PingOne

Remembered devices setup

Configure the ability to create and verify a remembered device based on the user’s accessing browser after they complete a successful MFA attempt. This enables users to skip authentication steps during future attempts if they access applications from the same computer and browser.

Remember Me capabilities include:

  • Allowing users to select whether their accessing browser should be remembered for future authentication attempts.

    To maintain security, Remember Me functionality should only be used on private devices or browsers. Make sure the Remember Me template warns users not to enable this feature on a public or shared device.

  • Specifying which authentication steps users with remembered devices can skip.

  • Configuring how long devices are remembered for.

    This setting is accessible in the PingOne MFA policy.

  • Invalidating trusted devices after performing single logout (SLO), but not after closing the browser.

    Device trust is tied to PingOne; it isn’t stored locally.

The Remember Me experience isn’t compatible with the pf-js-widget.

Components

PingOne MFA Remember Me Verifier Adapter

(Included in the pf-pingone-mfa-adapter-<version>.jar file)

  • Calls the Check Remember Me Device PingOne API to verify if the sign-on device is trusted.

  • Handles cleanup after SLO, deleting the remembered device in PingOne and deleting any set cookies.

Possible outcomes
Status

SUCCESS or FAILURE.

AttributeMap

username (only if the status is SUCCESS).

PingOne MFA Remember Me Manager Adapter

(Included in the pf-pingone-mfa-adapter-<version>.jar file)

  • Asks for the user’s consent in a new page (Remember This Device?) or state (REMEMBER_ME_USER_CONSENT_REQUIRED).

  • Calls the Create Remember Me Device PingOne API to register the device, if the user gives consent and completes the full authentication flow successfully.

  • Sets cookies.

Possible outcomes
Status

SUCCESS or FAILURE.

AttributeMap

username and pingone.mfa.remember.me.device.creation.status (only if the status is SUCCESS).

Possible pingone.mfa.remember.me.device.creation.status values
  • com.pingidentity.pingone.device_not_created_user_declined: Set if a user clicked Don’t Remember when prompted to allow the adapter to remember their device.

  • com.pingidentity.pingone.device_created: Set if the user clicked Remember Device when prompted to allow the adapter to remember their device, and completed the full MFA flow successfully.

  • com.pingidentity.pingone.device_not_created_user_opted_do_not_ask_again: Set if a user clicked Don’t ask again on this device when prompted to allow the adapter to remember their device.

  • com.pingidentity.pingone.device_not_created_mfa_not_completed: Set if the user clicked Remember Device when prompted to allow the adapter to remember their device, but didn’t complete the full MFA flow. For example, if the user bypassed MFA.

  • com.pingidentity.pingone.device_not_created_policy_disallows_remember_me: Set if the user clicked Remember Device when prompted to allow the adapter to remember their device, but Remember Me isn’t configured in the PingOne MFA policy.

Set-Cookie header
Cookie details
  • pf_remembermeadapter_rememberme_token: A persistent cookie that contains a remember me token, and is set after remembered device creation. This cookie preserves the remembered device cookie and includes it in requests made to the PingOne API when verifying if the user is on a remembered device. Persists until SLO is performed or the browser deletes the cookie because of max-age expiry.

  • pf_remembermeadapter_remembered_subject: A persistent cookie that contains a base64-encoded username associated with the current browser, and is set after remembered device creation. This cookie preserves the username associated with the current browser and includes it in requests made to the PingOne API when verifying if the user is on a remembered device. Persists until SLO is performed or the browser deletes the cookie because of max-age expiry.

    This cookie is always set, but it’s used only when the incoming chained attributes don’t include a username already.

  • pf_remembermeadapter_user_consent_donotaskagain: A persistent cookie that contains a flag indicating the user’s choice on the don’t show again option included in the user consent template, and is set after the user chooses Don’t ask again on this device on the user consent page. Persists for one year.
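The following Python check is an added example, not part of the PingOne documentation or the adapter's code. It audits Set-Cookie headers from a test sign-on against the cookie behavior described above. The header values are constructed samples, `audit_set_cookie` is a hypothetical helper name, and the Secure and HttpOnly expectations are an assumed hardening baseline, because this page doesn't state which attributes the adapter sets.

```python
import base64
from http.cookies import SimpleCookie

# The cookie names come from the page; everything else here is an assumption.
PREFIX = "pf_remembermeadapter_"
ONE_YEAR = 365 * 24 * 3600

SAMPLE_HEADERS = [  # constructed values, not captured from a real deployment
    PREFIX + "rememberme_token=PLACEHOLDER_TOKEN; Max-Age=2592000; Path=/; Secure; HttpOnly",
    PREFIX + "remembered_subject=amRvZTAx; Max-Age=2592000; Path=/; Secure",
    PREFIX + "user_consent_donotaskagain=true; Max-Age=31536000; Path=/; Secure; HttpOnly",
]

def audit_set_cookie(header_values):
    """Return (cookie_name, finding) tuples for the Remember Me cookies."""
    findings = []
    for value in header_values:
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            if not name.startswith(PREFIX):
                continue
            # The page describes all three cookies as persistent.
            if not morsel["max-age"] and not morsel["expires"]:
                findings.append((name, "session cookie, expected persistent"))
            # Assumed baseline: transport-only and not readable by page scripts.
            for flag in ("secure", "httponly"):
                if not morsel[flag]:
                    findings.append((name, "missing " + flag))
            # The consent cookie is documented to persist for one year.
            if name.endswith("user_consent_donotaskagain") and morsel["max-age"]:
                if int(morsel["max-age"]) > ONE_YEAR:
                    findings.append((name, "lifetime exceeds one year"))
            # base64 is an encoding, not encryption: anything that can read
            # the cookie jar can recover the username.
            if name.endswith("remembered_subject"):
                padded = morsel.value + "=" * (-len(morsel.value) % 4)
                user = base64.b64decode(padded).decode("utf-8")
                findings.append((name, "username recoverable: " + user))
    return findings

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        print(finding)
```
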

Sample .html spinner template
  • Generates and submits the signals-sdk payload that’s necessary to submit in the request body to call the PingOne APIs.

  • The PingOne MFA Remember Me Verifier Adapter and PingOne MFA Remember Me Manager Adapter display this spinner whenever they make a call to the PingOne APIs, unless the user clicked Don’t Remember or Don’t ask again on this device when prompted to allow the adapter to remember their device.

How the remembered devices flow works

  • The PingOne MFA Remember Me Manager Adapter creates remembered devices after a successful UI or PingFederate Authentication API authentication flow is complete, and only if the user opts in.

    To maintain security, Remember Me functionality should only be used on private devices or browsers. Make sure the Remember Me template warns users not to enable this feature on a public or shared device.

    If MFA is bypassed or can’t be completed, the PingOne MFA Remember Me Manager Adapter skips remembered device creation.

  • On future authentication attempts, if the PingOne MFA Remember Me Verifier Adapter confirms that the device is trusted, the user bypasses any following authentication steps. You can specify which steps to bypass in your PingFederate authentication policy configuration.

  • On SLO, the system clears trusted devices.

Setting up a remembered devices flow

  1. Deploy PingOne MFA Integration Kit 3.2 or later.

  2. Configure Remember Me adapter instances.

  3. Arrange the PingFederate authentication policy.

  4. Review methods of handling user consent for Remember Me device creation.

  5. If using the PingFederate Authentication API, prepare the signals-sdk to generate browser fingerprints.

    Additionally, review the following entries in Models, objects, and error codes.

    States

    EVALUATE_REMEMBER_ME_DEVICE, REMEMBER_ME_USER_CONSENT_REQUIRED, and MANAGE_REMEMBER_ME_DEVICE.

    Actions

    submitRememberMeUserConsent and submitDeviceInformation.

    Objects

    SubmitRememberMeUserConsentRequest and SubmitDeviceInformationRequest.

    Errors

    BROWSER_FINGERPRINT_REQUIRED.

  6. Ensure state synchronization across nodes in clustered PingFederate deployments.