PingFederate Server

Client Initiated Backchannel Authentication (CIBA)

Client Initiated Backchannel Authentication is an extension to OpenID Connect that improves the end-user experience during authentication and authorization in a federated environment.

The CIBA extension defines a new OAuth grant type where user consent can be requested through an out-of-band flow. CIBA improves the user experience, such as when making an online purchase from a merchant, because it does not require a browser redirect to a financial institution to authorize the purchase. Instead, the user can receive a push notification sent to the financial institution’s native mobile app running on the user’s phone to complete the authorization. For more information, see openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html.

The PingOne MFA Integration Kit includes the PingOne MFA CIBA Authenticator, which works with PingFederate’s CIBA feature. For instructions on configuring the PingOne MFA CIBA Authenticator, see Configuring a CIBA authenticator instance.

A CIBA configuration consists of two components: a CIBA authenticator and a CIBA request policy.

CIBA authenticator

A CIBA authenticator is responsible for authenticating users through an out-of-band method.

You can use the PingFederate SDK to implement a custom solution. For more information, see the Javadoc for the OOBAuthPlugin interface, the SampleEmailAuthPlugin.java file for a sample implementation, and the SDK developer’s guide for build and deployment information.

Once deployed, you can create one or more instance configurations of the authenticator.

For more information, see Configuring a CIBA authenticator instance.

CIBA request policy

CIBA request policies process identity hints and authenticate users to obtain their consent. Each request policy is associated with an instance of a CIBA authenticator. The CIBA grant flow is initiated by a direct (backchannel) request from the client and involves an out-of-band interaction with the user to complete authentication and authorization. OAuth clients that support the CIBA grant type can be configured to use a specific CIBA request policy or the default policy.

For more information, see Defining a request policy.
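The grant flow described above (a direct client request, an out-of-band user interaction, then token issuance) is easier to reason about with both sides written out. The following is an added illustration, not PingFederate code or part of the PingOne MFA Integration Kit: a minimal in-process authorization server with a backchannel authentication endpoint and a token endpoint, a scripted stand-in for the user's push-notification device (the CIBA authenticator's role), and a poll-mode client. The grant_type URN and the error codes (authorization_pending, slow_down, expired_token, access_denied, unknown_user_id) come from the CIBA core specification linked earlier; the client id, user identifier, 120-second request lifetime and 5-second polling interval are constructed values chosen for the example.

```python
"""Simulated CIBA poll-mode exchange (constructed example, not PingFederate code):
an OAuth client, a minimal authorization server and a scripted out-of-band device,
all in one process driven by a fake clock so it runs instantly and offline."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CIBA_GRANT_TYPE = "urn:openid:params:grant-type:ciba"  # token-request grant_type defined by the CIBA spec


class FakeClock:
    """Deterministic clock; sleep() just advances time."""
    def __init__(self, start=1000.0):
        self.t = start
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


@dataclass
class PendingRequest:
    client_id: str
    login_hint: str
    created_at: float
    expires_in: int
    interval: int
    last_poll: float = 0.0
    decision: Optional[str] = None  # None until the user answers out-of-band, then "approved"/"denied"


class AuthorizationServer:
    """Stand-in for the OP's backchannel authentication and token endpoints (assumed behaviour)."""
    def __init__(self, known_users, now, notify: Optional[Callable] = None):
        self.known_users, self.now, self.notify = set(known_users), now, notify
        self.requests: Dict[str, PendingRequest] = {}

    def backchannel_authorize(self, client_id, login_hint, scope):
        # The identity hint names the user to contact; the request must carry the openid scope.
        if "openid" not in scope.split():
            return {"error": "invalid_scope"}
        if login_hint not in self.known_users:
            return {"error": "unknown_user_id"}
        auth_req_id = secrets.token_urlsafe(32)  # unguessable handle for this pending request
        self.requests[auth_req_id] = PendingRequest(client_id, login_hint, self.now(), expires_in=120, interval=5)
        if self.notify:  # hand the request to the out-of-band authenticator (push app, e-mail, ...)
            self.notify(auth_req_id, login_hint)
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 5}

    def out_of_band_decision(self, auth_req_id, approved):
        """Called by the CIBA authenticator with the user's answer."""
        self.requests[auth_req_id].decision = "approved" if approved else "denied"

    def token(self, client_id, grant_type, auth_req_id):
        if grant_type != CIBA_GRANT_TYPE:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(auth_req_id)
        if req is None or req.client_id != client_id:  # unknown, already redeemed, or another client's request
            return {"error": "invalid_grant"}
        now = self.now()
        if now - req.created_at > req.expires_in:
            del self.requests[auth_req_id]
            return {"error": "expired_token"}
        if now - req.last_poll < req.interval:  # polled faster than the advertised interval
            req.last_poll = now
            return {"error": "slow_down"}
        req.last_poll = now
        if req.decision is None:
            return {"error": "authorization_pending"}
        del self.requests[auth_req_id]  # an auth_req_id is redeemed at most once, whatever the outcome
        if req.decision == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 3600}


class PushDevice:
    """Scripted stand-in for the user's phone: answers the prompt after a fixed delay."""
    def __init__(self, clock, approve, answer_after):
        self.clock, self.approve, self.answer_after = clock, approve, answer_after
        self.server, self.pending = None, None
    def notify(self, auth_req_id, login_hint):
        self.pending = (auth_req_id, self.clock.now())
    def tick(self):
        if self.pending and self.clock.now() - self.pending[1] >= self.answer_after:
            self.server.out_of_band_decision(self.pending[0], self.approve)
            self.pending = None


def run_ciba_client(server, clock, client_id, login_hint, between_polls=lambda: None, max_polls=20):
    """Poll-mode client: one backchannel request, then token polls honouring interval and slow_down."""
    resp = server.backchannel_authorize(client_id, login_hint, "openid payments")
    if "error" in resp:
        return resp
    auth_req_id, interval = resp["auth_req_id"], resp["interval"]
    for _ in range(max_polls):
        clock.sleep(interval)
        between_polls()  # simulation hook: the user's device may answer here
        tok = server.token(client_id, CIBA_GRANT_TYPE, auth_req_id)
        err = tok.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5  # back off before polling again
            continue
        return tok
    return {"error": "client_gave_up"}


def simulate(approve, answer_after):
    """Run one complete exchange; returns the client's final response and the simulated seconds elapsed."""
    clock = FakeClock()
    device = PushDevice(clock, approve, answer_after)
    server = AuthorizationServer({"alice@example.com"}, now=clock.now, notify=device.notify)
    device.server = server
    result = run_ciba_client(server, clock, "merchant-app", "alice@example.com", between_polls=device.tick)
    return result, clock.now() - 1000.0


if __name__ == "__main__":
    print(simulate(True, 12))   # token after the third poll, 15 simulated seconds
    print(simulate(False, 12))  # {'error': 'access_denied'}
```

The server-side checks are the ones a request policy and authenticator have to get right regardless of product: the client polling must be bound to the client that opened the request, the auth_req_id must expire and be redeemable only once, and an unknown hint should not be answered differently from a pending one in any way that confirms account existence beyond what the spec already allows.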

Because the CIBA extension is an OAuth grant type, you enable CIBA for a client by selecting CIBA in the client's Allowed Grant Types setting. Once it is selected, the additional CIBA-related client settings become available for configuration.

For more information, see Configuring OAuth clients.