentials (Push Auth, Docker) in Backstage in the ForgeRock Knowledge Base.

Compatibility

Product Compatible?

Advanced Identity Cloud

Yes

PingAM (self-managed)

Yes

Ping Identity Platform (self-managed)

Yes

Authenticators

The push-related nodes integrate with the ForgeRock Authenticator app for Android and iOS.

Third-party authenticator apps are not compatible with ForgeRock’s push notification functionality.

Outcomes

  • Success

  • Failure

  • Time Out

If the user successfully registers their authenticator, evaluation continues along the Success outcome path.

If the node does not receive a response from the user’s device within the time specified in the node configuration, evaluation continues along the Time Out outcome path.

If AM encounters an issue when attempting to register using a device, evaluation continues along the Failure outcome path.

Properties

Property Usage

Issuer

Specify an identifier so that the user knows which service their account relates to.

The value is displayed by the authenticator application:

The icons represent supported authentication factors supported.

For example, Example Inc. or the name of your application.

Account Name

Specifies the profile attribute to display as the username in the authenticator application.

If not specified, or if the specified profile attribute is empty, their username is used.

Registration Response Timeout

Specify the number of seconds to wait for a response from the authenticator.

If the specified time is reached, evaluation continues along the Time Out outcome path.

Background Color

Specifies the background color, in hex notation, to display behind the issuer’s logo within the ForgeRock Authenticator application.

Logo Image URL

Specifies the location of an image to download and display as the issuer’s logo in the ForgeRock Authenticator application.

Generate Recovery Codes

Specify whether push-specific recovery codes should be generated. If enabled, recovery codes are generated and stored in transient state if registration was successful.

Use the Recovery Code Display node to display the codes to the user for safe keeping.

Generating recovery codes overwrites all existing push-specific recovery codes.

Only the most recent set of recovery codes can be used for authentication if a device has been lost or stolen.

QR code message

The message with instructions to scan the QR code to register the device.

Click Add. Enter the message locale in the Key field; for example, en-gb. Enter the message to display to the user in the Value field.

Example

Refer to the Push authentication example journey for how to use the Push Registration node in a journey handling push devices.