Device management
As part of the provisioning process, the PingID Provisioner can add and update the authentication devices associated with each user in PingID.
For general information about devices, see PingID authentication for the web and Managing your devices in the PingID documentation.
Nicknames
PingID assigns nicknames to authentication devices. These nicknames appear in the user interface, such as on the device management page. The PingID Provisioner also uses nicknames to identify the devices it manages.
The following are the "managed" nicknames used by the provisioning connector:
- Email 1
- Email 2
- Email 3
- SMS Number 1
- SMS Number 2
- SMS Number 3
- Voice Number 1
- Voice Number 2
- Voice Number 3
The connector can only manage these nine devices.
Mapping attributes to nicknames
Each of the managed devices can be populated by a matching user attribute on the Attribute Mapping tab of the channel configuration. The matching attributes are prefixed with "MFA", such as "MFA SMS Number 1".
You can map these attributes in the Creating a provisioning connection part of the setup process.
Device management
The PingID Provisioner can compare the device values (the email address or phone number) in PingID against the values in the datastore. The datastore is always considered the source of truth when updating the nine managed devices, but you can choose how the connector handles other devices it finds. Alternatively, you can turn off device management and use PingID as the source of truth.
You can configure the connector’s device management behavior using the Manage devices setting in the Creating a provisioning connection part of the setup process.
Setting | Description |
---|---|
Do not manage devices | PingFederate doesn’t provision or manage any devices in PingID. Users can manage their own devices as shown in Managing your devices in the PingID documentation. |
Merge devices | PingFederate provisions devices to PingOne for Enterprise using the nine managed nicknames. When updating a user, if there is a conflict between the datastore and PingID for one of the managed devices, the datastore takes precedence. PingFederate removes and re-creates the device in PingID with the new value. The provisioner doesn’t change devices with non-managed nicknames, such as devices added by the user or an administrator. |
Overwrite devices | This behaves the same as Merge devices, except the provisioner removes all devices with non-managed nicknames, such as devices added by the user or an administrator. |
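To preview what each Manage devices mode would do to a user before changing the setting, the following added example models the behavior in the table above; it is not PingFederate or connector code and calls no Ping API. The mode labels, function name and sample data are hypothetical, and it assumes a managed device with no mapped datastore value is left alone, which this page does not specify.

```python
# Added illustration: models the "Manage devices" modes described above.
# It is not PingFederate or PingID code and calls no Ping API.
MANAGED = [f"{kind} {n}" for kind in ("Email", "SMS Number", "Voice Number")
           for n in (1, 2, 3)]  # the nine managed nicknames from the page


def plan_device_changes(mode, datastore, pingid):
    """Return the ordered (action, nickname, value) steps for one user update.

    mode      -- "none", "merge" or "overwrite" (hypothetical labels)
    datastore -- {"MFA SMS Number 1": "+15550100", ...} mapped attributes
    pingid    -- {nickname: value} devices currently on the PingID user
    """
    if mode == "none":
        return []  # Do not manage devices: PingID stays the source of truth
    if mode not in ("merge", "overwrite"):
        raise ValueError(f"unknown mode: {mode}")
    steps = []
    for nickname in MANAGED:
        wanted = datastore.get(f"MFA {nickname}")
        current = pingid.get(nickname)
        if not wanted:
            # Assumption: the page does not say what happens to a managed
            # device with no mapped value, so this model leaves it alone.
            continue
        if current is None:
            steps.append(("create", nickname, wanted))
        elif current != wanted:
            # Datastore wins: the device is removed and re-created.
            steps.append(("remove", nickname, current))
            steps.append(("create", nickname, wanted))
    if mode == "overwrite":
        # Only Overwrite touches devices the user or an admin enrolled.
        for nickname, value in pingid.items():
            if nickname not in MANAGED:
                steps.append(("remove", nickname, value))
    return steps


# Constructed sample data, not taken from a real tenant.
DATASTORE = {"MFA Email 1": "ana@example.com", "MFA SMS Number 1": "+15550100"}
PINGID = {"Email 1": "ana@example.com", "SMS Number 1": "+15550199",
          "Ana's phone app": "mobile-app"}

if __name__ == "__main__":
    for mode in ("none", "merge", "overwrite"):
        print(mode, plan_device_changes(mode, DATASTORE, PINGID))
```

With the sample data, Merge replaces only the conflicting SMS Number 1, while Overwrite additionally removes the user-enrolled device that has a non-managed nickname.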
Primary devices
In PingID, each user can have one "primary" device. The user is prompted to authenticate using this device by default.
When creating a new user, the PingID Provisioner can set a primary device automatically. You can customize this behavior with the Primary Device on Create setting in the Creating a provisioning connection part of the setup process.
When updating existing users, the PingID Provisioner doesn’t set or change the primary device.
Setting | Description |
---|---|
Do not manage | PingID Provisioner can provision devices, but it doesn’t set a primary device. |
MFA Email 1 | PingID Provisioner sets |
MFA SMS Number 1 | PingID Provisioner sets |
MFA Voice Number 1 | PingID Provisioner sets |