In this article, we’ll show you how to create your own SNS messaging service and connect it to Apple Push Notification Service (APNS) and Google Cloud Messaging (GCM). You will:
- Set up AWS SNS
- Create a keypair
- Create a project for GCM services
- Create an SNS messaging service
- Debug the new SNS messaging service
Push messages are a (relatively) easy way to communicate with users via a mobile phone. While similar to SMS messages, they are considered more secure, and are recommended by NIST over classical SMS.
ForgeRock Access Manager (OpenAM) provides push authentication as a secure authentication mechanism to use the fingerprint recognition feature (Touch ID) on mobile phones (iOS and Android). ForgeRock also provides a mobile app which can:
- Register a smartphone for use with push authentication
- Receive push messages and authenticate the user using Touch ID
This app is available on both Apple App store and Google Play. ForgeRock provides a push notification service via Amazon SNS. ForgeRock customers can easily subscribe to this service, which sends push messages from both cloud-based and on-premise AM installations.
Customizing SNS messaging services
The technology of push messages requires that the messaging service know exactly which mobile app the message should be sent to. In iOS, a mobile app is identified by a bundle identifier (bundle ID). It cannot be changed after the developer signs the app and submits it to an app store. As a result, the configuration of the message service must be changed whenever the app is modified, and vice versa. This prevents anyone other than the owner or publisher of the app (for example, the developing company) from sending push messages to it. As an example, think about a potentially hostile entity sending messages to your WhatsApp or LinkedIn app.
If you want to modify the app, you have to use your own AWS SNS service.
If you want to use your own AWS SNS service, you have to modify and recompile the app with a new bundle ID.
Set up AWS SNS
To set up AWS SNS for ForgeRock Push Authentication, you need:
- A valid AWS account
- An Apple Developer account
- A Google Firebase account
Create a keypair
First, you need to create a public/private keypair that will be uploaded as a .p12 file to AWS. AWS uses this keypair to authenticate against APNS. To generate the keypair, you can use the Keychain app on Mac OS X.
Start at developer.apple.com and log in with your iOS developer account. Select Certificates, IDs, & Profiles.
Step 1a: Create an Xcode project, enable push notifications, and choose a new bundle ID. Alternatively, you can check out ForgeRock Authenticator and amend the bundle ID:
The bundle ID should appear in the Apple developer console under iOS App IDs.
Step 1b: Create the keypair that AWS will use to access APNS. Add a dev or prod certificate for push notifications, then add a certificate for APNS:
The Apple wizard will guide you through the steps to use Keychain to generate a certificate signing request (CSR), submit it to the Apple CA via the developer console, then download the issued certificate and import it into Keychain.
In the Apple developer certificates section, the new certificate appears with type Apple Push Services:
From Keychain, you can export a PKCS12 version, which holds the public and private parts in one file. This file will be uploaded to your AWS SNS messaging service later:
The page that follows includes the project ID and an API key. You’ll need the API key in the next step to access GCM from the AWS SNS service.
Create an SNS messaging service
Step 2a: Subscribe to SNS. Using the AWS console (aws.amazon.com/console), go to AWS services and select Simple Notification Service (SNS):
Step 2c: Select Choose P12 file. Provide a password to protect this file (remember that this file contains both your private and public keys) and select Load credentials from file. The field containing certificates and the private key should now be auto-populated.
Step 2d: Configure access to GCM accordingly. GCM uses an API key rather than a P12, but this is basically the same approach:
On success, your AWS SNS application appears under Applications with its endpoint.
These endpoints look like arn:aws:sns:eu-west-1:0123456787:app/APNS_SANDBOX/FRDemo and need to be entered in OpenAM’s Push Service configuration.
These endpoints are protected with a client ID/client secret pair to prevent someone from accessing the endpoints in AWS for APNS or GCM. To generate such a pair, you need to create a user via the AWS console using the IAM service. Make sure you tick the box for programmatic access.
Step 2e: Select the Attach existing policies directly area:
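As an added example (not part of the original article or of ForgeRock's code), this Python snippet checks the platform application ARNs before they are entered into OpenAM’s Push Service configuration and builds an IAM policy limited to exactly those applications, rather than attaching SNS-wide access to the programmatic user. The action set (sns:CreatePlatformEndpoint and sns:Publish) and the endpoint ARN layout are assumptions; verify them against the documentation for your AM release.

```python
import json
import re

# Shape of an SNS platform application ARN as shown in the article, e.g.
# arn:aws:sns:eu-west-1:0123456787:app/APNS_SANDBOX/FRDemo
_APP_ARN = re.compile(
    r"^arn:aws:sns:(?P<region>[a-z0-9-]+):(?P<account>\d+):"
    r"app/(?P<platform>APNS|APNS_SANDBOX|GCM)/(?P<name>[A-Za-z0-9._-]+)$"
)

def parse_platform_app_arn(arn):
    """Split a platform application ARN into its parts; raise ValueError on anything else."""
    m = _APP_ARN.match(arn.strip())
    if not m:
        raise ValueError("not an SNS platform application ARN: %r" % arn)
    parts = m.groupdict()
    parts["sandbox"] = parts["platform"] == "APNS_SANDBOX"  # dev certificate, not production APNS
    return parts

def endpoint_arn_pattern(app_arn):
    """Wildcard ARN covering the device endpoints registered under one application.
    Assumes the usual layout arn:aws:sns:<region>:<account>:endpoint/<platform>/<name>/<id>."""
    p = parse_platform_app_arn(app_arn)
    return "arn:aws:sns:%s:%s:endpoint/%s/%s/*" % (p["region"], p["account"], p["platform"], p["name"])

def least_privilege_policy(app_arns):
    """IAM policy scoped to the given applications instead of SNS-wide access.
    The action set is an assumption (register a device, publish to it); check your AM release's docs."""
    apps = [a.strip() for a in app_arns]
    for a in apps:
        parse_platform_app_arn(a)  # fail early on a mistyped ARN
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "RegisterDevices", "Effect": "Allow",
             "Action": ["sns:CreatePlatformEndpoint"], "Resource": apps},
            {"Sid": "PublishToDevices", "Effect": "Allow",
             "Action": ["sns:Publish"], "Resource": [endpoint_arn_pattern(a) for a in apps]},
        ],
    }

if __name__ == "__main__":
    # The APNS ARN is the article's example; the GCM one is constructed to match it.
    arns = ["arn:aws:sns:eu-west-1:0123456787:app/APNS_SANDBOX/FRDemo",
            "arn:aws:sns:eu-west-1:0123456787:app/GCM/FRDemo"]
    for a in arns:
        p = parse_platform_app_arn(a)
        print("%-12s %s in %s%s" % (p["platform"], p["name"], p["region"], " (sandbox)" if p["sandbox"] else ""))
    print(json.dumps(least_privilege_policy(arns), indent=2))
```

The sandbox flag is worth checking: an APNS_SANDBOX application only reaches devices running development builds, so a production AM instance pointed at it will register devices but its messages will not arrive.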
Congratulations! You have successfully created your own SNS messaging service, and connected it to APNS and GCM.