Authentication method management for inbound provisioning
Inbound provisioning manages all mapped email, voice, and SMS MFA attributes.
Nicknames
PingOne assigns nicknames to authentication methods (also called "devices"). The nicknames are used to identify authentication methods on user-facing pages, such as the Device Selection page.
Inbound provisioning uses nicknames when provisioning and synchronizing a user’s authentication methods. The following are the managed nicknames used by inbound provisioning:
-
SMS 1
-
SMS 2
-
SMS 3
-
Email 1
-
Email 2
-
Email 3
-
Voice 1
-
Voice 2
-
Voice 3
The inbound provisioner might unpair existing MFA devices if an existing device has a name that matches a managed nickname, since they are assumed to be devices that the inbound provisioner should manage. In this case, where the managed nicknames are used by either PingID or manually entered, the recommended solution is to use the Do not manage option mentioned in Adding attribute mapping for inbound provisioning. It is also possible to give your MFA device a different nickname, as a workaround. |
Mapping attributes to nicknames
Each device nickname is associated with one attribute on the Attribute Mapping tab of the provisioning rule. For example, the Email
3
nickname holds the value of the MFA Device Email 3
attribute.
You can map these attributes on the Attribute Mapping tab of the provisioning rule.
Synchronization
When synchronizing a user’s authentication methods, inbound provisioning behaves as described in the following scenarios.
Scenario | Action |
---|---|
A device exists with a managed nickname, but the value does not match the value in the identity store. |
The provisioner deletes and re-creates the device with the value from the identity store. |
A value matches between PingOne and the identity store, but the device uses an unmanaged nickname. |
The provisioner deletes and re-creates the device with the appropriate managed nickname. |
A device exists with an unmanaged nickname and the value does not match the value in the identity store. |
The provisioner does not make any changes. |
Maximum number of authentication methods
Although inbound provisioning supports up to three SMS attributes, three email attributes, and three voice attributes, PingOne accepts a maximum of five authentication methods per user by default. You can adjust this in the PingOne settings.