PrivacyIDEA Authenticator 4.0: PUSH does not work in PrivacyIDEA 3.6.2 environment

Hi
We have so far had a relatively stable PrivacyIDEA environment running version 3.6.2 (mobile 3.1.5) with PUSH tokens working.
With the new version of the mobile application, PrivacyIDEA Authenticator 4.0, we get this error in the logs:
"error": {
  "code": 403,
  "message": "SenderId mismatch",
  "status": "PERMISSION_DENIED",
  "details": [
    {
      "@type": "type.googleapis.com/google.firebase.fcm.v1.FcmError",
      "errorCode": "SENDER_ID_MISMATCH"
    }

But if someone is using an older version of the mobile application, for example 3.1.5, communication with PUSH works correctly.
Can someone help?

The firebase config of the Authenticator App 4.0 changed.

I think this was also in the changelog of the App.

Read here:

OK, I read it. But I don’t know now what I should change in my configuration. Any suggestions?

You are right - this was obviously not quite clear.

With the privacyIDEA Authenticator the own-firebase-concept was dropped for stability reasons. You can find in this forum several comments about this. The Authenticator 4.0 as it comes compiled from the stores now uses a central firebase project. You would need an API/auth key, to communicate to this project.

NetKnights/We decided to only provide access to this firebase project to customers with a valid SLA.

So what can you do without an SLA? Either

  1. use push-poll, i.e. the user will need to open the app to receive (poll) push notifications.
    This requires privacyIDEA Server 3.7.1 and the virtual firebase project “pollonly”
  2. use an old app
  3. modify the firebase project in the app code and compile your own app

In regards to 1.)

You do not have to configure any firebase project anymore. In your enrollment policy you would simply choose “push_firebase_configuration”=“poll only”.


Thank you for your answer. We must check what will be best for us.

Hi,

we have encountered the same problem. In my opinion, it is bad style to distribute such a change as an app update without a clear indication of the consequences and to say afterwards that it can only be used by contract customers. First of all, all users who have installed the update are locked out. For Apple users, I think there is no way back to the old app and as I understand it, all existing tokens have to be rolled out again so that it works again.

BR
Markus

You are right, it is totally our fault that we failed to publish a communication for community users.

Please read this one: privacyIDEA Authenticator 4.0 with Push Poll – privacyID3A

Thank you (Cornelinux)
We have done the configuration with Poll (without Firebase) for now. Push tokens started to work.
A few more questions came up in the new environment that I would appreciate clarification on:

  1. Does Push token protection work in the Poll configuration? I set the policy on the server (push_firebase_app_pin), but the newly made token is not protected. For OTP it works without any problem.
  2. Is it possible to force server-side protection for existing tokens in PrivacyIdea Authenticator 4.0?
  3. In PrivacyIdea Authenticator 4.0, when Decline (not Accept) is pressed, is anything sent to the PrivacyIdea 3.7.1 server, obviously in Poll configuration?
  4. I’m from Poland, and by default after installing PrivacyIdea Authenticator 4.0 the Czech language is enabled, which is a bit inconvenient for regular users. Is it possible to:
    • make English the default
    • make a Polish version, and what needs to be done

You mean pin/face protection. I think this is currently not in 4.0 and will come with the next versions. It was prepared on the server side.
The app currently protects

I am not sure what you mean. But yes.

No

Hello @cornelinux
thank you for all your support :slight_smile:
