PingOne MFA IdP Adapter settings reference
Field descriptions for the PingOne MFA IdP Adapter configuration page.
Standard fields
| Field | Description |
|---|---|
PingOne Environment |
Select the PingOne connection that you created in PingOne MFA IdP Adapter settings reference. This field is blank by default. |
PingOne Population |
If a user does not already exist in PingOne, the adapter provisions the user to this PingOne population. Applies only when Provision Users is selected. This list is populated after you select the PingOne Environment. This field is blank by default. |
Application |
The PingOne application that you created in Creating a web or native OIDC application in PingOne. This list is populated after you select the PingOne Environment and PingOne Population. This field is blank by default. |
MFA Policy for Authentication |
Select the desired policy from the list. This field displays MFA policies created in PingOne. Defaults to Default, which uses the default MFA policy in PingOne. |
MFA Policy for Registration |
Select the PingOne MFA policy that you want to use for device pairing. |
MFA for Accessing from IP Out of Range |
Prompt the user for MFA if the request comes from an IP address outside of the specified range. Use CIDR notation to specify the IP address range. Multiple ranges must be separated by commas. |
MFA by User Population |
Prompt the user for MFA when a user is a member of any of the listed populations. Multiple populations must be separated by commas. |
MFA for User Attributes |
Specify the user attributes to be sent to PingOne as part of the authentication context. These attributes can be referenced within PingOne policies to determine when MFA is required. |
Advanced fields
| Field | Description | ||
|---|---|---|---|
Notification Template Variant Override |
Overrides the notification template variant that the adapter sends to PingOne for authentication and transaction approval flows. |
||
Test Username |
The PingOne username that the adapter uses to test the PingOne MFA connection on the Actions tab. Enter the username for a user that has a paired device and MFA enabled in PingOne. This field is blank by default. |
||
HTML Template Prefix |
Identifies the set of HTML templates that the adapter uses. The default value is |
||
Messages Files |
Identifies the customizable language-pack file that the adapter uses. The default value is |
||
Prompt Users to Set Up MFA |
Determines whether users with no authentication methods are prompted to add one. |
||
Allow Users to Skip MFA Setup |
Determines whether the MFA setup prompt includes a Skip option. |
||
Allow Users to Manage Authentication Methods |
Determines whether users can add another authentication method, set an existing one as the default, or remove or rename an existing one during sign-on. |
||
Allow Users to Perform Multiple Device Management Operations Consecutively |
Select this checkbox to allow users to perform multiple device management actions without being redirected. |
||
Provision Users |
If a user does not already exist in PingOne, the adapter provisions the user to PingOne. |
||
Provision Authentication Methods |
Determines whether the adapter adds authentication methods based on the user’s attribute values. |
||
Update Authentication Methods |
This setting allows the adapter to automatically add new authentication methods for existing users. |
||
Overwrite Authentication Methods Configurations |
If the adapter identifies new values for SMS, voice, WhatsApp, or email devices, this setting determines whether the adapter replaces the existing methods. |
||
Allow only predefined values for phone or email devices |
This option allows you to limit the values to the email addresses and phone numbers stored for the user. |
||
Enable Cookie Based Tracking |
When selected, the adapter tracks a previously authenticated device in a cookie. |
||
Use Password Config Attribute |
Adds a Use Password button to the device selection screen. |
||
Bypass MFA For Device Management Attribute |
Enter the name of the attribute that controls whether users can bypass MFA when accessing the Device Management page. |
||
Username Attribute |
Determines the username for users provisioned to PingOne. |
||
SMS Attribute |
The attribute name used for SMS provisioning. Default value is |
||
Voice Attribute |
The attribute name used for Voice provisioning. Default value is |
||
Email Attribute |
The attribute name used for Email provisioning. Default value is |
||
WhatsApp Attribute |
The attribute name used for WhatsApp provisioning. Default value is |
||
Default Authentication Method for Provisioned Users |
Sets the default method for new users. Default selection is |
||
User Not Found Failure Mode |
Determines whether the adapter blocks the user’s sign-on attempt when a user error occurs in PingOne. In version 4.0, this setting only covers: User does not exist. |
||
No Devices Failure Mode |
Determines whether the adapter blocks the user’s sign-on attempt or bypasses MFA authentication when the user has no usable MFA devices (no devices enrolled, or all enrolled devices are disabled in the active MFA policy) and 'Prompt Users to Set Up MFA' is not enabled.
|
||
Service Unavailable Failure Mode |
When PingOne doesn’t respond, determines how the adapter handles the sign-on attempt (Bypass or Block). |
||
Change Authentication Method |
Determines whether the adapter shows a "back" button to select a different method. Columns:
If using MFA by User Population or MFA for User Attributes, set this to Deny. |
||
Show Success Screens |
Determines whether the adapter shows a success page. |
||
Show Error Screens |
Determines whether the adapter shows an error page. |
||
Show Timeout Screens |
Determines whether the adapter shows a "timed out" page. |
||
Enable Audit Log |
When selected, the adapter logs browser and authentication details in the audit log. |
||
Display One Time Devices |
Select this checkbox to display any available one-time devices on the Device Selection page alongside paired devices. |