3.1.9. Push Token

The push token uses the privacyIDEA Authenticator app, which is available from the Google Play Store and the Apple App Store.

The token type push sends a cryptographic challenge via the Google Firebase service to the user's smartphone. The push notification is displayed on the smartphone with a text telling the user that they (or somebody else) are trying to log in to a service. The user can simply accept this request. The smartphone then sends a cryptographically signed response to the privacyIDEA server, which marks the login request as confirmed. The application checks for this mark and logs the user in automatically. The following diagram (given here as its PlantUML source) shows how the components of a typical push token deployment interact.

rectangle "On Prem" {
  card SAML {
    node "Service Provider" as SP
    node "Identity Provider" as IDP
  }
  card "1st Factor" {
    database LDAP
  }
  card "2nd Factor" {
    node privacyIDEA as PI
    file "User Resolver" as Users
  }
}

together {
  actor User
  node iPhone
  node Client
}

cloud Cloud {
  node Firebase
  node APN
}

User ~~> iPhone
User ~~> Client

Client -- SP
SP -- IDP
SP ..> Client : Require Auth

Client --> IDP : Request Auth
IDP -- LDAP
IDP -- PI

PI -- Users

PI --> Firebase : Push Token
Firebase --> APN
APN --> iPhone
iPhone --> PI : Confirm Token

A typical push token deployment

To allow privacyIDEA to send push notifications, a Firebase service needs to be configured first; see Firebase Provider.

The push token implements the out-of-band mode.

3.1.9.1. Configuration

The minimum necessary configuration is an enrollment policy with the action push_firebase_configuration, which selects the Firebase provider configuration to use.

With the authentication policies push_text_on_mobile and push_title_on_mobile you can define the text and the title of the push notification.

If you want to use push tokens with legacy applications that are not yet set up to handle out-of-band tokens, you can set the authentication policy push_wait. Please note that setting this policy can interfere with other token types and will impact performance, as detailed in the documentation for push_wait.

3.1.9.2. Enrollment

The enrollment of the push token happens in two steps.

3.1.9.2.1. Step 1

The user scans a QR code. It contains the basic information for the push token and an enrollment URL, to which the smartphone responds in the second enrollment step.

The smartphone stores this data and creates a new key pair. The private key stays on the smartphone; only the public key is sent to the server in step 2.

3.1.9.2.2. Step 2

The smartphone sends its Firebase ID, the public key of the key pair, the serial number and an enrollment credential back to the enrollment URL of the privacyIDEA server.

The server responds with its public key for this token. The smartphone uses it later to verify that a push notification really originates from the server.

3.1.9.3. Authentication

3.1.9.3.1. Triggering the challenge

The authentication request is triggered by an application in the same way as for any other challenge-response token: either by sending the PIN to the endpoint /validate/check or via the endpoint /validate/triggerchallenge.

privacyIDEA sends the cryptographic challenge together with a signature to the Firebase service, which delivers the notification to the smartphone. The smartphone verifies the signature with the server's public key it received in enrollment step 2, so a notification whose contents were altered in transit or that was not created by the server is rejected.

3.1.9.3.2. Accepting login

The user can now accept the login by tapping the push notification. The smartphone signs the challenge with its private key and sends the response back to the authentication URL of the privacyIDEA server. The server verifies the response with the public key it stored during enrollment and marks this authentication request as successfully answered.

In some cases the push notification does not reach the smartphone. Since version 3.4 the smartphone can therefore also poll the privacyIDEA server for active challenges.

3.1.9.3.3. Login to application

The application can check with the privacyIDEA server, using the original transaction ID (by calling /validate/check with the transaction_id), whether the challenge has been successfully answered, and then log the user in automatically.
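The enrollment and authentication exchange described in 3.1.9.2 and 3.1.9.3, as an added example written for this page in Go; it is not privacyIDEA's or the Authenticator app's own code. The Phone and Server types, the RSA-2048 keys, the PKCS#1 v1.5 signatures over SHA-256, the "|"-joined layout of the signed strings and the serial PIPU0001 are assumptions of this example, not the real wire format (which is documented in the wiki page linked below). What it shows is the security property of the flow: the phone acts only on a challenge carrying a valid server signature over everything it displays, the server accepts only a response signed with the key enrolled for that serial, and a challenge can be answered exactly once.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Phone and Server are constructed stand-ins; RSA-2048, PKCS#1 v1.5 over SHA-256 and the
// "|"-joined signed strings are assumptions of this example, not the privacyIDEA wire format.
type Phone struct {
	key       *rsa.PrivateKey // created in enrollment step 1; never leaves the phone
	serverPub *rsa.PublicKey  // received from the server in enrollment step 2
}

type Server struct {
	key       *rsa.PrivateKey
	phonePubs map[string]*rsa.PublicKey // serial -> phone public key from enrollment step 2
	pending   map[string]PushMessage    // nonce -> challenge still waiting for the phone
	answered  map[string]bool           // transaction_id -> confirmed by a valid signed response
}

// PushMessage is what the server hands to Firebase; the phone checks Signature before acting on it.
type PushMessage struct {
	Serial, Nonce, TransactionID, Text string
	Signature                          []byte
}

func (m PushMessage) signedFields() string {
	return m.Nonce + "|" + m.Serial + "|" + m.TransactionID + "|" + m.Text
}

func digest(msg string) []byte { h := sha256.Sum256([]byte(msg)); return h[:] }
func sign(k *rsa.PrivateKey, msg string) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, digest(msg))
}
func verify(pub *rsa.PublicKey, msg string, sig []byte) error {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(msg), sig)
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func NewServer() *Server {
	return &Server{key: mustKey(), phonePubs: map[string]*rsa.PublicKey{}, pending: map[string]PushMessage{}, answered: map[string]bool{}}
}

// Enroll models steps 1 and 2: the phone creates its key pair and posts the public key with the serial; the server stores it and answers with its own public key.
func Enroll(s *Server, serial string) *Phone {
	k := mustKey()
	s.phonePubs[serial] = &k.PublicKey
	return &Phone{key: k, serverPub: &s.key.PublicKey}
}

// TriggerChallenge (server side of /validate/triggerchallenge) opens a challenge under a fresh transaction ID and signs everything the phone will display.
func (s *Server) TriggerChallenge(serial, text string) (PushMessage, error) {
	buf := make([]byte, 30)
	if _, err := rand.Read(buf); err != nil {
		return PushMessage{}, err
	}
	m := PushMessage{Serial: serial, Nonce: fmt.Sprintf("%x", buf[:20]), TransactionID: fmt.Sprintf("%x", buf[20:]), Text: text}
	s.pending[m.Nonce] = m
	sig, err := sign(s.key, m.signedFields())
	m.Signature = sig
	return m, err
}

// Accept (phone side) rejects anything the server did not sign, including a notification whose text was altered in transit, and otherwise signs the challenge with the phone's private key.
func (p *Phone) Accept(m PushMessage) (nonce string, sig []byte, err error) {
	if err := verify(p.serverPub, m.signedFields(), m.Signature); err != nil {
		return "", nil, fmt.Errorf("push rejected: %w", err)
	}
	sig, err = sign(p.key, m.Nonce+"|"+m.Serial)
	return m.Nonce, sig, err
}

// Confirm (the server's authentication URL) verifies the response with the enrolled public key, closes the challenge so a replayed response finds nothing, and marks the transaction answered.
func (s *Server) Confirm(serial, nonce string, sig []byte) error {
	m, pub := s.pending[nonce], s.phonePubs[serial]
	if pub == nil || m.Serial != serial {
		return fmt.Errorf("no open challenge for serial %q", serial)
	}
	if err := verify(pub, nonce+"|"+serial, sig); err != nil {
		return fmt.Errorf("bad response signature: %w", err)
	}
	delete(s.pending, nonce)
	s.answered[m.TransactionID] = true
	return nil
}

// CheckTransaction is what the application polls via /validate/check with the transaction_id.
func (s *Server) CheckTransaction(tid string) bool { return s.answered[tid] }
```

A complete run is NewServer, Enroll, TriggerChallenge, Accept, Confirm and finally CheckTransaction from the application. Two failure modes worth trying against it: change the Text of a triggered message before handing it to Accept (the phone refuses, because the text is covered by the server signature), and send the same confirmed response to Confirm a second time (it fails, because the challenge was closed on first use). Real deployments use larger keys and carry the fields in the Firebase payload; the signing and verification order is the part that matters.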

3.1.9.4. More information

For a more detailed insight, see the code documentation for the Push Token.

For an in-depth view of the protocol, see the GitHub issue and the wiki page.

Information on the polling mechanism can be found in the corresponding wiki page.

For recent information and a setup guide, visit the community blog.