When PingID® is the second authentication factor for the PingFederate administrative console, the administrators must authenticate successfully against the first factor (for example, a directory server) and subsequently respond to the request for authentication from the PingID app on their mobile devices.

Multifactor Console Authentication using PingID
Multifactor Console Authentication using PingID

Processing steps

  1. An Administrator opens a browser and accesses the PingFederate administration console.
    1. The administrative console displays the login page.
    2. The administrator enters the correct username and password.
  2. PingFederate invokes the PingID Password Credential Validator (PCV) to validate the username and password against your directory server.

    The PingID PCV comes with a built-in RADIUS server, which can be used as the point of authentication for the PingFederate administration console using RADIUS authentication.

  3. Upon successful validation of the user credentials, the PingID PCV invokes the PingID service with the username.

    The PingID service looks for the username in its datastore.

    If the administrator has not registered a device for use with PingID, the PingID service returns a “username unknown” message. The administrative console displays a device registration screen. The administrator must register the mobile device.

  4. If the administrator has a registered device, the PingID service notifies the PingID app on the device or sends an SMS or voice callback message, depending on the configuration for that user account.
    1. The administrator responds to the request for authentication from PingID.
    2. If the administrator has successfully authenticated to the PingID notification, the PingID service returns a “success” message to the PingID PCV.
  5. The administrative console opens its menu.