PingOne MFA Integration Kit 2.4 (August 2024)
Use basic velocity template variables in the PingOne MFA templates
New P14C-57293
Made basic variables that are available in most PingFederate HTML templates available in the PingOne MFA templates.
Pair and authenticate a test device
New P14C-58742
Added the ability to pair a test device when adding a multi-factor authentication method and authenticating with it. A test device causes an OTP to be returned directly in the OTP_REQUIRED response.
Test devices are supported only when initiating an OpenID Connect (OIDC) flow in the authentication API.
To pair and authenticate with a test device, you must:
- Add the pi.testDevice parameter to the OIDC request with a value of allow.
- Sign the request object with your OIDC client credentials.
- When submitting the device target in the authentication API request, add the testMode field to the request with a value of true.
  This applies to the following action models: submitEmailTarget, submitSmsTarget, or submitVoiceTarget. Learn more in Models, objects, and error codes.
Use dynamic linking to give a unique identifier to a FIDO authentication attempt
New P14C-58753
Added the ability to use a custom challenge when authenticating with FIDO (webAuthn) devices. This enables you to attach meaningful information to the authentication of a FIDO device.
To provide a custom challenge for FIDO authentication, you must:
- Add the pi.webAuthn.challenge parameter to the OIDC request with the custom challenge as the value.
- Sign the request object with your OIDC client credentials.
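The two procedures above (test device and custom FIDO challenge) both end in a signed OIDC request object. The sketch below is an added example, not code from the release notes or from Ping Identity. It assumes HS256 signing with the client secret (your client may use an asymmetric key instead), a minimal claim set, a hash-based challenge derivation, and constructed client, secret, and URL values.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode())

def transaction_challenge(details: dict, nonce: bytes) -> str:
    # Assumed derivation (not from the release notes): hash a per-attempt nonce
    # with the canonical transaction details so the challenge identifies them.
    canonical = json.dumps(details, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(nonce + canonical).digest())

def build_request_object(client_id, client_secret, audience, pi_params, now=None):
    # pi_params carries the kit's parameters, e.g. {"pi.testDevice": "allow"}.
    now = int(time.time()) if now is None else now
    claims = {"iss": client_id, "aud": audience, "client_id": client_id,
              "response_type": "code", "scope": "openid",
              "iat": now, "exp": now + 300, **pi_params}
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(claims)
    mac = hmac.new(client_secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def verify_request_object(token: str, client_secret: bytes) -> dict:
    # Receiver-side check: recompute the MAC before trusting any pi.* claim.
    signing_input, _, sig = token.rpartition(".")
    mac = hmac.new(client_secret, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(mac), sig):
        raise ValueError("request object signature mismatch")
    payload = signing_input.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

SECRET = b"constructed-client-secret"   # constructed sample value
AUD = "https://sso.example.com"         # placeholder issuer URL
CLIENT = "example-client"               # constructed client ID

# Request object that asks for a test device.
test_req = build_request_object(CLIENT, SECRET, AUD, {"pi.testDevice": "allow"})

# Request object that carries a custom FIDO challenge tied to one transaction.
challenge = transaction_challenge({"payee": "ACME", "amount": "125.00"}, b"nonce-0001")
fido_req = build_request_object(CLIENT, SECRET, AUD, {"pi.webAuthn.challenge": challenge})
```

Because the pi.* values sit inside the signed payload, changing either one after signing makes verification fail.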
Rename device during pairing
Improved P14C-52773
Added the ability to give a device a unique nickname during device pairing:
- Use the PingOne administrative console to configure this setting in the PingOne MFA policy.
- After you configure the ability to rename devices, users will be presented with a new screen before authentication ends. The user can either enter a nickname and click Done to complete the process, or click Skip if they do not want to give the device a nickname.
- If you are using the authentication API, a new state (UPDATE_NICKNAME) and two new actions (updateDeviceNickname and skipUpdateDeviceNickname) are available. Learn more in Models, objects, and error codes.
View remaining OTP attempts in HTML templates and authentication API responses
Improved P14C-57444
Added the ability to view the number of one-time passcode (OTP) attempts remaining after entering an invalid OTP.
- In authentication API responses, the attemptsRemaining field displays this information.
- In HTML templates that require an OTP, the following error message appears:
  This passcode is invalid or has expired. You have <number_of_attempts> attempts remaining.
Bypass MFA for device management operations
Improved P14C-60088
Added the ability to bypass MFA when performing device management operations. Use this attribute with caution if you have only one adapter in the authentication policy, because it then bypasses MFA in the authentication flow entirely and can lead to a security breach.
Additionally, the Bypass MFA For Device Pairing Attribute field is now the Bypass MFA For Device Management Attribute field.
Learn more in the PingOne MFA IdP Adapter settings reference.
Overwrite only specific authentication methods
Improved P14C-62072
Added the ability to overwrite only the devices that share a device type with a newly provided device if the adapter identifies new values for SMS, voice or email devices via Update Authentication Methods.
Additionally, the Overwrite Authentication Methods checkbox is now the Overwrite Authentication Methods Configurations list.
There are three Overwrite Authentication Methods Configurations settings:
- None (default)
- All (SMS, Voice, and Email)
- Specific Methods
Learn more in the PingOne MFA IdP Adapter settings reference.
Fixed default method persistence
Fixed P14C-55013
Fixed an issue that caused Overwrite Authentication Methods (now Overwrite Authentication Methods Configurations) to change the default device designation. This was applicable when a new device of the same type as the default device was provided, and the default device was overwritten.
Fixed empty device nickname issue
Fixed P14C-58407
Fixed an issue that caused devices to save with an empty nickname instead of reverting to the default device name. This was applicable in configurations where Allow Users to Manage Authentication Methods was selected, if a user clicked Edit Name but cleared the field.
Fixed an issue with FIDO usernameless authentication flow ignoring the PingOne authentication policy
Fixed P14C-60584
Fixed an issue that caused the adapter to always use the default multi-factor authentication (MFA) policy in FIDO usernameless authentication flow instead of the PingOne MFA policy configured in the PingOne Authentication Policy field.
Fixed device registration limit issue with MFA bypass in the authentication API
Fixed P14C-61122
Fixed an issue that caused users who had already exceeded the device registration limit to proceed several steps into device registration flow before the flow failed instead of presenting the MAXIMUM_ALLOWED_METHODS_LIMIT error message at the beginning of the flow. This issue was relevant to configurations that had the Bypass MFA for Device Pairing Attribute checkbox (now Bypass MFA For Device Management Attribute) selected.