PingID Administration Guide

Configuring multiple access mode

Enter these setting in PingFederate to configure multiple access mode.

Before you begin

Multiple access mode is supported from the following software versions:

  • PingFederate 9.2 or later

  • PingID Integration Kit 2.6 (PingID Adapter 2.5)

Steps

  1. Configure PingFederate to determine whether the accessing device is organization-owned, and whether it is a private or shared device. Choose from the following methods to obtain this information.

    Choose from:

  2. Configure multiple access mode.

    1. Download the PingID properties file. For more information, see Managing the PingID properties file for PingFederate.

    2. Create an HTML form adapter instance. Refer to HTML Form Adapter and Configure an HTML Form Adapter instance in the PingFederate admin guide. Make sure that:

      • Session State is set to None.

      • Enable 'This is my device' box is selected.

    3. Configure authentication sessions for the HTML Form Adapter. For more information, see Configure authentication sessions.

    4. Create a PingID adapter instance. For more information, see Configuring a PingFederate policy for secondary authentication. Make sure that:

      • Type is set to PingID Adapter 2.5 or later, to support multiple access mode.

        The multiple access mode capability requires PingFederate Authentication Policies rather than the Composite adapter:

        • Create an Authentication Policy Contract (APC). For more information, see Policy contracts.

        • Create an authentication policy for the PingID adapter. For more information, see Policies.

Result

The following table summarizes the main flows, based on the attributes of the accessing device. These attributes are assessed to determine the use case, and whether the device is organization-owned, single or multi-user, or whether these attributes are unknown:

Accessing device attributes Process flow

Use case scenario

Organization-owned device

Single/Multiple user device

HTML login form presents 'This is my device' checkbox

Session information saved

Private accessing device: Each access device is organization-owned, and assigned to only one user.

Yes

Single user

No

Yes

Shared accessing device: Access devices are organization-owned, and each device is identifiable before login at access time, as a multiple-user shared device.

Yes

Multiple users

No

No

Unknown accessing device: Access is permissible from devices whose status as a single-user or multi-user device is not identifiable before login at access time.

These devices may also be either organization-owned privately owned.

Since PingFederate cannot determine whether the access device is private or shared, the user is prompted at login to indicate the device status.

In this use case, the behavior is identical regardless of whether or not the access device is organization-owned.

Unknown whether single or multiple user device, when PingFederate presents the HTML login form

Yes

Depends on the user’s response:

  • Yes: If the user checks 'This is my device'.

  • No: If the user leaves 'This is my device' unchecked.