--- title: Remember Me authentication policy configuration examples description: Review use cases incorporating the Remember Me adapters into a PingFederate authentication policy. component: pingone page_id: pingone:pingone_mfa_integration_kit:pf-p1-mfa-ik-authn-policy-configs canonical_url: https://docs.pingidentity.com/integrations/pingone/pingone_mfa_integration_kit/pf-p1-mfa-ik-authn-policy-configs.html revdate: February 26, 2026 section_ids: best-practices: Best Practices single-mfa-adapter-flow-use-case-skip-1fa-and-mfa: Single MFA Adapter Flow Use Case (Skip 1FA and MFA) multiple-mfa-adapters-use-case-skip-1fa-and-mfa: Multiple MFA Adapters Use Case (Skip 1FA and MFA) force-1fa-use-case-skip-mfa-only: Force 1FA Use Case (Skip MFA Only) --- # Remember Me authentication policy configuration examples Review example use cases and best practices for adding the PingOne MFA Remember Me Verifier Adapter and PingOne MFA Remember Me Manager Adapter into a PingFederate authentication policy. ## Best Practices * The authentication policy's order of operation specifies which authentication steps to skip if the PingOne MFA Remember Me Verifier Adapter detects a trusted device. You can find specific examples in the following use cases. * Place the PingOne MFA Remember Me Manager Adapter at the end of the authentication flow, just before reaching any policy contracts, to make sure it can create Remember Me devices only after a successful authentication flow. * Failures in the PingOne MFA Remember Me Verifier Adapter and PingOne MFA Remember Me Manager Adapter should default back to the normal MFA flow. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can configure a Remember Me experience without including the PingOne MFA IdP Adapter in your authentication policy, but Ping Identity currently recommends including it to avoid unexpected behavior.To configure Remember Me without the PingOne MFA IdP Adapter, you must make sure the PingOne MFA Remember Me Verifier Adapter and PingOne MFA Remember Me Manager Adapter configurations use a **MFA Policy for Remember Me** that enables the ability to remember users during authentication. | ## Single MFA Adapter Flow Use Case (Skip 1FA and MFA) If the device is trusted, skip both the first and multi-factor authentication. This example uses the HTML Form Adapter as the first authentication factor, and the PingOne MFA IdP Adapter as the second authentication factor. > **Collapse: Policy structure** > > 1. In the PingFederate admin console, go to **Authentication > Policies > Policies**. > > 2. Select the **IdP Authentication Policies** checkbox. > > 3. Open an existing authentication policy, or click **Add Policy**. > > Learn more in [Defining authentication policies](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_defining_auth_policies.html) in the PingFederate documentation. > > 4. In the **Policy** section, in the **Select** list, select a PingOne MFA Remember Me Verifier Adapter instance. > > 5. Configure the authentication paths for the PingOne MFA Remember Me Verifier Adapter: > > 1. In the **Success** path, select the authentication policy contract to execute at the end of a successful MFA flow. > > This step allows the user to skip 1FA and MFA if their device is trusted. > > 2. In the **Fail** path, configure the first authenticator factor as the next step. > > 6. Configure the authenticator paths for the first authentication factor: > > 1. In the **Success** path, select a PingOne MFA IdP Adapter instance. > > 2. In the **Fail** path, select **Done**. > > 7. Configure the authenticator paths for the second authentication factor: > > 1. In the **Success** path, select a PingOne MFA Remember Me Manager Adapter instance. > > 2. In the **Fail** path, select **Done**. > > 8. Configure the authenticator paths for the PingOne MFA Remember Me Manager Adapter: > > 1. In the **Success** path, select the authentication policy contract to execute at the end of a successful MFA flow. > > 2. In the **Fail** path, select the authentication policy contract to execute at the end of a successful MFA flow. > > The failure result is the same as the success result in this step because the normal MFA flow should be followed if a device isn't going to be remembered. > > 9. Map the username to the PingOne MFA Remember Me Manager Adapter adapter from a previous adapter: > > 1. Under the PingOne MFA Remember Me Manager Adapter instance, click **Options**. > > 2. On the **Incoming User ID** page, in the **Source** list, select a previous adapter in the authentication flow that can pass the username value. > > 3. In the **Attribute** list, select **username**. > > 4. Select the **User ID Authenticated** checkbox. > > | | | > | - | ------------------------------------------------------------------------------------------------------------------------- | > | | The PingOne MFA Remember Me Manager Adapter doesn't work if it doesn't get the username value from the previous adapters. | > > 10. Click **Done**. ![Screen capture demonstrating an authentication policy flow that skips 1FA and MFA when using a single MFA adapter.](_images/skip-1fa-2fa.png) ## Multiple MFA Adapters Use Case (Skip 1FA and MFA) If the device is trusted, skip all authentication steps, even with multiple MFA adapters configured. This example uses the HTML Form Adapter as the first authentication factor, a PingOne MFA IdP Adapter instance as the second authentication factor, and another PingOne MFA IdP Adapter instance as the third authentication factor. > **Collapse: Policy structure** > > 1. In the PingFederate admin console, go to **Authentication > Policies > Policies**. > > 2. Select the **IdP Authentication Policies** checkbox. > > 3. Open an existing authentication policy, or click **Add Policy**. > > Learn more in [Defining authentication policies](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_defining_auth_policies.html) in the PingFederate documentation. > > 4. In the **Policy** section, in the **Select** list, select a PingOne MFA Remember Me Verifier Adapter instance. > > 5. Configure the authentication paths for the PingOne MFA Remember Me Verifier Adapter: > > 1. In the **Success** path, select the authentication policy contract to execute at the end of a successful MFA flow. > > This step allows the user to skip 1FA and MFA if their device is trusted. > > 2. In the **Fail** path, configure the first authenticator factor as the next step. > > 6. Configure the authenticator paths for the first authentication factor: > > 1. In the **Success** path, select the first PingOne MFA IdP Adapter instance. > > 2. In the **Fail** path, select **Done**. > > 7. Configure the authenticator paths for the second authentication factor: > > 1. In the **Success** path, select the second PingOne MFA IdP Adapter instance. > > 2. In the **Fail** path, select **Done**. > > 8. Configure the authenticator paths for the third authentication factor: > > 1. In the **Success** path, select a PingOne MFA Remember Me Manager Adapter instance. > > 2. In the **Fail** path, select **Done**. > > 9. Configure the authenticator paths for the PingOne MFA Remember Me Manager Adapter: > > 1. In the **Success** path, select the authentication policy contract to execute at the end of a successful MFA flow. > > 2. In the **Fail** path, select the authentication policy contract to execute at the end of a successful MFA flow. > > The failure result is the same as the success result in this step because the normal MFA flow should be followed if a device isn't going to be remembered. > > 10. Map the username to the PingOne MFA Remember Me Manager Adapter adapter from a previous adapter: > > 1. Under the PingOne MFA Remember Me Manager Adapter instance, click **Options**. > > 2. On the **Incoming User ID** page, in the **Source** list, select a previous adapter in the authentication flow that can pass the username value. > > 3. In the **Attribute** list, select **username**. > > 4. Select the **User ID Authenticated** checkbox. > > | | | > | - | ------------------------------------------------------------------------------------------------------------------------- | > | | The PingOne MFA Remember Me Manager Adapter doesn't work if it doesn't get the username value from the previous adapters. | > > 11. Click **Done**. ![Screen capture demonstrating an authentication policy flow that skips 1FA and MFA when using two MFA adapters.](_images/skip-1fa-2fa-3fa.png) ## Force 1FA Use Case (Skip MFA Only) If the device is trusted, always perform 1FA, but skip MFA. This example uses the HTML Form Adapter as the first authentication factor, and the PingOne MFA IdP Adapter as the second authentication factor. > **Collapse: Policy structure** > > 1. In the PingFederate admin console, go to **Authentication > Policies > Policies**. > > 2. Select the **IdP Authentication Policies** checkbox. > > 3. Open an existing authentication policy, or click **Add Policy**. > > Learn more in [Defining authentication policies](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_defining_auth_policies.html) in the PingFederate documentation. > > 4. In the **Policy** section, in the **Select** list, select an HTML Form Adapter instance. > > 5. Configure the authentication paths for the first authentication factor: > > 1. In the **Success** path, select a PingOne MFA Remember Me Verifier Adapter instance. > > 2. In the **Fail** path, select **Done**. > > 6. Configure the authenticator paths for the PingOne MFA Remember Me Verifier Adapter: > > 1. In the **Success** path, select the authentication policy contract to execute at the end of a successful MFA flow. > > This step allows the user to skip 1FA and MFA if their device is trusted. > > 2. In the **Fail** path, select a PingOne MFA IdP Adapter instance. > > 7. Configure the authenticator paths for the second authentication factor: > > 1. In the **Success** path, select a PingOne MFA Remember Me Manager Adapter instance. > > 2. In the **Fail** path, select **Done**. > > 8. Configure the authenticator paths for the PingOne MFA Remember Me Manager Adapter: > > 1. In the **Success** path, select the authentication policy contract to execute at the end of a successful MFA flow. > > 2. In the **Fail** path, select the authentication policy contract to execute at the end of a successful MFA flow. > > The failure result is the same as the success result in this step because the normal MFA flow should be followed if a device isn't going to be remembered. > > 9. Map the username to the Remember Me Verifier and Manager adapters from previous adapters: > > 1. Under the PingOne MFA Remember Me Verifier Adapter instance, click **Options**. > > 2. On the **Incoming User ID** page, in the **Source** list, select the first authentication factor. > > 3. In the **Attribute** list, select **username**. > > 4. Select the **User ID Authenticated** checkbox. > > 5. Repeat step 9 for the PingOne MFA Remember Me Manager Adapter, selecting any previous adapter in the authentication flow that can pass the username value. > > | | | > | - | ------------------------------------------------------------------------------------------------------------------------- | > | | The PingOne MFA Remember Me Manager Adapter doesn't work if it doesn't get the username value from the previous adapters. | > > 10. Click **Done**. ![Screen capture demonstrating an authentication policy flow that forces 1FA but skips MFA.](_images/force-1fa.png)