PingOne

MFA bypass configuration requirements

To bypass multi-factor authentication (MFA) prompts when managing devices, you must configure at least two adapters in your authentication policy. This is a validation requirement for the Bypass MFA For Device Management Attribute field; it guarantees that the user has already completed MFA before reaching the device management step.

Authentication policy requirements

Your authentication policy must:

  • Include at least two adapters:

    1. An authenticating adapter to perform MFA.

    2. A device managing adapter, which must be a PingOne MFA IdP Adapter.

  • Invoke the authenticating adapter before the device managing adapter.

Supported adapter combinations

Use one of the following adapter combinations:

  1. Two PingOne MFA IdP Adapters (preferred combination):

    • Authenticating Adapter: The first PingOne MFA IdP Adapter. This adapter performs MFA using PingOne MFA.

    • Device Managing Adapter: The second PingOne MFA IdP Adapter. This adapter manages devices.

    No additional configuration is necessary. The MFA completion status is handled automatically.

  2. A built-in PingFederate adapter and a PingOne MFA IdP Adapter:

    • Authenticating Adapter: The built-in PingFederate adapter, which must perform MFA or another form of authentication that provides equivalent assurance.

      The built-in PingFederate adapter must include an extended contract attribute named pingone.mfa.status with a value of com.pingidentity.pingone.mfa_completed_externally.

    • Device Managing Adapter: The PingOne MFA IdP Adapter. This adapter uses the pingone.mfa.status attribute to verify that MFA was completed earlier in the flow.

  3. A custom adapter and a PingOne MFA IdP Adapter:

    • Authenticating Adapter: The custom adapter, which must perform MFA or another form of authentication that provides equivalent assurance.

      The custom adapter must set an attribute named pingone.mfa.status with a value of com.pingidentity.pingone.mfa_completed_externally.

    • Device Managing Adapter: The PingOne MFA IdP Adapter. This adapter uses the pingone.mfa.status attribute to verify that MFA was completed earlier in the flow.

Using both adapters within policy fragments

If either or both adapters are wrapped inside policy fragments that are used in the main authentication policy, make sure that the authentication policy contract (APC) used as the output of the fragment includes the pingone.mfa.status attribute.

This ensures that the pingone.mfa.status attribute propagates correctly throughout the fragment so the device managing adapter can access it for evaluation.
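The following is an added example, not PingFederate or PingOne code: a small checker that walks a constructed, simplified model of an authentication policy (an ordered adapter chain, plus the output APC of any fragment that wraps an adapter) and reports which of the requirements above it fails. The Adapter model and its field names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Values named on this page; the adapter type label is a constructed stand-in.
PINGONE_MFA_ADAPTER = "PingOne MFA IdP Adapter"
MFA_STATUS_ATTR = "pingone.mfa.status"
MFA_DONE_VALUE = "com.pingidentity.pingone.mfa_completed_externally"


@dataclass
class Adapter:
    """Simplified model (assumption) of one adapter instance in a policy chain."""
    name: str
    kind: str                                 # adapter type, e.g. "HTML Form" or PINGONE_MFA_ADAPTER
    attributes: Dict[str, str] = field(default_factory=dict)  # contract attributes it emits
    fragment_apc: Optional[Set[str]] = None   # output APC attributes if wrapped in a fragment


def check_device_management_policy(chain: List[Adapter]) -> List[str]:
    """Return the problems found; an empty list means the bypass requirements are met.

    chain is the invocation order, so chain[0] is the authenticating adapter and
    chain[-1] must be the device managing adapter.
    """
    if len(chain) < 2:
        return ["policy must invoke at least two adapters: authenticating, then device managing"]
    auth, device = chain[0], chain[-1]
    problems: List[str] = []
    if device.kind != PINGONE_MFA_ADAPTER:
        problems.append(f"device managing adapter '{device.name}' must be a {PINGONE_MFA_ADAPTER}")
    if auth.kind != PINGONE_MFA_ADAPTER:
        # Built-in or custom authenticating adapter: MFA completion must be asserted explicitly.
        value = auth.attributes.get(MFA_STATUS_ATTR)
        if value != MFA_DONE_VALUE:
            problems.append(
                f"'{auth.name}' must set {MFA_STATUS_ATTR}={MFA_DONE_VALUE} (found {value!r})")
    # Two PingOne MFA adapters need no attribute, but a fragment must still not drop it.
    for adapter in (auth, device):
        if adapter.fragment_apc is not None and MFA_STATUS_ATTR not in adapter.fragment_apc:
            problems.append(
                f"fragment wrapping '{adapter.name}' omits {MFA_STATUS_ATTR} from its output APC")
    return problems
```

Run the checker against each candidate chain before enabling the bypass field; any non-empty result points at the adapter or fragment contract that needs fixing.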