One-Time Passcode Integration Kit

One-Time Passcode IdP Adapter settings reference

Field descriptions for the One-Time Passcode IdP Adapter configuration screen.

Table 1. Standard fields
Field Description

Device Selection

Automatic – The adapter uses the method from the Preferred Delivery Method Attribute or uses the first delivery method that it matches in the Notification Delivery Methods list.

User Choice – The adapter prompts the user to choose the delivery method.

Preferred Delivery Method Attribute

The source attribute that contains the user’s preferred one-time passcode (OTP) delivery method.

If the user has a valid preferred delivery method attribute, it overrides the Automatic and User choice options above.

For example, you enter OTPPreference in this field. You also create a user attribute called OTPPreference in your data store or pass it to this adapter as a chained attribute.

When Alice signs on, the adapter checks her OTPPreference attribute. The value is sms, which matches one of the Language Properties and Template Key entries in the Notification Delivery Methods table. The adapter automatically sends the OTP to Alice by SMS message.

Attribute Source

The source of the attribute in the Preferred Delivery Method Attribute field and the attributes listed in the Contact Attribute column of the Notification Delivery Methods table.

Select a data store, or select Chained Attributes if the adapter receives the attributes from earlier in the authentication flow.

Search String

The string that the adapter uses to search the data store to find the user.

  • For JDBC, enter a "select" statement. For example, select email, phone from <db.table> where username=${userid}.

  • For LDAP, enter an LDAP filter. For example, sAMAccountName=${userid}.

  • For a PingOne for Customers data store, enter the attribute. For example, username=${userid} or id=${userid}s.

  • For REST API data stores, enter the resource path that is appended to the base URL of the REST API data store. For example, /users?uid=${userid}.

The ${userid} variable contains the user ID. Your adapter instance receives this from earlier in your PingFederate authentication flow.

Base DN

The base DN that the adapter uses when connecting to an LDAP data store.

Test User ID

The user ID used to test the configuration on the Actions tab.

Failure Mode

This setting determines whether the adapter should block the user’s sign-on attempt or bypass the OTP requirement when the adapter can’t find the user or contact information in the data store or chained attributes.
Table 2. Advanced fields
Field Description

OTP Length

Length of the one-time password generated by the adapter.

The default value is 6.

Max OTP Attempts

The maximum number of times the user is allowed to try entering the one-time password before authentication fails.

The default value is 3.

Max OTP Resends

The maximum number of times the user is allowed to request a specific one-time password to be sent. After reaching this limit, the Resend button on the passcode entry prompt no longer resends the passcode.

The default value is 15.

Show Success Screens

Determines whether the adapter shows an authentication success screen to the user.

This check box is selected by default.

Show Error Screens

Determines whether the adapter shows an authentication error screen to the user.

This check box is selected by default.

OTP Generator Field

A read-only value used by the adapter.

Do not edit this field.

This field is hidden in PingFederate 10 and later.

LDAP Search Scope

When the attribute source is an LDAP data store, this setting determines the scope of the user search.

Single Level – Searches the immediate children of the base object, but excludes the base object itself.

Include Subtree (default) – Searches all child objects as well as the base object.