PingID Administration Guide

User directory for PingID offline MFA

PingID offline multi-factor authentication (MFA) supports storage of user authentication device details according to different user directory deployments.

User directory

PingID offline MFA can access device information stored in the directory’s user object, or in a directory object separate from the user object, either in the same directory as the user object, or in a different directory.

The PingID offline MFA feature is designed to work with directories from several vendors, including Active Directory, Oracle Directory, and Ping Directory.

Directory setup scripts are provided for Active Directory as part of the PingID Integration Kit 2.0 and later. You must configure other directories manually.

For more information on directory configuration, see Installing the PingID Integration Kit for PingFederate.

Scripts provided in the PingID Integration Kit 2.0 or later add the following attributes to the directory:

pf-pingid-state

The pf-pingid-state attribute holds the authentication state of the user during offline MFA. Administrators can use this attribute to bypass or block individual users.

It is an optional attribute. When it is used, it must be coupled with the user object class on the main user directory. The optional values, block or bypass, stored in this attribute are managed by the administrator. For more information, see Configuring offline MFA (PingID Adapter) or Configuring offline MFA (RADIUS PCV).

PingFederate only requires read access to the pf-pingid-state attribute. The value of the pf-pingid-state attribute is always stored in the user’s object. You can assign a different name to the attribute using the setup script, within the limits permitted by the user directory.

When PingID is offline, the identity provider checks the configuration.

  • If the user’s pf-pingid-state configuration is empty, the authentication flow continues.

  • If pf-pingid-state is set to bypass, the user bypasses MFA.

  • If pf-pingid-state is set to block, the user is blocked from logging in.

pf-pingid-local-fallback

The pf-pingid-local-fallback attribute holds the user’s authentication devices list information. It is a mandatory attribute. The administrator must decide between:

  • Adding the attribute to the user objectClass on the main user directory.

  • Adding the attribute to a separate custom pf-pingid-device objectClass.

If you add pf-pingid-local-fallback to pf-pingid-device, you must decide which directory should hold the pf-pingid-device objects. These objects can be stored in the same directory as the users, in a different location in the directory tree, or in an entirely separate directory. The PingFederate configuration varies according to the design you choose.

Multiple Adapter/PCV Instances: When running a single PingFederate server with multiple PingID tenants, the pf-pingid-local-fallback attribute cannot be linked to the user objectClass. It is mandatory to set up a separate custom pf-pingid-device objectClass. The location of the pf-pingid-device objects must be different for each Adapter/PCV instance.

If multiple Adapter/PCV instances use the same PingID tenant, there is no restriction on the pf-pingid-local-fallback attribute location.

For more information, see Installing the PingID Integration Kit for PingFederate.

PingFederate has read and write access to the pf-pingid-local-fallback attribute, because the values stored in this attribute are managed by PingFederate.

Priority of parameter settings during the flow of PingID offline MFA

  1. If the Authentication During Errors parameter is set to Bypass or Block, the user’s state attribute is ignored during offline authentication. All users will either bypass PingID offline MFA or be blocked from authenticating, according to the Authentication During Errors setting.

  2. If the Authentication During Errors parameter is set to Passive or Enforce, PingFederate checks the user’s state attribute.

    The user’s state attribute is empty

    If the user has a paired mobile device, the flow proceeds to offline MFA. If the user does not have a paired mobile device, the flow proceeds according to the setting in the Users Without a Paired Device parameter.

    The user’s state attribute is set to Bypass

    The user will bypass PingID offline MFA.

    The user’s state attribute is set to Block

    The user is blocked from authenticating.
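The decision order above, as an added Python reference model that is not PingFederate's or the adapter's own code. The Outcome names, the decide_offline_flow and evaluate_all functions and the sample directory entries are constructed here; the Users Without a Paired Device branch is only named, not modelled, because this page does not list that parameter's values.

```python
from enum import Enum
from typing import Optional


class Outcome(Enum):
    BYPASS = "bypass offline MFA"
    BLOCK = "block authentication"
    OFFLINE_MFA = "challenge with paired device"
    NO_PAIRED_DEVICE_POLICY = "apply Users Without a Paired Device setting"


def decide_offline_flow(auth_during_errors: str, pf_pingid_state: Optional[str],
                        pf_pingid_local_fallback: Optional[str]) -> Outcome:
    """Precedence: adapter/PCV setting, then pf-pingid-state, then device list."""
    mode = auth_during_errors.strip().lower()
    # Step 1: Bypass/Block apply to every user; the state attribute is ignored.
    if mode == "bypass":
        return Outcome.BYPASS
    if mode == "block":
        return Outcome.BLOCK
    if mode not in ("passive", "enforce"):
        raise ValueError(f"unknown Authentication During Errors value: {auth_during_errors!r}")
    # Step 2: Passive/Enforce consult the user's pf-pingid-state.
    # Assumption: matching is case-insensitive (the guide writes both 'bypass' and 'Bypass').
    state = (pf_pingid_state or "").strip().lower()
    if state == "bypass":
        return Outcome.BYPASS
    if state == "block":
        return Outcome.BLOCK
    if state:
        # Only empty, bypass and block are defined; treat anything else as a directory error.
        raise ValueError(f"unexpected pf-pingid-state value: {pf_pingid_state!r}")
    # Empty state: a populated pf-pingid-local-fallback means a paired device exists.
    if pf_pingid_local_fallback:
        return Outcome.OFFLINE_MFA
    return Outcome.NO_PAIRED_DEVICE_POLICY


# Constructed directory entries for illustration, not real user data.
SAMPLE_USERS = {
    "alice": {"pf-pingid-state": None, "pf-pingid-local-fallback": "<device list>"},
    "bob": {"pf-pingid-state": "bypass", "pf-pingid-local-fallback": None},
    "carol": {"pf-pingid-state": "Block", "pf-pingid-local-fallback": "<device list>"},
    "dave": {"pf-pingid-state": "", "pf-pingid-local-fallback": None},
}


def evaluate_all(auth_during_errors: str) -> dict:
    """Outcome for every sample user under one Authentication During Errors setting."""
    return {name: decide_offline_flow(auth_during_errors, u["pf-pingid-state"],
                                      u["pf-pingid-local-fallback"])
            for name, u in SAMPLE_USERS.items()}
```

Running evaluate_all("Bypass") and evaluate_all("Block") shows that those two settings override every per-user state, while "Passive" and "Enforce" let the directory attribute decide.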