PingID is a cloud-based multi-factor authentication (MFA) service that protects an organization’s network, applications, and data resources while providing secure and seamless experiences for your customers and users.
The PingID connector supports the use of:
- Customer-friendly authentication flows to increase security without adding unnecessary friction to the end user experience.
- User enrollment flows:
  - Automatically: Allow customers to automatically enroll an authentication method for users during the authentication process.
- One-time device authentication: Include device details within an authentication request. Enables a user to authenticate for one session only, without pairing the device.
Setup
Resources
- PingOne documentation:
- PingID documentation
- PingOne DaVinci documentation:
Requirements
To use the connector, you'll need:
- A PingOne license (Try PingOne for free)
- A PingID license.
- A PingOne environment with a configured Worker app.
- A PingID tenant linked to the PingOne environment.
Setting up PingID
Setting up the connector
In DaVinci, add a PingID connector. For help, see Adding a connector.
Connector settings
Environment ID
Client ID
Client Secret
Region
Using the connector in a flow
Enrolling a device
To seamlessly add MFA for your users and increase MFA adoption, use the PingID connector. You can include device enrollment as part of user registration, or as a just-in-time (JIT) registration within an authentication flow.
The user can select an authentication method for MFA from a list of methods defined by the PingID configuration. This list can include traditional methods, such as email and SMS, and more secure and frictionless methods, such as FIDO2 biometrics and PingID mobile app.
For help, see the Creating an authentication flow guide.
Authenticating users
Use the PingID connector to increase security by adding an authentication factor that requires the user to prove their identity using a trusted device.
For help, see the Creating an authentication flow guide.
PingID flow templates
Ping Identity provides out-of-the-box DaVinci subflows that you can add to a main flow to register authentication devices and to use those devices to authenticate with PingID.
- PingID registration sub-flow
  Use this subflow to register a new authentication method for use with PingID.
  Note: The variable pingIdUserId represents the ID attribute from PingOne and must be provided when triggering the flow.
- PingID authentication sub-flow
  Use this subflow to add PingID as a secondary authentication factor to a main flow, as part of an authentication process.
- Customize PingID authentication sub-flow variables. Click the Variables node to customize any of the following options:
  - AdminMessage: The administrative message you want to display during authentication.
  - SMSBackup: Use the user's mobile number as a backup authentication method, so they can receive a one-time passcode by SMS if they forget their registered authentication device.
  - phoneBackup: Use the user's mobile number as a backup authentication method, so they can receive a one-time passcode by voice message if they forget their registered authentication device.
  - emailBackup: Use the user's email address as a backup authentication method, so they can receive a one-time passcode by email if they forget their registered authentication device.
  - useCode: When set to true, the user can click a Use Code button to enter an OTP, rather than waiting for a push notification to arrive.
  - OTP Fallback: When set to true, users can authenticate with a one-time passcode in the event that the PingID server cannot reach their device, or the push response cannot be completed.
- Define a list of mandatory authentication devices
  You can define a list of mandatory authentication methods. If defined, users are forced to register all of the required authentication methods in order to access their resources.
  - In the relevant PingID authentication subflow, click the Flow Settings node.
  - In the Variable Name field, select mandatoryAuthenticationMethods, and then enter the authentication methods that the user must register with their account. Valid authentication methods include:
    - PINGID_DESKTOP
    - PINGID_MOBILE
    - SMS
    - VOICE
    - EMAIL
    - TOTP
    - SECURITY_KEY
    - PLATFORM
    - YUBIKEY
    - OATH_TOKEN
  Note: This field is empty by default. Authentication methods must be entered in upper case, with a space between each entry. If no authentication method is defined, the user is not required to pair a specific device.
  Example: SMS VOICE EMAIL
  The next time the user attempts to authenticate, even if they have one of the mandatory methods paired with their account, they are forced to register all of the authentication methods specified in the mandatoryAuthenticationMethods list before they can access their resources.
Note:
- This flow requires the PingID - registration welcome page flow. The variable pingIDUserId must be provided when triggering the flow.
- The following PingID Connector variables override the equivalent values in the PingID admin console Configuration tab:

| PingID connector variable | PingID admin console location |
| --- | --- |
| SMSBackup, phoneBackup, emailBackup | Alternate Authentication Methods, Backup Authentication (SMS, Voice, or Email checkbox) |
| OTP Fallback | Mobile App Authentication, One-time Passcode Fallback |
| useCode | Mobile App Authentication, Direct Passcode Usage |
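The format rules given above for mandatoryAuthenticationMethods (upper case, a space between entries, values from the listed methods) can be checked before a value is entered in the Flow Settings node. The following is an added example, not Ping Identity code; the function name checkMandatoryMethods and the duplicate-entry check are assumptions made here.

```javascript
// Added example: checks a candidate mandatoryAuthenticationMethods value
// against the format rules stated on this page. Names are hypothetical.
const VALID_METHODS = new Set([
  "PINGID_DESKTOP", "PINGID_MOBILE", "SMS", "VOICE", "EMAIL",
  "TOTP", "SECURITY_KEY", "PLATFORM", "YUBIKEY", "OATH_TOKEN",
]);

function checkMandatoryMethods(value) {
  const result = { methods: [], errors: [] };
  const raw = String(value ?? "");
  // Empty is the documented default: no specific device is required.
  if (raw.trim() === "") return result;
  // Entries are separated by spaces; commas or semicolons are a common slip.
  if (/[,;]/.test(raw)) {
    result.errors.push("use a space between entries, not ',' or ';'");
  }
  const seen = new Set();
  for (const token of raw.split(/[\s,;]+/).filter(Boolean)) {
    const upper = token.toUpperCase();
    if (!VALID_METHODS.has(upper)) {
      result.errors.push(`unknown method: ${token}`);
    } else if (token !== upper) {
      result.errors.push(`must be upper case: ${token} -> ${upper}`);
    } else if (seen.has(token)) {
      // Hygiene check added here; the page does not mention duplicates.
      result.errors.push(`duplicate entry: ${token}`);
    } else {
      seen.add(token);
      result.methods.push(token);
    }
  }
  return result;
}

// Constructed sample values; the first is the page's own example.
for (const sample of ["SMS VOICE EMAIL", "sms, Voice", "SMS FIDO2 SMS", ""]) {
  console.log(JSON.stringify(sample), checkMandatoryMethods(sample));
}
```

A value that returns any errors should be corrected before saving, so that the enforced method list matches what the administrator intended.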