Connectors

PingOne MFA Connector

PingOne MFA is a cloud-based multi-factor authentication (MFA) service that protects an organization’s network, applications, and data resources while providing secure and seamless experiences for your customers and users.

The PingOne MFA connector supports the use of:

  • Customer-friendly authentication flows to increase security without adding unnecessary friction to the end user experience

  • User enrollment flows:

    • Automatically: Allow customers to automatically enroll an authentication method for users during different operations, such as registering the user email or phone number as part of user provisioning

    • Manually: Allow users to manage their devices and add authentication methods during enrollment

    • One-time device authentication: Include device details within an authentication request. Enables a user to authenticate for one session only, without pairing the device.

  • Usernameless and passwordless sign-on and authentication flows using appropriate, secure authentication methods, such as FIDO biometrics

Setup

Requirements

To use the connector, you’ll need:

  • A PingOne MFA license (Try PingOne for free)

  • A PingOne MFA environment with a configured Worker app

  • A multi-factor authentication (MFA) policy. See MFA policies.

Setting up PingOne MFA

Setting up your PingOne MFA environment

Follow the instructions in Getting started with PingOne MFA.

Setting up the connector

In DaVinci, add a PingOne MFA connection. For help, see Adding a connector.

Connector settings

Environment ID

Your PingOne Environment ID. In PingOne, go to Settings → Environment Properties.

Policy ID

The unique identifier for the device authentication policy. You can define MFA policies and reference them as part of the connector setup. See MFA policies.

Client ID

The Client ID for your PingOne Worker application. In PingOne, go to Applications → Applications → Configuration.

Client Secret

The Client Secret for your PingOne Worker application. In PingOne, go to Applications → Applications → Configuration.

Region

Your PingOne environment region. In PingOne, go to Settings → Environment Properties.

Using the connector in a flow

Enrolling a device

To enable users and increase MFA adoption, use the PingOne MFA connector to include a device enrollment as part of user registration or as a just-in-time (JIT) registration within an authentication flow.

The user can select an authentication method for MFA from a list of methods defined by your organization’s policy. This list can include traditional methods, such as email and SMS, and more secure and frictionless methods, such as FIDO2 biometrics and a native mobile SDK.

You can define device enrollment as either mandatory or optional.

You can choose to enable MFA automatically when device enrollment completes so that the next time the user authenticates, the device is available for them to use to authenticate.

Search the Flow Library for the following out-of-the-box PingOne MFA device enrollment templates:

  • PingOne - Registration and MFA Enrollment

    This flow must include the PingOne - Device Registration sub-flow to provide on-the-fly device enrollment for users during registration.

  • PingOne - Registration and MFA Auto-Enrollment

    In this flow, the Admin selects which devices to enroll for the user.

For help, see the Creating an authentication flow guide.

Authenticating users

Use the PingOne MFA connector to increase security by adding an authentication factor that requires the user to prove their identity using a trusted device.

Search the Flow Library for the following out-of-the-box PingOne MFA authentication templates:

  • PingOne - Sign on and MFA

    This flow must include the PingOne - Device Registration sub-flow to provide on-the-fly device enrollment for users during registration.

  • PingOne - Sign on and Adaptive MFA

    This flow must include the following sub-flows:

    • PingOne - Device Registration sub-flow to provide on-the-fly enrollment for users that have not yet registered a device

    • PingOne - MFA Authentication sub-flow

  • PingOne - One-time use device authentication

    Indicate whether a paired device is used, or specify a device explicitly for one-time authentication.

For help, see the Creating an authentication flow guide.

Configuring passwordless authentication

Use the PingOne MFA connector to enhance your end user’s login experience and increase security by adding passwordless authentication using standard methods such as SMS, OTP, biometric authentication, and QR code scanning. The end user must enable biometric authentication on their machine and enroll it for use with PingOne MFA to benefit from frictionless biometric login, removing the need to enter a password each time they sign on.

You can use the PingOne MFA connector to design the following types of passwordless authentication flows:

  • PingOne Usernameless sign-on with biometrics

    User authenticates by scanning their compatible FIDO authenticator, without requiring a username or password.

  • PingOne - Passwordless authentication

    User enters a username and uses any compatible device to authenticate. If the user device is not yet registered, they must verify the device using a one-time passcode (OTP) sent to the email or mobile number (using one-time use device authentication). After successfully verifying the device, they can register it for passwordless authentication.

  • PingOne - Passwordless sign-on with biometrics

    User enters their username and either provides their existing password, or uses their device biometrics to authenticate.

  • PingOne - QR code passwordless sign-on

    User signs on by scanning a QR code using a mobile application, with no need to input any other information.

    This flow requires a custom mobile app that uses the PingOne MFA mobile SDK.

In order to get the benefits of frictionless biometric login instead of having to enter their user credentials each time they sign on, end users must enable biometric authentication on their device and enroll it for use with PingOne MFA.

You can find sample passwordless authentication flows in the Flow Library. For help, see the Creating an authentication flow guide.

Capabilities

Read Device

Read information for a device associated with a user.

Properties
User ID textField

The unique identifier for the user.

Device ID textField

The unique identifier for the MFA device.

Input Schema
default object
userId string required minLength: 0 maxLength: 100
deviceId string required minLength: 0 maxLength: 100
Output Schema
output object
rawResponse object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
headers object
statusCode integer
device object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string

Read All Devices

Read information for all user devices.

Properties
User ID textField

The unique identifier for the user.

Filters toggleSwitch

Filter devices by activation status and device type.

Status dropDown

Non-active devices are not usable during authentication.

  • ALL (Default)

  • ACTIVE

  • ACTIVATION REQUIRED

Device Types dropDownMultiSelect
  • Email

  • SMS

  • Voice

  • Authenticator App

  • Mobile Applications

  • Fido2 Biometrics

  • Security Key

Input Schema
default object
userId string required minLength: 0 maxLength: 100
setFilterFlag boolean
statusFilter string
deviceTypes array uniqueItems: true
items array
type string
maxLength maxLength: 255
Output Schema
output object
rawResponse object
properties object
_embedded object
properties object
devices array
items array
type object
properties object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
applications array
items array
type object
properties
allowedtypes array
items array
type string
order array
properties array
id string
mfaSettings object
properties object
environment object
properties object
id string
pairing object
properties object
maxAllowedDevices integer
mfaPolicy object
properties object
authentication object
properties object
deviceSelection string
size number
headers object
statusCode integer
devices array
items array
type object
properties object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
allowedtypes array
items array
type string
applications array
items array
type object
properties
mfaSettings object
properties object
environment object
properties object
id string
pairing object
properties object
maxAllowedDevices integer
mfaPolicy object
properties object
authentication object
properties object
deviceSelection string
order array
properties array
id string

Create Device

Create devices to use during authentication.

Properties
User ID textField

The unique identifier for the user.

Device Type dropDown

The type of device used during authentication.

  • Email

  • SMS

  • Voice

  • Authenticator App

  • Mobile Applications

  • Fido2 Biometrics

  • Security Key

  • Enter Device Type

Enter Device Type textField
Activation Status dropDown

The current status of the device. If a device has an ACTIVATION_REQUIRED status, activate it before you add it as a trusted device.

  • ACTIVE

  • ACTIVATION REQUIRED

Phone Number textField

The phone number to associate with the device. Applies only to devices that use SMS and Voice SMS messages during authentication.

Extension textField

The phone extension for this device. It can include digits, commas, # and *. If there is more than one extension, separate the extension and the nested extension with a comma.

Email textField

The email address to associate with the device. Applies only to devices that use email during authentication.

Device Nickname textField

A nickname that identifies this device. The device nickname is limited to 100 characters.

Relying Party ID textField

If you define a Relying Party ID (RPID) here, it overrides the RPID defined in the FIDO policy in the PingOne admin console.

Relying Party Name textField

A string that specifies the relying party’s human-readable display name.

Notification Policy dropDown

A unique identifier for the policy.

  • Enter Notification Policy ID

Notification Policy ID textField
Notification Name dropDown

The name of a custom notification defined in PingOne. If the form you want is not listed, select Enter Custom Value.

  • Enter Custom Value

Custom Value textField

You can enter a custom template name, or leave blank to use the default template. You can also enter a parameter from a previous connector, or any text.

Notification Locale textField

Add a locale to allow localized notifications for end-users. ISO Language Codes are supported.

Notification Variables variableInputList

If custom variables are defined in the notification body, map them here.

User Agent textField

Browser user agent

Custom FIDO2 Challenge textField

Applicable for FIDO2 pairing requests. Specify a custom challenge that will replace the automatically generated challenge sent with the pairing request. Must be a valid Base64URL string that decodes to a byte array of at least 32 bytes.

Test Mode textField

Create device for test purposes only

Input Schema
default object
userId string required minLength: 0 maxLength: 100
deviceType string required
customDeviceType null/string/object
status string required
nickname string
phone string
extension string
email string
rpId string

Relying Party ID

rpName string

Relying Party Name

notificationPolicyId string minLength: 0 maxLength: 100
customNotificationPolicyId null/string/object
templateVariant null/string
customTemplateVariant null/string/object
templateLocale null/string
templateVariables array
items array
type object
properties
userAgent string

User Agent

challenge string

Custom FIDO2 Challenge

createDeviceTestMode string

Create Test Device

oneTimeDeviceTestMode string

Create Test Device

Output Schema
output object
rawResponse object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
test object
properties object
otp string
headers object
statusCode integer
device object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string

Activate Device

Activate devices for the first time.

Properties
User ID textField

The unique identifier for the user.

Device ID textField

The unique identifier for the MFA device.

One-time Passcode textField

The one-time passcode (OTP) sent to the user.

Attestation textField

A read-only string that specifies the public key and signed challenge used to complete registration and device activation. The attestation is generated by the browser as a response to a specific user action, such as a fingerprint scan or tap on a security key.

Origin textField

The address of the server sending the initial registration challenge to the device.

Input Schema
default object
userId string required minLength: 0 maxLength: 100
deviceId string required minLength: 0 maxLength: 100
otp string

Passcode

attestation string

WebAuthn assertion

origin string

Origin

Output Schema
output object
rawResponse object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
headers object
statusCode integer
device object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string

Delete Device

Delete devices.

Properties
User ID textField

The unique identifier for the user.

Device ID textField

The unique identifier for the MFA device.

Input Schema
default object
userId string required minLength: 0 maxLength: 100
deviceId string required minLength: 0 maxLength: 100
Output Schema
output object
rawResponse object
headers object
statusCode integer

Resend OTP for Pairing

If the user did not receive the one-time passcode (OTP) that was sent for pairing a device, you can resend the OTP.

Properties
User ID textField

The unique identifier for the user.

Device ID textField

The unique identifier for the MFA device.

Input Schema
default object
userId string required minLength: 0 maxLength: 100
deviceId string required minLength: 0 maxLength: 100
Output Schema
output object
rawResponse object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
headers object
statusCode integer

Update Device Nickname

Update device nicknames.

Properties
User ID textField

The unique identifier for the user.

Device ID textField

The unique identifier for the MFA device.

Device Nickname textField

A nickname that identifies this device. The device nickname is limited to 100 characters.

Input Schema
default object
userId string required minLength: 0 maxLength: 100
deviceId string required minLength: 0 maxLength: 100
nickname string required

Device nickname

Output Schema
output object
rawResponse object
headers object
statusCode integer
nickname string

Read MFA Status

Indicates whether MFA is enabled for the user.

Properties
User ID textField

The unique identifier for the user.

Input Schema
default object
userId string required minLength: 0 maxLength: 100
Output Schema
output object
rawResponse object
headers object
statusCode integer
mfaEnabled boolean

Update MFA Status

Enables or disables MFA for the user.

Properties
User ID textField

The unique identifier for the user.

Enable User MFA toggleSwitch

Enable or disable user MFA.

Input Schema
default object
userId string required minLength: 0 maxLength: 100
mfaEnabled boolean required

MFA Enable Status Of User

Output Schema
output object
rawResponse object
headers object
statusCode integer
mfaEnabled boolean

Read Device Authentication Policy

Read PingOne MFA device authentication policies.

Properties
Device Authentication Policy dropDown

A unique identifier for the policy.

  • Enter Device Authentication Policy ID

Device Authentication Policy ID textField required
Input Schema
default object
deviceAuthenticationPolicyId string required minLength: 0 maxLength: 100
customDeviceAuthenticationPolicyId null/string/object
Output Schema
output object
rawResponse object
properties object
id string
name string
forSignOnPolicy boolean
default boolean
sms object
properties object
enabled boolean
otp object
properties object
failure object
properties object
count integer
coolDown object
properties object
duration integer
timeUnit string
lifeTime object
properties object
duration integer
timeUnit string
email object
properties object
enabled boolean
otp object
properties object
failure object
properties object
count integer
coolDown object
properties object
duration integer
timeUnit string
lifeTime object
properties object
duration integer
timeUnit string
voice object
properties object
enabled boolean
otp object
properties object
failure object
properties object
count integer
coolDown object
properties object
duration integer
timeUnit string
lifeTime object
properties object
duration integer
timeUnit string
mobile object
properties object
enabled boolean
otp object
properties object
failure object
properties object
count integer
coolDown object
properties object
duration integer
timeUnit string
window object
properties object
stepSize object
properties object
duration integer
timeUnit string
totp object
properties object
enabled boolean
otp object
properties object
failure object
properties object
count integer
coolDown object
properties object
duration integer
timeUnit string
platform object
properties object
enabled boolean
securityKey object
properties object
enabled boolean
createdAt string
updatedAt string
headers object
statusCode integer
deviceAuthenticationPolicy object
properties object
id string
name string
forSignOnPolicy boolean
default boolean
sms object
properties object
enabled boolean
otp object
properties object
failure object
properties object
count integer
coolDown object
properties object
duration integer
timeUnit string
lifeTime object
properties object
duration integer
timeUnit string
email object
properties object
enabled boolean
otp object
properties object
failure object
properties object
count integer
coolDown object
properties object
duration integer
timeUnit string
lifeTime object
properties object
duration integer
timeUnit string
voice object
properties object
enabled boolean
otp object
properties object
failure object
properties object
count integer
coolDown object
properties object
duration integer
timeUnit string
lifeTime object
properties object
duration integer
timeUnit string
mobile object
properties object
enabled boolean
otp object
properties object
failure object
properties object
count integer
coolDown object
properties object
duration integer
timeUnit string
window object
properties object
stepSize object
properties object
duration integer
timeUnit string
totp object
properties object
enabled boolean
otp object
properties object
failure object
properties object
count integer
coolDown object
properties object
duration integer
timeUnit string
platform object
properties object
enabled boolean
securityKey object
properties object
enabled boolean
createdAt string
updatedAt string

Create Device Authentication

Create authentication experiences with virtual or physical devices.

Properties
User ID Not Required toggleSwitch

Indicates whether the user ID is required or obtained from the authentication method used.

User ID textField

The unique identifier for the user.

MFA Policy ID textField

The ID of your PingOne MFA device authentication policy.

User Agent textField

Browser user agent

Device Details dropDown

Indicates whether to use the user’s default authentication method or to provide a specific authentication method.

  • ID

  • One-Time Device

Device ID textField

The selected device ID.

Device Type textField

The one-time device type

SMS Phone Number textField

The phone number to associate with the one-time SMS device.

Voice Phone Number textField

The phone number to associate with the one-time Voice device.

Email textField

The email address to associate with the one-time device.

Test Mode textField

Create device for test purposes only

Notification Type dropDown

Indicates whether the notification is intended for a user authentication flow or a device authorization flow.

  • Strong Authentication

  • Transaction

Notification Policy dropDown

A unique identifier for the policy.

  • Enter Notification Policy ID

Notification Policy ID textField
Notification Name dropDown

The name of a custom notification defined in PingOne. If the form you want is not listed, select Enter Custom Value.

  • Enter Custom Value

Custom Value textField

You can enter a custom template name, or leave blank to use the default template. You can also enter a parameter from a previous connector, or any text.

Notification Locale textField

Add a locale to allow localized notifications for end-users. ISO Language Codes are supported.

Notification Variables variableInputList

If custom variables are defined in the notification body, map them here.

Mobile Payload textField

A signed challenge generated by PingOne MFA mobile SDK.

Application dropDown

The unique identifier of the native application which initiated the authentication flow.

  • Enter Application ID

Application ID textField
Mobile Client Context variableInputList

Additional attributes that can be passed to the mobile application during the authentication.

Relying Party ID textField

If you define a Relying Party ID (RPID) here, it overrides the RPID defined in the FIDO policy in the PingOne admin console.

Custom FIDO2 Challenge textField

Applicable for FIDO2 authentication requests. Specify a custom challenge that will replace the automatically generated challenge sent with the authentication request. Must be a valid Base64URL string that decodes to a byte array of at least 32 bytes.

One-time Passcode textField

The one-time passcode (OTP) of the device used to authenticate. If the Device ID is not provided, the OTP is validated against all the applicable devices.
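
The Custom FIDO2 Challenge fields (in Create Device and in Create Device Authentication) replace the automatically generated challenge, so the quality of the value becomes the flow builder's responsibility. The following is an added example, not part of the PingOne documentation or the connector's code: it generates a challenge from the operating system's CSPRNG and checks a candidate value against the stated format (Base64URL, at least 32 decoded bytes). The function names and the repeated-byte heuristic are assumptions made for illustration.

```python
import base64
import re
import secrets

# Minimum decoded length stated in the Custom FIDO2 Challenge field description.
MIN_CHALLENGE_BYTES = 32
# Heuristic threshold (assumption): 32 random bytes virtually never contain
# fewer than 8 distinct values, while constant or repeating filler does.
MIN_DISTINCT_BYTES = 8

_B64URL = re.compile(r"[A-Za-z0-9_-]+={0,2}")


def new_fido2_challenge(num_bytes=MIN_CHALLENGE_BYTES):
    """Return a fresh, unpadded Base64URL challenge drawn from the OS CSPRNG."""
    if num_bytes < MIN_CHALLENGE_BYTES:
        raise ValueError(f"challenge must be at least {MIN_CHALLENGE_BYTES} bytes")
    raw = secrets.token_bytes(num_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_fido2_challenge(value):
    """Return a list of problems; an empty list means the value is acceptable."""
    if not isinstance(value, str) or not value:
        return ["challenge is empty or not a string"]
    if "+" in value or "/" in value:
        return ["uses the standard Base64 alphabet (+ or /) instead of Base64URL (- and _)"]
    # The base64 module silently skips invalid characters by default, so the
    # alphabet is checked explicitly first. fullmatch also rejects a trailing
    # newline, which '$' would let through.
    if not _B64URL.fullmatch(value):
        return ["contains characters outside the Base64URL alphabet"]

    body = value.rstrip("=")
    if len(body) % 4 == 1:
        return ["length is impossible for Base64URL data (truncated value?)"]
    if value != body and len(value) % 4 != 0:
        return ["padding is present but inconsistent with the length"]

    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    problems = []
    if len(raw) < MIN_CHALLENGE_BYTES:
        problems.append(
            f"decodes to {len(raw)} bytes; at least {MIN_CHALLENGE_BYTES} are required"
        )
    elif len(set(raw)) < MIN_DISTINCT_BYTES:
        problems.append(
            "decoded bytes are mostly repeated values; the challenge does not look random"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample values, for demonstration only.
    samples = {
        "fresh": new_fido2_challenge(),
        "too short": base64.urlsafe_b64encode(bytes(range(16))).rstrip(b"=").decode(),
        "all zero bytes": "A" * 43,
        "standard Base64": base64.b64encode(b"\xfb\xff\xfe" * 11).decode(),
    }
    for label, candidate in samples.items():
        issues = check_fido2_challenge(candidate)
        print(f"{label}: {'ok' if not issues else '; '.join(issues)}")
```

Generate a new challenge for every pairing or authentication request; a value that passes these checks but is reused across requests no longer serves its purpose.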

Input Schema
default object
userId string required minLength: 0 maxLength: 100
mfaPolicyId string minLength: 0 maxLength: 100
authTemplateName null/string
notificationPolicyId string minLength: 0 maxLength: 100
customNotificationPolicyId null/string/object
templateVariant null/string
customTemplateVariant null/string/object
templateLocale null/string
templateVariables array
items array
type object
properties
mobilePayload null/string

Mobile Payload

applicationId string minLength: 0 maxLength: 100

Application ID

customApplicationId null/string/object
clientContext array

Mobile Client Context

items array
type object
properties
userAgent string

User Agent

rpId string

Relying Party ID

deviceAuthenRpId string

Relying Party ID

challenge string

Custom FIDO2 Challenge

createDeviceTestMode string

Create Test Device

oneTimeDeviceTestMode string

Create Test Device

usernameLess boolean

User ID Not Required

selectedDevice null/string
selectedDeviceId null/string
oneTimeDeviceType null/string
oneTimeSmsDevice null/string
oneTimeVoiceDevice null/string
oneTimeEmailDevice null/string
otp string

Passcode

Output Schema
output object
rawResponse object
properties object
id string
user object
properties object
id string
environment object
properties object
id string
policy object
properties object
id string
selectedDevice object
properties object
id string
application object
properties object
id string
status string
authenticators array
items array
type string
publicKeyCredentialRequestOptions string
_links object
_embedded object
properties object
devices array
items array
type object
properties object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
test object
properties object
otp string
headers object
statusCode integer

Read Device Authentication

Read device authentication information.

Properties
Device Authentication ID textField

The unique identifier for the MFA Device Authentication.

Input Schema
default object
deviceAuthenticationId string required minLength: 0 maxLength: 100

Device Authentication ID

Output Schema
output object
rawResponse object
properties object
id string
user object
properties object
id string
environment object
properties object
id string
policy object
properties object
id string
selectedDevice object
properties object
id string
application object
properties object
id string
status string
authenticators array
items array
type string
publicKeyCredentialRequestOptions string
_links object
_embedded object
properties object
devices array
items array
type object
properties object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
headers object
statusCode integer

Device Selection

Enables users to choose the way they authenticate if more than one option is available.

Properties
Device Authentication ID textField

The unique identifier for the MFA Device Authentication.

Device ID textField

The unique identifier for the MFA device.

WebAuthn Browser Compatibility textField
Input Schema
default object
deviceId string required minLength: 0 maxLength: 100
deviceAuthenticationId string required minLength: 0 maxLength: 100

Device Authentication ID

compatibility null/string

WebAuthn Compatibility

Output Schema
output object
rawResponse object
properties object
id string
user object
properties object
id string
environment object
properties object
id string
policy object
properties object
id string
selectedDevice object
properties object
id string
application object
properties object
id string
status string
authenticators array
items array
type string
publicKeyCredentialRequestOptions string
_links object
_embedded object
properties object
devices array
items array
type object
properties object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
headers object
statusCode integer

Device Passcode

Ensures that device one-time passcodes (OTPs) are valid.

Properties
Device Authentication ID textField

The unique identifier for the MFA Device Authentication.

One-time Passcode textField

The one-time passcode (OTP) sent to the user.

Input Schema
default object
otp string required

Passcode

deviceAuthenticationId string required minLength: 0 maxLength: 100

Device Authentication ID

Output Schema
output object
rawResponse object
properties object
id string
user object
properties object
id string
environment object
properties object
id string
policy object
properties object
id string
selectedDevice object
properties object
id string
application object
properties object
id string
status string
authenticators array
items array
type string
publicKeyCredentialRequestOptions string
_links object
_embedded object
properties object
devices array
items array
type object
properties object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
headers object
statusCode integer

FIDO Assertion

Ensures that assertions provided to authenticate devices are valid.

Properties
Device Authentication ID textField

The unique identifier for the MFA Device Authentication.

Assertion textField

A string that specifies the authenticator assertion response. The string contains the signed challenge needed to complete the MFA authentication.

Origin textField

The address of the server sending the initial registration challenge to the device.

WebAuthn Browser Compatibility textField
Input Schema
default object
assertion string required

WebAuthn assertion

origin string required

Origin

deviceAuthenticationId string required minLength: 0 maxLength: 100

Device Authentication ID

Output Schema
output object
rawResponse object
properties object
id string
user object
properties object
id string
environment object
properties object
id string
policy object
properties object
id string
selectedDevice object
properties object
id string
application object
properties object
id string
status string
authenticators array
items array
type string
publicKeyCredentialRequestOptions string
_links object
_embedded object
properties object
devices array
items array
type object
properties object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
headers object
statusCode integer

Read Pairing Key

Read pairing key information associated with users.

Properties
User ID textField

The unique identifier for the user.

Pairing Key ID textField

The unique identifier for the pairing key.

Input Schema
default object
userId string required minLength: 0 maxLength: 100
pairingKeyId string required minLength: 0 maxLength: 100

Pairing Key ID

Output Schema
output object
rawResponse object
properties object
id string
code string
status string
error object
properties object
code string
message string
createdAt string
updatedAt string
expiresAt string
headers object
statusCode integer

Create Pairing Key

Create pairing keys that can be used by native mobile applications to create trust with PingOne MFA.

Properties
User ID textField

The unique identifier for the user.

Applications dropDownMultiSelect

Select the application(s) that can be used with this pairing key. Leave this list empty to allow all available native applications in the environment to be used.

Input Schema
default object
userId string required minLength: 0 maxLength: 100
applicationIds null/array
Output Schema
output object
rawResponse object
properties object
id string
code string
status string
error object
properties object
code string
message string
createdAt string
updatedAt string
expiresAt string
headers object
statusCode integer

Delete Pairing Key

Delete unclaimed pairing keys.

Properties
User ID textField

The unique identifier for the user.

Pairing Key ID textField

The unique identifier for the pairing key.

Input Schema
default object
userId string required minLength: 0 maxLength: 100
pairingKeyId string required minLength: 0 maxLength: 100

Pairing Key ID

Output Schema
output object
rawResponse object
headers object
statusCode integer

Create Authentication Code

Create a single-use code to authenticate a user during sign-on using a mobile application. You can embed this code in a scannable QR code, or require that the user manually enter it to sign on.

Properties
Application dropDown

The unique identifier for the mobile application used to authenticate a user.

  • Enter Application ID

Application ID textField required
Duration textField

The period of time that the authentication code is valid, which can be anywhere from 10 seconds to 30 minutes.

Time Unit dropDown required

The units of time used to indicate the authentication code duration.

  • SECONDS (Default)

  • MINUTES

User Approval dropDown

Specify whether the user will need to approve the authentication after they scan the authentication code using a mobile application.

  • REQUIRED (Default)

  • NOT_REQUIRED

Mobile Client Context variableInputList

Additional attributes that can be passed to the mobile application during the authentication.

Input Schema
default object
authenticatingApplicationId string required minLength: 0 maxLength: 100

Application ID

customAuthenticatingApplicationId null/string/object
duration string required

Duration in seconds

timeUnit string
userApproval string required
clientContext array

Mobile Client Context

items array
type object
properties
Output Schema
output object
rawResponse object
properties object
id string
code string
uri string
status string
userApproval string
user object
properties object
id string
lifeTime object
properties object
duration integer
timeUnit string
clientContext object
_embedded object
properties object
device object
properties object
id string
os object
properties object
version string
type string
model object
properties object
name string
marketingName string
application object
properties object
nativeName string
version string
error object
properties object
code string
message string
createdAt string
updatedAt string
expiresAt string
headers object
statusCode integer
authenticationCode object
properties object
id string
code string
uri string
status string
userApproval string
user object
properties object
id string
lifeTime object
properties object
duration integer
timeUnit string
clientContext object
_embedded object
properties object
device object
properties object
id string
os object
properties object
version string
type string
model object
properties object
name string
marketingName string
application object
properties object
nativeName string
version string
error object
properties object
code string
message string
createdAt string
updatedAt string
expiresAt string

Read Authentication Code

Read the authentication code.

Properties
Authentication Code ID textField

The unique identifier for the authentication code.

Input Schema
default object
authenticationCodeId string required minLength: 0 maxLength: 100

Authentication Code ID

Output Schema
output object
rawResponse object
properties object
id string
code string
uri string
status string
userApproval string
user object
properties object
id string
lifeTime object
properties object
duration integer
timeUnit string
clientContext object
_embedded object
properties object
device object
properties object
id string
os object
properties object
version string
type string
model object
properties object
name string
marketingName string
application object
properties object
nativeName string
version string
error object
properties object
code string
message string
createdAt string
updatedAt string
expiresAt string
headers object
statusCode integer
authenticationCode object
properties object
id string
code string
uri string
status string
userApproval string
user object
properties object
id string
lifeTime object
properties object
duration integer
timeUnit string
clientContext object
_embedded object
properties object
device object
properties object
id string
os object
properties object
version string
type string
model object
properties object
name string
marketingName string
application object
properties object
nativeName string
version string
error object
properties object
code string
message string
createdAt string
updatedAt string
expiresAt string

Set Device Order

Explicitly sets the order of a user’s existing active devices.

Properties
User ID textField

The unique identifier for the user.

Set Device Order dropDown

Select how to set the device order.

  • Set default device

  • Set device order

Device ID textField

Enter the device ID of the device which should be set as the default device.

Input attributes as JSON? toggleSwitch
Set Device Order multipleTextFields

Enter the device IDs in the order that the devices should be listed for the user.

Attributes codeEditor

An array of objects that determines the explicit order of a user’s devices. The first device listed becomes the default device. This property is used as a body parameter to set the order of existing devices.

Default:

{
  "order": [
    {
      "id": "{{deviceID}}"
    },
    {
      "id": "{{deviceID2}}"
    }
  ]
}
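
An added example (not from the PingOne documentation) that builds the Attributes body in the format shown above from device records shaped like the Read All Devices output, dropping devices that are not ACTIVE and placing stronger authenticators first so that one of them becomes the default. The strength tiers, the function names, and the sample device IDs are assumptions of this example.

```python
import json

# Assumed strength tiers, strongest first. The tiering is this example's policy
# choice, not PingOne's; the type names are the ones listed for Create Device.
TIERS = (
    {"FIDO2", "PLATFORM", "SECURITY_KEY"},  # phishing-resistant authenticators
    {"TOTP", "OATH_TOKEN", "YUBIKEY"},      # locally generated one-time passcodes
    {"EMAIL", "SMS", "VOICE"},              # passcodes delivered over a network
)


def tier_of(device_type):
    for rank, names in enumerate(TIERS):
        if device_type in names:
            return rank
    return len(TIERS)  # unknown types sort last


def build_device_order(devices, default_device_id=None):
    """Build the Attributes body from device records (id, type, status)."""
    active, seen = [], set()
    for dev in devices:
        dev_id = dev.get("id")
        # Only existing ACTIVE devices are ordered; skip duplicates and blanks.
        if not dev_id or dev_id in seen or dev.get("status") != "ACTIVE":
            continue
        seen.add(dev_id)
        active.append(dev)
    if default_device_id is not None and default_device_id not in seen:
        raise ValueError("requested default is not an active device for this user")
    # sorted() is stable, so devices in the same tier keep their current order.
    ordered = sorted(
        active,
        key=lambda d: (d["id"] != default_device_id, tier_of(d.get("type"))),
    )
    return {"order": [{"id": d["id"]} for d in ordered]}


# Constructed sample shaped like the devices array in the Read All Devices output.
SAMPLE_DEVICES = [
    {"id": "dev-sms", "type": "SMS", "status": "ACTIVE"},
    {"id": "dev-totp", "type": "TOTP", "status": "ACTIVE"},
    {"id": "dev-key", "type": "SECURITY_KEY", "status": "ACTIVATION_REQUIRED"},
    {"id": "dev-fido", "type": "FIDO2", "status": "ACTIVE"},
    {"id": "dev-email", "type": "EMAIL", "status": "ACTIVE"},
]

if __name__ == "__main__":
    print(json.dumps(build_device_order(SAMPLE_DEVICES), indent=2))
```
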
Input Schema
default object
userId string required minLength: 0 maxLength: 100
setDeviceOrder string
defaultDeviceId string minLength: 0 maxLength: 100
useDeviceOrderJsonAttributes boolean
deviceOrderList array
items array
type object
jsonAttributes null/string/object
Output Schema
output object
rawResponse object
properties object
_embedded object
properties object
devices array
items array
type object
properties object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
applications array
items array
type object
properties
allowedtypes array
items array
type string
order array
properties array
id string
mfaSettings object
properties object
environment object
properties object
id string
pairing object
properties object
maxAllowedDevices integer
mfaPolicy object
properties object
authentication object
properties object
deviceSelection string
size number
headers object
statusCode integer
devices array
items array
type object
properties object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
order array
properties array
id string

Cancel Device Authentication

Cancel the authentication process for a specific device.

Properties
Device Authentication ID textField

The unique identifier for the MFA Device Authentication.

Reason For Cancellation textField

The reason that the authentication was canceled. Possible values are SIGNOUT, CHANGE_DEVICE, and ADD_DEVICE. Any other reason is assigned the value DEFAULT.

Input Schema
default object
reason string

Reason

deviceAuthenticationId string required minLength: 0 maxLength: 100

Device Authentication ID

Output Schema
output object
rawResponse object
properties object
id string
user object
properties object
id string
environment object
properties object
id string
policy object
properties object
id string
selectedDevice object
properties object
id string
application object
properties object
id string
status string
authenticators array
items array
type string
publicKeyCredentialRequestOptions string
_links object
_embedded object
properties object
devices array
items array
type object
properties object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
headers object
statusCode integer

Create Device

Create devices to use during authentication.

Properties
User ID textField

The unique identifier for the user.

Device Type textField

The type of device used during authentication. Supported values are: SMS, EMAIL, VOICE, TOTP, YUBIKEY, OATH_TOKEN, PLATFORM, SECURITY_KEY, FIDO2.

Activation Status dropDown

The current status of the device. If a device has an ACTIVATION_REQUIRED status, activate it before you add it as a trusted device.

  • ACTIVE

  • ACTIVATION REQUIRED

Phone Number textField

The phone number to associate with the device. Applies only to devices that use SMS and Voice SMS messages during authentication.

Email textField

The email address to associate with the device. Applies only to devices that use email during authentication.

Device Nickname textField

A nickname that identifies this device. The device nickname is limited to 100 characters.

Relying Party ID textField

If you define a Relying Party ID (RPID) here, it overrides the RPID defined in the FIDO policy in the PingOne admin console.

Relying Party Name textField

A string that specifies the relying party’s human-readable display name.

YubiKey textField

The one-time passcode used to authenticate the YubiKey.

Serial Number textField

The unique identifier for the OAuth token.

User Agent textField

The browser user agent.

Input Schema
default object
userId string required minLength: 0 maxLength: 100
workforceDeviceType string required
status string required
nickname string
phone string
email string
rpId string

Relying Party ID

rpName string

Relying Party Name

userAgent string

User Agent

Output Schema
output object
rawResponse object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
test object
properties object
otp string
headers object
statusCode integer
device object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string

Create Device Authentication

Create authentication experiences with virtual or physical devices.

Properties
User ID Not Required toggleSwitch

Indicates whether the user ID is required or obtained from the authentication method used.

User ID textField

The unique identifier for the user.

MFA Policy ID textField

The ID of the PingID policy evaluation.

User Agent textField

The browser user agent.

Device Details dropDown

Indicates whether to use the user’s default authentication method or to provide a specific authentication method.

  • ID

  • One-Time Device

Device ID textField

The ID of the selected device.

Device Type textField

The type of the one-time device.

SMS Phone Number textField

The phone number to associate with the one-time SMS device.

Voice Phone Number textField

The phone number to associate with the one-time Voice device.

Email textField

The email address to associate with the one-time device.

Notification Type dropDown

Indicates whether the notification is intended for a user authentication flow or a device authorization flow.

  • Strong Authentication

  • Transaction

Relying Party ID textField

If you define a Relying Party ID (RPID) here, it overrides the RPID defined in the FIDO policy in the PingOne admin console.

WebAuthn Browser Compatibility textField
Custom FIDO2 Challenge textField

Applicable for FIDO2 authentication requests. Specify a custom challenge that replaces the automatically generated challenge sent with the authentication request. Must be a valid Base64URL string that decodes to a byte array of at least 32 bytes.

FIDO Compatibility textField

A string that specifies the FIDO Authenticators that are allowed to be used. Options are FULL (compatible with FIDO2, platform biometrics, and security key) and NONE (not compatible with FIDO).

One-time Passcode textField

The one-time passcode (OTP) of the device used to authenticate. If the Device ID is not provided, the OTP is validated against all the applicable devices.
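
The following Python sketch is an added example, not code from the PingOne or DaVinci documentation. It generates and validates a value for the Custom FIDO2 Challenge property (Base64URL, at least 32 decoded bytes) and pre-checks that a returned WebAuthn clientDataJSON carries that same challenge and the Origin expected by the FIDO Assertion capability. It assumes the caller has already extracted the clientDataJSON field from the Assertion string; the function names and sample values are constructed for illustration.

```python
import base64
import hmac
import json
import re
import secrets

MIN_CHALLENGE_BYTES = 32  # minimum decoded length required for Custom FIDO2 Challenge


def b64url_decode(text):
    """Strictly decode Base64URL (padding optional); raise ValueError if malformed."""
    body = text.rstrip("=")
    # urlsafe_b64decode silently skips foreign characters, so reject them up front.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", body) or len(body) % 4 == 1:
        raise ValueError("not a valid Base64URL string")
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_challenge(num_bytes=MIN_CHALLENGE_BYTES):
    """Return a fresh, unpredictable challenge; generate one per authentication."""
    if num_bytes < MIN_CHALLENGE_BYTES:
        raise ValueError("challenge must be at least 32 bytes")
    return b64url_encode(secrets.token_bytes(num_bytes))


def is_valid_custom_challenge(value):
    try:
        return len(b64url_decode(value)) >= MIN_CHALLENGE_BYTES
    except ValueError:
        return False


def check_client_data(client_data_b64, expected_challenge, expected_origin):
    """Return a list of problems; an empty list means the binding is consistent."""
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return ["clientDataJSON is not Base64URL-encoded JSON"]
    if not isinstance(data, dict):
        return ["clientDataJSON is not a JSON object"]
    problems = []
    if data.get("type") != "webauthn.get":
        problems.append("type is not webauthn.get")
    try:
        got = b64url_decode(str(data.get("challenge", "")))
    except ValueError:
        got = b""
    if not hmac.compare_digest(got, b64url_decode(expected_challenge)):
        problems.append("challenge mismatch")
    if data.get("origin") != expected_origin:  # exact match, no prefix or suffix logic
        problems.append("origin mismatch")
    return problems


def constructed_client_data(challenge, origin):
    """Constructed sample of what a browser would return (illustration only)."""
    doc = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(doc).encode("utf-8"))


if __name__ == "__main__":
    challenge = new_challenge()
    sample = constructed_client_data(challenge, "https://login.example.com")
    print(is_valid_custom_challenge(challenge))
    print(check_client_data(sample, challenge, "https://login.example.com"))
    print(check_client_data(sample, challenge, "https://login.example.org"))
```

These checks do not verify the assertion signature; they only confirm the challenge and origin binding before the assertion is submitted for validation.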

Input Schema
default object
userId string required minLength: 0 maxLength: 100
workforcePolicyMfaPolicyId string minLength: 0 maxLength: 100
authTemplateName null/string
userAgent string

User Agent

rpId string

Relying Party ID

deviceAuthenRpId string

Relying Party ID

createDeviceTestMode string

Create Test Device

oneTimeDeviceTestMode string

Create Test Device

usernameLess boolean

User ID Not Required

selectedDevice null/string
selectedDeviceId null/string
oneTimeDeviceType null/string
oneTimeSmsDevice null/string
oneTimeVoiceDevice null/string
oneTimeEmailDevice null/string
challenge string

Custom FIDO2 Challenge

fidoCompatibility null/string

WebAuthn Compatibility

compatibility null/string

WebAuthn Compatibility

otp string

Passcode

Output Schema
output object
rawResponse object
properties object
id string
user object
properties object
id string
environment object
properties object
id string
policy object
properties object
id string
selectedDevice object
properties object
id string
application object
properties object
id string
status string
authenticators array
items array
type string
publicKeyCredentialRequestOptions string
_links object
_embedded object
properties object
devices array
items array
type object
properties object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
test object
properties object
otp string
headers object
statusCode integer

Create Pairing Key

Create pairing keys that can be used by the PingID mobile app to create trust with PingID.

Properties
User ID textField

The unique identifier for the user.

Input Schema
default object
userId string required minLength: 0 maxLength: 100
Output Schema
output object
rawResponse object
properties object
id string
code string
status string
error object
properties object
code string
message string
createdAt string
updatedAt string
expiresAt string
headers object
statusCode integer

Read All Devices

Read information for all user devices.

Properties
User ID textField

The unique identifier for the user.

Filters toggleSwitch

Filter devices by activation status and device type.

Status dropDown

Non-active devices cannot be used during authentication.

  • ALL (Default)

  • ACTIVE

  • ACTIVATION REQUIRED

Device Types dropDownMultiSelect
  • Email

  • SMS

  • Voice

  • Authenticator App

  • Fido2 Biometrics

  • Security Key

  • Oath token

  • YubiKey

  • Desktop app

  • PingID Mobile app

Input Schema
default object
userId string required minLength: 0 maxLength: 100
setFilterFlag boolean
statusFilter string
workforceDeviceTypes array uniqueItems: true
items array
type string
maxLength maxLength: 255
Output Schema
output object
rawResponse object
properties object
_embedded object
properties object
devices array
items array
type object
properties object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
applications array
items array
type object
properties
allowedtypes array
items array
type string
order array
properties array
id string
mfaSettings object
properties object
environment object
properties object
id string
pairing object
properties object
maxAllowedDevices integer
mfaPolicy object
properties object
authentication object
properties object
deviceSelection string
size number
headers object
statusCode integer
devices array
items array
type object
properties object
properties object
id string
type string
status string
nickname string
phone string
extension string
email string
secret string
keyUri string
oathToken string
serialNumber string
rp object
properties object
id string
name string
platform string
publicKeyCredentialCreationOptions string
attributes object
properties object
previousDeviceType string
isCrossPlatform boolean
displayName string
createdAt string
updatedAt string
allowedtypes array
items array
type string
applications array
items array
type object
properties
mfaSettings object
properties object
environment object
properties object
id string
pairing object
properties object
maxAllowedDevices integer
mfaPolicy object
properties object
authentication object
properties object
deviceSelection string
order array
properties array
id string