Push registration node not displaying

gpopp · June 28, 2022, 6:55pm

I’ve set up a sandbox environment using the instructions I found here:
https://stash.forgerock.org/projects/PROSERV/repos/platform-compose/browse
I have successfully created a new realm (TestRealm) and modified the out-of-the-box “Login” journey to do multi-factor authorization. I tried to reproduce the journey (still called a tree) I found here:
Push authentication journeys :: ForgeRock Identity Cloud Docs.

Here’s a picture of my journey:

When I attempt to test this, I enter the url for the login journey and fill in the credentials. This takes me to the next page/node where I have 4 choices (register, get the app, skip, opt-out). Choosing “Register Device” does NOT take me to the register node but instead returns me to the main login page again with a 401 response (reason: Unauthorized, message: “Login failure”).

Where have I gone wrong with this journey?

jochen.raymaekers · July 5, 2022, 8:28pm

Hi,

First question, did you configure the PUSH Registration Service itself as mentioned in the documentation section Push Notification Service?

> Push Notification Service

Configures how AM sends push notifications to registered devices, including endpoints, and access credentials.

For information on provisioning the credentials required by the Push Notification Service, see How To Configure Service Credentials (Push Auth, Docker) in Backstage in the ForgeRock Knowledge Base.

For detailed information about the available properties, see Push Notification Service.

gpopp · July 6, 2022, 12:22pm

Thank you Jochen!

I suspected this might be the issue, but I have NOT configured the PUSH Registration Service! The link supplied on the documentation pages (and the link YOU) supplied result in a 403 response for me:

Http failure response for https://backstage.forgerock.com/knowledge-ws/api/v1/library/backstagehelp/article/a92326771/_published?expand=full: 403 OK

jsingh · July 6, 2022, 2:03pm

Hi @gpopp - Push service requires also configuring the Push Services. Without understanding the underlying error messages, it would be slightly hard to provide any feedback. Could you please share the underlying error messages from the var/debug directory.

gpopp · July 6, 2022, 2:30pm

Hi Jsingh,

I have not configured the Push Services (surely this is the problem) because I cannot get to the documentation on how to configure them.
Regarding the var/debug directory, which docker container are you referring to? My sandbox environment has all of these:

 docker ps
CONTAINER ID   IMAGE                                           COMMAND                   CREATED          STATUS          PORTS
                                    NAMES
ba846904c408   nginx                                           "/docker-entrypoint.…"    18 minutes ago   Up 17 minutes   80/tcp, 0.0.0.0:443->443/tcp
                                    nginx.local
31bb1bad60eb   gcr.io/forgerock-io/platform-login-ui:7.1.0     "/docker-entrypoint.…"    18 minutes ago   Up 17 minutes   8080/tcp
                                    loginui.local
5f1fe75bb5ac   gcr.io/forgerock-io/platform-admin-ui:7.1.0     "/docker-entrypoint.…"    18 minutes ago   Up 17 minutes   8080/tcp
                                    adminui.local
e6b09ca1a422   gcr.io/forgerock-io/platform-enduser-ui:7.1.0   "/docker-entrypoint.…"    18 minutes ago   Up 17 minutes   8080/tcp
                                    enduserui.local
f3c8d7d19ea4   bitbucket/am:7.1.0                              "/bin/sh -c \"$FORGER…"   8 days ago       Up 17 minutes   0.0.0.0:8080->8080/tcp
                                    am.local
99e2155b6f2a   bitbucket/ds-cts:7.1.0                          "/opt/opendj/customi…"    8 days ago       Up 17 minutes   1636/tcp, 4444/tcp, 8080/tcp, 8443/tcp, 0.0.0.0:1389->1389/tcp, 8989/tcp   cts.local
19856a0d78ae   bitbucket/ds-idrepo:7.1.0                       "/opt/opendj/customi…"    8 days ago       Up 17 minutes   1636/tcp, 4444/tcp, 8080/tcp, 8443/tcp, 8989/tcp, 0.0.0.0:389->1389/tcp    idrepo.local
3c753f280ff2   bitbucket/idm:7.1.0                             "/opt/openidm/bin/do…"    8 days ago       Up 17 minutes   0.0.0.0:8082->8080/tcp
                                    idm.local
1f314d9cc60f   bitbucket/impexp                                "/opt/amster/docker-…"    8 days ago       Up 17 minutes
                                    impexp.local

I suspect am.local is the one? If so, that container has no /var/debug directory:

docker exec -it am.local ls -alhF /var
total 60K
drwxr-xr-x 1 root root  4.0K Apr 16  2021 ./
drwxr-xr-x 1 root root  4.0K Jun 28 14:22 ../
drwxr-xr-x 2 root root  4.0K Apr 15  2020 backups/
drwxr-xr-x 1 root root  4.0K Apr 23  2021 cache/
drwxr-xr-x 1 root root  4.0K Jun 28 14:20 lib/
drwxrwsr-x 2 root staff 4.0K Apr 15  2020 local/
lrwxrwxrwx 1 root root     9 Apr 16  2021 lock -> /run/lock/
drwxr-xr-x 1 root root  4.0K Apr 23  2021 log/
drwxrwsr-x 2 root mail  4.0K Apr 16  2021 mail/
drwxr-xr-x 2 root root  4.0K Apr 16  2021 opt/
lrwxrwxrwx 1 root root     4 Apr 16  2021 run -> /run/
drwxr-xr-x 2 root root  4.0K Apr 16  2021 spool/
drwxrwxrwt 2 root root  4.0K Apr 16  2021 tmp/

jsingh · July 6, 2022, 2:46pm

If you follow the below article, you will see the instructions require configuring of the Push services.

https://backstage.forgerock.com/docs/am/7.2/authentication-guide/authn-mfa-trees-push.html#proc-authn-mfa-tree-push

There’s also a backstage article that walks you in-detail on how to configure these services. I believe @jochen.raymaekers already highlighted above in his answer. You will require backstage account to access that article.

Also, please note the “Push Service” provided by ForgeRock which you will also see in the above linked backstage document - is a licensed service.

And yes, am.local is the correct container. You will need to find out where in your container the AM configuration is saved and then visit AM Config Dir/var/debug/ to look for log messages.

Jatinder
IAM Solutions Architect
Sqoop Data

gpopp · July 6, 2022, 3:11pm

Thank you! I have an evaluation license account created, but cannot access the knowledge base article regarding configuring of the push services. I receive a 403 error when trying to read it.
One would hope this is a mistake - else, how could a developer evaluate this aspect of the product before buying?

gpopp · July 6, 2022, 3:18pm

Of course, it should be noted, that my evaluation license ALSO does not allow me to create a ticket about this issue.

gpopp · July 6, 2022, 4:06pm

jsingh: I found the location of the /var/debug directory. For anyone else finding this conversation intersting, it is here: /home/forgerock/openam/var/debug/

debug.out contains a rather large dump, but it starts with this:

o.f.o.a.t.e.AuthTreeExecutor: 2022-07-06 16:01:54,781: Thread[http-nio-8080-exec-3]: TransactionId[8fa0776f-e976-4d79-8824-5fbcbb652a28-1415]
WARN: Ignoring the new universal id empty new universal id as universal id id=809b05f1-79bb-43be-8894-b76af829809f,ou=user,o=TestRealm,ou=services,ou=am-config is already set on the context
o.f.o.c.r.a.t.AuthTrees: 2022-07-06 16:01:54,790: Thread[http-nio-8080-exec-3]: TransactionId[8fa0776f-e976-4d79-8824-5fbcbb652a28-1415]
ERROR: Exception in processing the tree
org.forgerock.openam.auth.node.api.NodeProcessException: Unable to read service addresses for Push Notification Service

I think this verifies that my failure to configure the push services is, indeed, the issue. If only I had some way to read how to configure it.