PingOne

Authorization flow

When using the PingOne MFA IdP Adapter through the PingFederate authentication application programming interface (API), the following flow is used for requesting authorization using a push notification to the user’s paired mobile app.

Authorization via the mobile app

A flow diagram showing the authorization process

  1. The user completes first-factor authentication. Completion of first-factor authentication is a prerequisite before progressing to multi-factor authentication (MFA), when using the PingOne MFA IdP Adapter with the PingFederate Authentication API flow.

  2. The status of AUTHENTICATION_REQUIRED is returned in the response to the Mobile app (API client).

  3. The Mobile app (API client) gets a mobile payload from the mobile SDK.

  4. The Mobile app (API client) invokes the authenticate action, using the mobile payload.

  5. The status of PUSH_CONFIRMATION_WAITING together with the selectedDeviceRef object are returned in the response to the Mobile app (API client).

  6. The Mobile app (API client) invokes the poll action, so that PingFederate gets the status of the mobile push. This is repeated until either a successful status is received or a timeout is reached.

  7. The status of MFA_COMPLETED together with the device_authorized code are returned in the response to the Mobile app (API client).

  8. The Mobile app (API client) invokes the continueAuthentication action. The Mobile app (API client) must call continueAuthentication in order to progress in the OIDC flow, and to complete it.

  9. PingFederate returns an access token to the Mobile app (API client).