PingOne

Authentication flows

When using the PingOne MFA IdP Adapter through the PingFederate authentication API, the following flows are used for multi-factor authentication (MFA) requests. These are initiated in the web browser.

MFA via email

A flow diagram showing authentication via an email OTP
  1. The user completes first-factor authentication. Completion of first-factor authentication is a prerequisite before progressing to MFA, when using the PingOne MFA IdP Adapter with the PingFederate Authentication API flow.

  2. The status of AUTHENTICATION_REQUIRED is returned in the response to the API client.

  3. The API client invokes the authenticate action.

  4. The status of DEVICE_SELECTION_REQUIRED is returned with the devices object in the response to the API client.

  5. The API client invokes the selectDevice action and specifies the device ID of the device to use for multi-factor authentication.

  6. The status of OTP_REQUIRED, together with the devices and selectedDeviceRef objects, is returned in the response to the API client. In parallel, the user receives an email containing the OTP for authentication.

  7. After the user has entered the OTP, the API client invokes the checkOtp action, submitting the OTP value to PingFederate.

  8. On successful completion of MFA, PingFederate returns the status of MFA_COMPLETED to the API client.

  9. The API client invokes the continueAuthentication action. The API client must call continueAuthentication in order to progress in the OIDC flow, and to complete it.

  10. PingFederate returns a single sign-on (SSO) ID token and access token to the API client.

MFA via the mobile app

A flow diagram showing authentication via a mobile application
  1. The user completes first-factor authentication. Completion of first-factor authentication is a prerequisite before progressing to MFA, when using the PingOne MFA IdP Adapter with the PingFederate Authentication API flow.

  2. The status of AUTHENTICATION_REQUIRED is returned in the response to the API client.

  3. The API client invokes the authenticate action.

  4. The status of DEVICE_SELECTION_REQUIRED is returned with the devices object in the response to the API client.

  5. The API client invokes the selectDevice action and specifies the device ID of the device to use for multi-factor authentication.

  6. The status of PUSH_CONFIRMATION_WAITING, together with the devices and selectedDeviceRef objects, is returned in the response to the API client.

  7. The API client invokes the poll action, so that PingFederate gets the status of the mobile push. This is repeated until either a successful status is received or a timeout is reached.

  8. One of the following alternative statuses is reached:

    • MFA_COMPLETED:

      • The user receives a push notification and approves the authentication.

      • The API client invokes the continueAuthentication action. The API client must call continueAuthentication in order to progress in the OIDC flow, and to complete it.

      • PingFederate returns an access token for SSO to the API client.

    • PUSH_CONFIRMATION_TIMED_OUT:

      • The device was not reachable.

      • There are three options available via the API client:

        • Retry by calling selectDevice with the deviceRef object.

        • Select a different device by calling selectDevice with a different deviceRef object.

        • Cancel the authentication request by calling cancelAuthentication.

    • PUSH_CONFIRMATION_REJECTED:

      • The user receives a push notification, but denies it.

      • There are three options available via the API client:

        • Retry by calling selectDevice with the deviceRef object.

        • Select a different device by calling selectDevice with a different deviceRef object.

        • Cancel the authentication request by calling cancelAuthentication.
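The two flows above are one status machine driven by the API client. The following is an added example (not PingFederate or Ping Identity code) of a client-side driver that walks that machine for both the email OTP and the mobile push case, retrying a timed-out push once and cancelling on an explicit denial. It assumes a caller-supplied `invoke(action, payload)` transport; the payload shapes and the `scripted_invoke` fake are constructed for illustration, not the documented wire format.

```python
# Added example; not PingFederate or Ping Identity code. `invoke(action, payload)` is an
# assumed caller-supplied transport that submits the named action to the Authentication
# API flow and returns the parsed JSON response. Payload shapes are assumptions.

def drive_mfa(invoke, choose_device, get_otp, max_retries=1):
    """Advance an MFA flow from AUTHENTICATION_REQUIRED until tokens are issued or
    the flow is cancelled. Returns (outcome, final_response, actions_invoked)."""
    actions, retries, last_ref = [], 0, None

    def step(action, payload=None):
        actions.append(action)
        return invoke(action, payload or {})

    resp = {"status": "AUTHENTICATION_REQUIRED"}  # state after first-factor login
    while True:
        status = resp.get("status")
        if status == "AUTHENTICATION_REQUIRED":
            resp = step("authenticate")
        elif status == "DEVICE_SELECTION_REQUIRED":
            last_ref = {"id": choose_device(resp["devices"])}
            resp = step("selectDevice", {"deviceRef": last_ref})
        elif status == "OTP_REQUIRED":
            resp = step("checkOtp", {"otp": get_otp()})
        elif status == "PUSH_CONFIRMATION_WAITING":
            resp = step("poll")  # PingFederate reports the timeout itself
        elif status == "PUSH_CONFIRMATION_TIMED_OUT" and retries < max_retries:
            retries += 1  # unreachable device: retry the same deviceRef once
            resp = step("selectDevice", {"deviceRef": last_ref})
        elif status in ("PUSH_CONFIRMATION_TIMED_OUT", "PUSH_CONFIRMATION_REJECTED"):
            # Retries exhausted, or the user explicitly denied the push: cancel
            # rather than re-prompt, so a denial is final.
            resp = step("cancelAuthentication")
            return ("CANCELLED", resp, actions)
        elif status == "MFA_COMPLETED":
            resp = step("continueAuthentication")  # required to finish the OIDC flow
            return ("COMPLETED", resp, actions)
        else:
            resp = step("cancelAuthentication")  # unknown state: fail closed
            return ("FAILED", resp, actions)


def scripted_invoke(script):
    """Constructed fake transport: returns canned responses in order and checks
    that the driver invoked the action the script expected."""
    def invoke(action, payload):
        expected, response = script.pop(0)
        if action != expected:
            raise AssertionError(f"expected {expected}, driver sent {action}")
        return response
    return invoke
```

Because every transition is table-driven, the same driver can be run against a scripted transport in tests to confirm that a timed-out push is retried at most once and a rejected push is never re-prompted.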