Microsoft EAM Integration Kit

Configuring the downstream adapter to export amr as an additional attribute

Configure the downstream adapter you’re planning to use as the MFA factor to export amr as an additional attribute.

In the following example, the PingID adapter is the downstream adapter.

Steps

  1. In the PingFederate administrative console, open the PingID adapter configuration and go to the Extended Contract tab.

  2. In the Extend the Contract field, enter amr. Click Add.

  3. Go to the Adapter Contract Mapping tab and click Configure Adapter Contract.

  4. Convert PingID-specific amr values into Microsoft Entra ID-specific amr values:

    1. Go to the Adapter Contract Fulfillment tab.

    2. Find amr in the Contract column.

    3. In the corresponding Source list, select Expression.

    4. In the corresponding Value field, enter the following OGNL expression:

      #xref = #{
      "FIDO2":"fido",
      "FIDO2_BIOMETRICS":"fido",
      "BYPASS":"bypass",
      "MOBILE_APP_BIOMETRICS":"bio",
      "MOBILE_APP_SWIPE":"swk",
      "NUMBER_MATCHING":"swk",
      "MOBILE_APP_OTP":"otp",
      "POLICY_APPROVE":"pop",
      "EMAIL":"otp",
      "SMS":"sms",
      "VOICE":"tel",
      "YUBIKEY":"hwk",
      "OATH_TOKEN":"hwk",
      "AUTHENTICATOR_APP":"otp",
      "DESKTOP_OTP":"otp",
      "SECURITY_KEY":"fido" },
      #attr = #this.get("pingid.authentication.type"),
      #action = (#attr != null) ? #attr.toString() : null,
      #result = (#action != null) && (#xref[#action] != null) ? #xref[#action] : "no_mapping",
      #result

  5. Click Done.
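
The lookup in step 4 is an exact, case-sensitive match, so any pingid.authentication.type value that is not a key of #xref is exported as no_mapping. The following Python script is an added example, not part of the PingFederate documentation or the integration kit: it parses the #xref map literal and counts which observed values would fall through. The function names and the sample values (including HARDWARE_TOKEN) are constructed for illustration.

```python
import re
from collections import Counter

# The #xref map literal from step 4, pasted as configured.
XREF_LITERAL = '''#xref = #{
"FIDO2":"fido",
"FIDO2_BIOMETRICS":"fido",
"BYPASS":"bypass",
"MOBILE_APP_BIOMETRICS":"bio",
"MOBILE_APP_SWIPE":"swk",
"NUMBER_MATCHING":"swk",
"MOBILE_APP_OTP":"otp",
"POLICY_APPROVE":"pop",
"EMAIL":"otp",
"SMS":"sms",
"VOICE":"tel",
"YUBIKEY":"hwk",
"OATH_TOKEN":"hwk",
"AUTHENTICATOR_APP":"otp",
"DESKTOP_OTP":"otp",
"SECURITY_KEY":"fido" }'''

# Constructed sample of observed attribute values; None stands for a missing attribute.
SAMPLE_OBSERVED = ["SMS", "sms", "FIDO2", "HARDWARE_TOKEN", "sms", None, "MOBILE_APP_OTP"]

PAIR = re.compile(r'"([^"]+)"\s*:\s*"([^"]+)"')

def parse_xref(expression):
    """Extract the "KEY":"value" pairs of the #{...} literal; reject duplicate keys."""
    body = expression[expression.index("#{") + 2 : expression.index("}")]
    pairs = PAIR.findall(body)
    dupes = [k for k, n in Counter(k for k, _ in pairs).items() if n > 1]
    if dupes:
        raise ValueError(f"duplicate keys in #xref: {dupes}")
    return dict(pairs)

def map_amr(xref, auth_type):
    """Exact, case-sensitive lookup; unknown or missing (None) values are unmapped."""
    return xref.get(auth_type, "no_mapping")

def audit(xref, observed):
    """Count the observed values that would be exported as no_mapping."""
    return Counter(v for v in observed if map_amr(xref, v) == "no_mapping")

if __name__ == "__main__":
    xref = parse_xref(XREF_LITERAL)
    print(dict(audit(xref, SAMPLE_OBSERVED)))
```
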

Next steps