PingFederate Server

Client Initiated Backchannel Authentication (CIBA)

Client-initiated backchannel authentication (CIBA) is an extension to OpenID Connect (OIDC) that improves the end-user experience during authentication and authorization in a federated environment.

The CIBA extension defines a new OAuth grant type where user consent can be requested through an out-of-band flow. CIBA improves user experiences, such as making an online purchase from a merchant, because it doesn’t require a browser redirect to a financial institution to authorize the purchase. Instead, the user can receive a push notification sent to the financial institution’s native mobile app running on the user’s phone to complete the authorization. Learn more in the OIDC CIBA specifications.

The PingOne MFA Integration Kit includes the PingOne MFA CIBA Authenticator, which works with PingFederate’s CIBA feature. Find instructions on configuring the PingOne MFA CIBA Authenticator in Configuring a CIBA authenticator instance in the Integrations documentation.

A CIBA configuration consists of two components: a CIBA authenticator and a CIBA request policy.

CIBA authenticator

A CIBA authenticator is responsible for authenticating users through an out-of-band method.

You can use the PingFederate SDK to implement a custom solution. Learn more about building and deploying a solution in the Javadoc for the OOBAuthPlugin interface, the SampleEmailAuthPlugin.java file for a sample implementation, and the SDK developer’s guide.

After deploying a solution, you can create one or more instance configurations of the authenticator.

CIBA request policy

CIBA request policies process identity hints and authenticate users to obtain their consent. Each request policy is associated with an instance of a CIBA authenticator. The CIBA grant flow is initiated by a direct (backchannel) request from the client and involves an out-of-band interaction with the user to complete authentication and authorization. OAuth clients that support the CIBA grant type can be configured to use a specific CIBA request policy or the default policy.

Learn more in Defining a request policy.
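The grant flow described above, modelled end to end in poll mode as an added example (this is constructed illustration code, not PingFederate's or Ping Identity's implementation): the client's backchannel authentication request carrying an identity hint, the returned auth_req_id, polling of the token endpoint with the CIBA grant type, and the out-of-band approval, which is simulated by the hypothetical approve() method. Parameter names and error codes follow the OpenID CIBA Core specification; the class, the injectable clock, and the sample hint and binding message are assumptions.

```python
import secrets
import time

CIBA_GRANT = "urn:openid:params:grant-type:ciba"

class CibaServer:
    """Minimal model of a CIBA-capable OpenID Provider in poll mode (constructed
    example). The out-of-band authenticator is simulated by approve()/deny()."""
    def __init__(self, clock=time.time, expires_in=120, interval=5):
        self.clock, self.expires_in, self.interval = clock, expires_in, interval
        self.requests = {}

    def backchannel_authentication(self, params):
        # CIBA requires the openid scope and exactly one identity hint.
        hints = [h for h in ("login_hint", "login_hint_token", "id_token_hint") if h in params]
        if "openid" not in params.get("scope", "").split():
            return {"error": "invalid_scope"}
        if len(hints) != 1:
            return {"error": "invalid_request"}
        auth_req_id = secrets.token_urlsafe(32)
        self.requests[auth_req_id] = {"hint": params[hints[0]], "status": "pending",
                                      "created": self.clock(), "last_poll": None}
        return {"auth_req_id": auth_req_id, "expires_in": self.expires_in, "interval": self.interval}

    def approve(self, auth_req_id): self.requests[auth_req_id]["status"] = "approved"
    def deny(self, auth_req_id): self.requests[auth_req_id]["status"] = "denied"

    def token(self, params):
        if params.get("grant_type") != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(params.get("auth_req_id"))
        if req is None:
            return {"error": "invalid_grant"}          # unknown or already consumed auth_req_id
        now = self.clock()
        if now - req["created"] > self.expires_in:
            return {"error": "expired_token"}
        if req["last_poll"] is not None and now - req["last_poll"] < self.interval:
            return {"error": "slow_down"}              # client polled faster than the interval
        req["last_poll"] = now
        if req["status"] == "pending":
            return {"error": "authorization_pending"}  # user has not yet responded out of band
        if req["status"] == "denied":
            return {"error": "access_denied"}
        del self.requests[params["auth_req_id"]]       # auth_req_id is single-use
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

def run_purchase_flow():
    """Walk the merchant example: request, poll, out-of-band approval, token, replay."""
    clock = [1000.0]
    op = CibaServer(clock=lambda: clock[0])
    start = op.backchannel_authentication({"scope": "openid payment",
                                           "login_hint": "alice@example.com",
                                           "binding_message": "Order 4711"})
    poll = {"grant_type": CIBA_GRANT, "auth_req_id": start["auth_req_id"]}
    steps = [op.token(poll)["error"]]          # authorization_pending
    steps.append(op.token(poll)["error"])      # slow_down: polled again before the interval elapsed
    clock[0] += start["interval"]
    op.approve(start["auth_req_id"])           # user confirms in the native mobile app
    final = op.token(poll)
    steps.append("access_token" if "access_token" in final else final["error"])
    steps.append(op.token(poll)["error"])      # replay of a consumed auth_req_id is rejected
    return steps
```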

Because the CIBA extension is an OAuth grant type, you must select CIBA in the Allowed Grant Types setting to enable CIBA for the client. Once selected, you can configure more client CIBA-related settings.

Learn more in Configuring OAuth clients.