Title:
v9.1 IdP prevents Push Notifications from being sent to iPhones
Topic:
We recently discovered an issue with our IdP that prevents Push Notifications from being sent to iPhones. This issue does NOT affect Android.
The Issue: We found that Apple updates the device token on phones. When the token changes, our IdP server still holds the old token and no longer knows where to send the notification. The end user never receives the Push Notification and therefore cannot log into their application. We are currently investigating why, and under which conditions, the device token changes.
The following features are impacted by this issue:
Option 1: Allow Mobile Device-based Authentication using Network:
Option 2: Enforce Two-Factor Authentication for Windows Logon:
Option 3: Using Phone to log into Service Providers/Applications:
Environment (OS/hardware/software):
SES Server v9.1
All Windows Server OS
All Devices
Workaround:
Until we resolve this issue in the product, if this problem is reported, our teams should recommend the following:
Collect logs from the SD client, ME application, and the IdP Server.
Have the user re-register their iPhone with the ME IdP. This will refresh the device token information in our IdP Server and restore the Push Notification capability.
The Solution:
We are updating our ME application for both iPhone and Android to send the device token back to the IdP whenever it has changed. For now, if a Push Notification does not arrive, users will need to open the ME application on their phone so it can send the current token back and restore this information in our IdP. We are investigating other approaches for this handling, but until then, this is how the ME application will handle this behaviour.
The fix will require users to upgrade the ME application on their phones, and admins will need to upgrade their ME IdP server. We are targeting 1.5 weeks for this to be available, and once it is ready, I will announce it to the teams.
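The following is an added example, not code from this article or from the ME/IdP product, that simulates the failure mode described under The Issue and the refresh handling described under The Solution: the push service rotates the device token, the IdP keeps sending to the stale token, and the app restores delivery by sending the new token back. Everything in it is assumed for illustration: the class and method names, the constructed sample tokens, the "Unregistered" result from the gateway stand-in, and the HMAC binding of token updates to a per-registration enrollment secret (so only the enrolled device can change where a user's login pushes go).

```python
"""Added example, not the product's own code. Simulates device-token rotation
breaking push delivery and the app re-sending its token to restore it.
All names, tokens and the enrollment-secret scheme are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class DeviceRegistration:
    device_id: str
    platform: str
    push_token: str
    enrollment_secret: str  # assumed: secret issued to the app at enrollment


class PushGateway:
    """Stand-in for the vendor push service: a token it no longer considers
    valid (because it was rotated) cannot be delivered to."""

    def __init__(self, valid_tokens):
        self.valid_tokens = set(valid_tokens)
        self.delivered = []

    def send(self, token, payload):
        if token not in self.valid_tokens:
            return "Unregistered"  # the stale-token failure the article describes
        self.delivered.append((token, payload))
        return "OK"


class IdpServer:
    def __init__(self, gateway):
        self.gateway = gateway
        self.registrations = {}  # device_id -> DeviceRegistration

    def register_device(self, device_id, platform, push_token):
        """Initial enrollment: store the token, issue the secret that later
        token updates must be authenticated with."""
        secret = secrets.token_hex(16)
        self.registrations[device_id] = DeviceRegistration(
            device_id, platform, push_token, secret)
        return secret

    def update_push_token(self, device_id, new_token, mac):
        """Accept a new token only if the MAC proves the caller holds the
        enrollment secret; otherwise the login push could be redirected."""
        reg = self.registrations.get(device_id)
        if reg is None:
            return False
        expected = hmac.new(reg.enrollment_secret.encode(),
                            new_token.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False
        reg.push_token = new_token
        return True

    def send_login_push(self, device_id, payload):
        """Return the gateway result so the login flow can detect a stale
        token instead of waiting for an approval that never arrives."""
        reg = self.registrations[device_id]
        return self.gateway.send(reg.push_token, payload)


class MobileApp:
    """The app side: re-send the token whenever the OS hands the app one that
    differs from the token last sent to the IdP."""

    def __init__(self, device_id, server, secret, initial_token):
        self.device_id = device_id
        self.server = server
        self.secret = secret
        self.last_sent_token = initial_token

    def on_device_token(self, token):
        if token == self.last_sent_token:
            return False  # unchanged, nothing to do
        mac = hmac.new(self.secret.encode(), token.encode(),
                       hashlib.sha256).hexdigest()
        if self.server.update_push_token(self.device_id, token, mac):
            self.last_sent_token = token
            return True
        return False


def run_scenario():
    """Rotation breaks the push; re-registration restores it.
    Returns the gateway results (before, during, after)."""
    gateway = PushGateway(valid_tokens={"tok-A"})  # constructed sample tokens
    server = IdpServer(gateway)
    secret = server.register_device("iphone-1", "ios", "tok-A")
    app = MobileApp("iphone-1", server, secret, initial_token="tok-A")
    before = server.send_login_push("iphone-1", "Approve sign-in?")
    gateway.valid_tokens = {"tok-B"}  # the platform rotates the token
    during = server.send_login_push("iphone-1", "Approve sign-in?")
    app.on_device_token("tok-B")  # user opens the app; OS delivers new token
    after = server.send_login_push("iphone-1", "Approve sign-in?")
    return before, during, after


def forged_update_is_rejected():
    """An update without the enrollment secret must leave the token unchanged."""
    server = IdpServer(PushGateway(valid_tokens={"tok-A"}))
    server.register_device("iphone-1", "ios", "tok-A")
    accepted = server.update_push_token("iphone-1", "tok-X", "00" * 32)
    return accepted, server.registrations["iphone-1"].push_token


if __name__ == "__main__":
    print(run_scenario())             # ('OK', 'Unregistered', 'OK')
    print(forged_update_is_rejected())  # (False, 'tok-A')
```

The point of returning the gateway result from `send_login_push` is that a stale token is observable on the server side at send time, which is where the workaround (ask the user to open the app or re-register) can be triggered rather than leaving the login to time out.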