Known issues and limitations
The following are known issues or limitations for the PingOne MFA Integration Kit.
Known limitations
-
The PingOne MFA IdP Adapter only supports automatic device enrollment for SMS, voice, and email authentication methods. Users can add other authentication methods directly through the PingOne MFA self-service URL. Learn more in Self service and Managing authentication methods in the PingOne MFA documentation.
-
To use a localized version of the adapter messages file, a copy of the core PingFederate messages file must exist with the same language tag. For example, to allow
pingone-mfa-messages_fr.properties
to work, createpingfederate-messages_fr.properties
. -
As a security measure, if the user initiates a password reset flow and multi-factor authentication (MFA) is not satisfied, the PingOne MFA IdP Adapter fails. For example, this applies when the user clicks the password reset link on the HTML Form Adapter and the PingOne authentication policy dictates that MFA is bypassed for the user.
-
For the Default Authentication Method Type setting: if a user has existing authentication methods, but no default is set, the adapter does not set a default authentication method. This scenario can occur if the user was created before PingOne supported default authentication methods.
-
The PingOne MFA IdP Adapter only adds authentication methods to PingOne. If you want to synchronize authentication methods and other user attributes, use the PingOne Connector provided in the PingOne Integration Kit.
-
When authenticating or registering through the PingOne MFA IdP Adapter in PingFederate, the adapter creates a session for the user in PingOne. The User-Agent is not passed to PingOne so the session shows Unknown for the Application and Device fields.