Authorization flow
When using the PingOne MFA IdP Adapter through the PingFederate authentication application programming interface (API), the following flow is used for requesting authorization using a push notification to the user’s paired mobile app.
Authorization via the mobile app
- The user completes first-factor authentication. Completion of first-factor authentication is a prerequisite before progressing to multi-factor authentication (MFA), when using the PingOne MFA IdP Adapter with the PingFederate Authentication API flow.
- The status of AUTHENTICATION_REQUIRED is returned in the response to the Mobile app (API client).
- The Mobile app (API client) gets a mobile payload from the mobile SDK.
- The Mobile app (API client) invokes the authenticate action, using the mobile payload.
- The status of PUSH_CONFIRMATION_WAITING together with the selectedDeviceRef object are returned in the response to the Mobile app (API client).
- The Mobile app (API client) invokes the poll action, so that PingFederate gets the status of the mobile push. This is repeated until either a successful status is received or a timeout is reached.
- The status of MFA_COMPLETED together with the device_authorized code are returned in the response to the Mobile app (API client).
- The Mobile app (API client) invokes the continueAuthentication action. The Mobile app (API client) must call continueAuthentication in order to progress in the OIDC flow, and to complete it.
- PingFederate returns an access token to the Mobile app (API client).
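
The following is an added example, not code from the PingFederate documentation or from Ping Identity: a client-side driver for the steps above that aborts on any unexpected status and bounds the poll loop with a timeout. The send_action transport, the "status" response key, the "mobilePayload" body key and the FakeFlow server stand-in are assumptions of the example.

```python
import time

class MfaFlowError(Exception):
    """Raised when the flow returns a status this step does not expect."""

def _expect(resp, status):
    # Fail closed: any status other than the expected one aborts the flow.
    got = resp.get("status")
    if got != status:
        raise MfaFlowError(f"expected {status}, got {got!r}")

def run_push_mfa(send_action, first_response, mobile_payload, timeout_s=60.0,
                 interval_s=2.0, clock=time.monotonic, sleep=time.sleep):
    """Drive the flow after first-factor authentication.
    send_action(action, body) -> dict is a hypothetical transport that
    posts one action to the current flow and returns the parsed response."""
    _expect(first_response, "AUTHENTICATION_REQUIRED")
    # The "mobilePayload" body key is an assumption of this example.
    resp = send_action("authenticate", {"mobilePayload": mobile_payload})
    _expect(resp, "PUSH_CONFIRMATION_WAITING")
    deadline = clock() + timeout_s
    while True:
        resp = send_action("poll", {})
        if resp.get("status") == "MFA_COMPLETED":
            break
        # "Still waiting" is the only other status allowed to keep polling.
        _expect(resp, "PUSH_CONFIRMATION_WAITING")
        if clock() >= deadline:
            raise MfaFlowError("push confirmation timed out")
        sleep(interval_s)
    # Reached only after MFA_COMPLETED; needed to complete the OIDC flow.
    return send_action("continueAuthentication", {})

class FakeFlow:
    """Constructed stand-in for the server side, for offline runs only."""
    def __init__(self, waits, final="MFA_COMPLETED"):
        self.waits, self.final, self.calls = waits, final, []

    def __call__(self, action, body):
        self.calls.append(action)
        if action == "authenticate":
            return {"status": "PUSH_CONFIRMATION_WAITING"}
        if action == "poll":
            self.waits -= 1
            done = self.waits < 0
            return {"status": self.final if done else "PUSH_CONFIRMATION_WAITING"}
        return {"status": "constructed-final-response"}
```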