User directory for PingID offline MFA
PingID offline multi-factor authentication (MFA) supports storage of user authentication device details according to different user directory deployments.
User directory
PingID offline MFA can access device information stored in the directory's user object, or in a directory object separate from the user object; that separate object can live in the same directory as the user object or in a different directory.
The PingID offline MFA feature is designed to work with directories from several vendors, including Active Directory, Oracle Directory, and Ping Directory. Directory setup scripts are provided for Active Directory as part of the PingID Integration Kit 2.0 and later. You must configure other directories manually. For more information on directory configuration, see Installing the PingID Integration Kit for PingFederate.
Scripts provided in the PingID Integration Kit 2.0 or later add the following attributes to the directory:

pf-pingid-state
- The pf-pingid-state attribute holds the authentication state of the user during offline MFA. Administrators can use this attribute to bypass or block individual users. It is an optional attribute. When it is used, it must be coupled with the user object class on the main user directory. The optional values, block or bypass, stored in this attribute are managed by the administrator. For more information, see Configuring offline MFA (PingID Adapter) or Configuring offline MFA (RADIUS PCV). PingFederate only requires read access to the pf-pingid-state attribute. The value of the pf-pingid-state attribute is always stored in the user's object. You can assign a different name to the attribute using the setup script, within the limits permitted by the user directory. When PingID is offline, the identity provider checks the configuration:
  - If the user's pf-pingid-state attribute is empty, the authentication flow continues.
  - If pf-pingid-state is set to bypass, the user bypasses MFA.
  - If pf-pingid-state is set to block, the user is blocked from logging in.
pf-pingid-local-fallback
- The pf-pingid-local-fallback attribute holds the user's authentication devices list information. It is a mandatory attribute. The administrator must decide between:
  - Adding the attribute to the user objectClass on the main user directory.
  - Adding the attribute to a separate custom pf-pingid-device objectClass.
  If you add pf-pingid-local-fallback to pf-pingid-device, you must decide which directory should hold the pf-pingid-device objects. These objects can be stored in the same directory as the users (in a different location in the directory tree), or in an entirely separate directory. PingFederate configuration will vary according to the design you choose.
  Multiple Adapter/PCV instances: When running a single PingFederate server with multiple PingID tenants, the pf-pingid-local-fallback attribute cannot be linked to the user objectClass. It is mandatory to set up a separate custom pf-pingid-device objectClass. The location of the pf-pingid-device objects must be different for each Adapter/PCV instance.
  If multiple Adapter/PCV instances use the same PingID tenant, there is no restriction on the pf-pingid-local-fallback attribute location.
  For more information, see Installing the PingID Integration Kit for PingFederate. PingFederate has read and write access to the pf-pingid-local-fallback attribute, because values stored in this attribute are managed by PingFederate.
Priority of parameter settings during the flow of PingID offline MFA
- If the Authentication During Errors parameter is set to Bypass or Block, the user's state attribute is ignored during offline authentication. All users will either bypass PingID offline MFA or be blocked from authenticating, according to the Authentication During Errors setting.
- If the Authentication During Errors parameter is set to Passive or Enforce, PingFederate checks the user's state attribute:
  - The user's state attribute is empty: If the user has a paired mobile device, the flow proceeds to offline MFA. If the user does not have a paired mobile device, the flow proceeds according to the setting in the Users Without a Paired Device parameter.
  - The user's state attribute is set to Bypass: The user bypasses PingID offline MFA.
  - The user's state attribute is set to Block: The user is blocked from authenticating.
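The precedence rules above, expressed as a single decision function. This is an added illustration, not PingFederate or PingID code: the enum names, the case-insensitive comparison of the state value, and the ValueError raised on an unrecognised state value are assumptions made here; the page itself only describes the four parameter values, the empty/bypass/block states and the paired-device check.

```python
from enum import Enum


class AuthDuringErrors(Enum):
    """Values of the adapter/PCV 'Authentication During Errors' parameter."""
    BYPASS = "Bypass"
    BLOCK = "Block"
    PASSIVE = "Passive"
    ENFORCE = "Enforce"


class Outcome(Enum):
    """What happens to the login attempt while PingID is unreachable."""
    BYPASS = "user bypasses offline MFA"
    BLOCK = "user is blocked from authenticating"
    OFFLINE_MFA = "flow proceeds to offline MFA"
    NO_DEVICE_POLICY = "apply the 'Users Without a Paired Device' setting"


def offline_mfa_decision(auth_during_errors, pf_pingid_state, has_paired_device):
    """Resolve the outcome for one user during PingID offline MFA.

    Precedence, as documented on the page:
      1. Authentication During Errors = Bypass or Block wins for every user;
         the per-user pf-pingid-state attribute is not consulted at all.
      2. Passive or Enforce: the per-user pf-pingid-state attribute decides.
      3. Empty state: a paired device leads to offline MFA; otherwise the
         'Users Without a Paired Device' parameter (values not on the page)
         governs, so we only report that it must be applied.
    """
    if auth_during_errors is AuthDuringErrors.BYPASS:
        return Outcome.BYPASS
    if auth_during_errors is AuthDuringErrors.BLOCK:
        return Outcome.BLOCK

    # Assumption: the attribute is read as a string (None when absent) and
    # compared case-insensitively, since the page writes both "block"/"bypass"
    # and "Block"/"Bypass".
    state = (pf_pingid_state or "").strip().lower()
    if state == "bypass":
        return Outcome.BYPASS
    if state == "block":
        return Outcome.BLOCK
    if state:
        # Assumption: the page defines no meaning for other values, so refuse
        # to guess rather than silently treating them as "empty".
        raise ValueError(f"unexpected pf-pingid-state value: {pf_pingid_state!r}")

    return Outcome.OFFLINE_MFA if has_paired_device else Outcome.NO_DEVICE_POLICY
```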