The PingID connector supports the use of:

  • Customer-friendly authentication flows to increase security without adding unnecessary friction to the end user experience.
  • User enrollment flows:
    • Automatically: Allow customers to automatically enroll an authentication method for users during the authentication process.
    • One-time device authentication: Include device details within an authentication request. Enables a user to authenticate for one session only, without pairing the device.

Setup

Resources

Requirements

To use the connector, you'll need:

Setting up PingID

For instructions on how to set up PingID, see the PingID documentation.

Setting up the connector

In DaVinci, add a PingID connector. For help, see Adding a connector.

Connector settings

Environment ID
Your PingOne Environment ID. In PingOne, go to Settings > Environment Properties.
Client ID
The Client ID for your PingOne Worker application. In PingOne, go to your application under Applications > Applications > Configuration.
Client Secret
The Client Secret for your PingOne Worker application. In PingOne, go to your application under Applications > Applications > Configuration.
Region
Your PingOne environment region. In PingOne, go to Settings > Environment Properties.

Using the connector in a flow

Enrolling a device

To seamlessly add MFA for your users and increase MFA adoption, use the PingID connector. You can include device enrollment as part of user registration, or as a just-in-time (JIT) registration within an authentication flow.

The user can select an authentication method for MFA from a list of methods defined by the PingID configuration. This list can include traditional methods, such as email and SMS, and more secure and frictionless methods, such as FIDO2 biometrics and PingID mobile app.

For help, see the Creating an authentication flow guide.

Authenticating users

Use the PingID connector to increase security by adding an authentication factor that requires the user to prove their identity using a trusted device.

For help, see the Creating an authentication flow guide.

PingID flow templates

Ping Identity provides out-of-the-box DaVinci subflows that you can add to a main flow to register authentication devices and to use those devices to authenticate with PingID.

The following PingID flows are available:
  • PingID registration sub-flow
    Use this subflow to register a new authentication method for use with PingID.
    Note: The variable pingIdUserId represents the ID attribute from PingOne and must be provided when triggering the flow.
  • PingID authentication sub-flow
    Use this subflow to add PingID as a secondary authentication factor to a main flow, as part of an authentication process.
    • Customize PingID authentication sub-flow variables.
      Click the Variables node to customize any of the following options:
      • AdminMessage: The administrative message you want to display during authentication.
      • SMSBackup: Use the user's mobile number as a backup authentication method, so they can receive a one-time passcode by SMS, if the user forgets their registered authentication device.
      • phoneBackup: Use the user's mobile number as a backup authentication method, to receive a one-time passcode by voice message, if the user forgets their registered authentication device.
      • emailBackup: Use the user's email address as a backup authentication method, to receive a one-time passcode by email, if the user forgets their registered authentication device.
      • useCode: When set to true, the user can click a Use Code button to enter an OTP, rather than waiting for a push notification to arrive.
      • OTP Fallback: When set to true, users can authenticate with a one-time passcode in the event that the PingID server cannot reach their device, or the push response cannot be completed.
    • Define a list of mandatory authentication devices
      You can define a list of mandatory authentication methods. If defined, users are forced to register all of the required authentication methods in order to access their resources.
      1. In the relevant PingID authentication subflow, click the Flow Settings node.
      2. In the Variable Name field, select mandatoryAuthenticationMethods, and then enter the authentication methods that the user must register with their account. Valid authentication methods include:
        • PINGID_DESKTOP
        • PINGID_MOBILE
        • SMS
        • VOICE
        • EMAIL
        • TOTP
        • SECURITY_KEY
        • PLATFORM
        • YUBIKEY
        • OATH_TOKEN
        Note: This field is empty by default. Authentication methods must be entered in upper case, with a space between each entry. If no authentication method is defined, the user is not required to pair a specific device.
        Example:
        SMS VOICE EMAIL
        The next time the user attempts to authenticate, even if they have one of the mandatory methods paired with their account, they are forced to register all of the authentication methods specified in the mandatoryAuthenticationMethods list, before they can access their resources.
        Figure: Mandatory Devices information window, listing all of the devices that the user must pair in order to access their resources. Devices that are already paired with their account display a green checkmark and the word "Paired" next to the entry.
    Note:
    • This flow requires the PingID - registration welcome page flow. The variable pingIDUserId must be provided when triggering the flow.
    • The following PingID Connector variables override the equivalent values in the PingID admin console Configuration tab:
      PingID connector variable | PingID admin console location
      SMSBackup, phoneBackup, emailBackup | Alternate Authentication Methods, Backup Authentication (SMS, Voice, or Email checkbox)
      OTP Fallback | Mobile App Authentication, One-time Passcode Fallback
      useCode | Mobile App Authentication, Direct Passcode Usage
Note: It is recommended that you review the PingID connector limitations section.
Search for the relevant flow in the DaVinci flow library.
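
The format rules for mandatoryAuthenticationMethods described above (upper case, space-separated, values from the listed set) are easy to get wrong when the value is typed by hand, so the following added example, which is not part of the PingID or DaVinci documentation, checks a candidate value before it is entered in the Flow Settings node and lists which methods a user would still have to register. The function names are hypothetical; the method names are the ones listed on this page.

```python
import re

# Valid values for mandatoryAuthenticationMethods, as listed on this page.
VALID_METHODS = frozenset({
    "PINGID_DESKTOP", "PINGID_MOBILE", "SMS", "VOICE", "EMAIL",
    "TOTP", "SECURITY_KEY", "PLATFORM", "YUBIKEY", "OATH_TOKEN",
})


def validate_mandatory_methods(value):
    """Return (methods, errors) for a candidate mandatoryAuthenticationMethods value."""
    methods, errors = [], []
    if re.search(r"[,;]", value):
        errors.append("separate entries with a space, not a comma or semicolon")
    for token in re.split(r"[\s,;]+", value.strip()):
        if not token:
            continue  # empty value (the default): no specific device is required
        if token in VALID_METHODS:
            if token in methods:
                errors.append(f"{token!r}: listed more than once")
            else:
                methods.append(token)
        elif token.upper() in VALID_METHODS:
            errors.append(f"{token!r}: must be upper case ({token.upper()})")
        else:
            errors.append(f"{token!r}: not a valid authentication method")
    return methods, errors


def outstanding_methods(mandatory, paired):
    """Methods still to register; having one mandatory method paired is not enough."""
    already = set(paired)
    return [m for m in mandatory if m not in already]


if __name__ == "__main__":
    # Constructed sample values; the first is the example given on this page.
    for sample in ("SMS VOICE EMAIL", "sms,VOICE FIDO2", ""):
        methods, errors = validate_mandatory_methods(sample)
        print(repr(sample), "->", methods, errors)
    # A user with only SMS paired must still register VOICE and EMAIL.
    print(outstanding_methods(["SMS", "VOICE", "EMAIL"], ["SMS"]))
```
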