PingOne

Adding PingOne MFA to your authentication policy

By modifying your PingFederate authentication policy to include the PingOne MFA IdP Adapter, you can challenge users to complete a multi-factor authentication (MFA) step.

About this task

These steps are designed to help you add to an existing authentication policy. For general information about configuring authentication policies, see Authentication policies in the PingFederate documentation.

Steps

  1. In the PingFederate administrative console, go to the Policies tab.

    Choose from:

    • For PingFederate 10.1 or later: go to Authentication > Policies > Policies.

    • For PingFederate 10.0 or earlier: go to Identity Provider > Authentication Policies > Policies.

  2. Select the IdP Authentication Policies checkbox.

  3. Open an existing authentication policy, or click Add Policy.

    See Defining authentication policies in the PingFederate documentation.

  4. In the Policy area, from the Select list, select a PingOne MFA IdP Adapter instance.

    Adding the to the authentication policy

  5. Map the PingOne user ID or username into the PingOne MFA IdP Adapter instance.

    Passing the user ID from the first-factor authentication adapter to the

    1. Under the PingOne MFA IdP Adapter instance, click Options.

    2. On the Options dialog, from the Source list, select a previous authentication source that collects the PingOne user ID or username.

      If you left the Username Attribute field blank in your PingOne MFA IdP Adapter configuration, the adapter also uses this value as the username when provisioning new users to PingOne.

    3. From the Attribute list, select the user ID. Click Done.

    4. Optional: Select the User ID Authenticated check box.

      The User ID Authenticated check box indicates whether the mapped user ID has been authenticated by the authentication source and therefore can be trusted by the current adapter. Device management options are limited if the user is not authenticated.

  6. Optional: Define policy paths based on the pingone.mfa.status or pingone.mfa.status.reason attributes.

    Branching the authentication policy based on the pingone.mfa.status attribute.

    1. Under the PingOne MFA IdP Adapter instance, click Rules.

    2. On the Rules dialog, in the Attribute Name list, select pingone.mfa.status or pingone.mfa.status.reason.

    3. In the Condition list, select equal to.

    4. In the Value field, enter a value from PingOne MFA status attributes reference.

    5. In the Result field, enter a name. This appears as a new policy path that branches from the authentication source.

    6. If you want to add more authentication paths, click Add and repeat steps a-e.

    7. Click Done.

  7. Configure each of the authentication paths.

    The complete authentication policy

  8. Click Done.

  9. Configure tracked HTTP parameters:

    1. On the Tracked HTTP Parameters tab, in the Parameter Name field, enter the name of the parameter that you want to track.

      For example:

      • To enable automatic device pairing, enter mobilePayoad.

      • To configure the PingOne MFA IdP Adapter to support the prompt parameter, enter prompt.

    2. Click Add.

    3. Click Save.

    4. Repeat the previous steps for any other parameters that you want to add.