Client Initiated Backchannel Authentication (openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html) is an extension to OpenID Connect that is gaining interest by organizations that want to improve the end-user experience during authentication and authorization in a federated environment. This extension defines a new OAuth grant type where user consent can be requested through an out-of-band flow. For example, CIBA improves the user experience when making an online purchase from a merchant because it does not require a browser redirect to a financial institution to authorize the purchase. Instead, the user can receive a push notification sent to the financial institution’s native mobile app running on the user’s phone to complete the authorization.

Note:

The MFA Integration Kit includes the MFA CIBA Authenticator, which works with 's CIBA feature. For instructions on configuring the MFA CIBA Authenticator, see Configuring a CIBA authenticator instance.

A CIBA configuration consists of two components.

CIBA authenticator

A CIBA authenticator is responsible for authenticating users through an out-of-band method.

You may use the PingFederate SDK to implement a custom solution. For more information, refer to the Javadoc for the OOBAuthPlugin interface, the SampleEmailAuthPlugin.java file for a sample implementation, and the SDK developer's guide for build and deployment information.

Once deployed, you can create one or more instance configurations of the authenticator.

CIBA request policy

CIBA request policies process identity hints and authenticate users to receive consent. Each request policy is associated with an instance of a CIBA authenticator. The CIBA grant flow is initiated by a direct request from the client and involves an out-of-band interaction with the user to complete authentication and authorization. OAuth clients that support the CIBA grant type can be configured to use a specific CIBA request policy or a default.

Configuration steps

  1. Create an instance of a CIBA authenticator.
    1. Open the OAuth Server > Authenticators screen.
    2. Click Create New Instance.
    3. On the Type screen, provide the required information and select a CIBA authenticator from the Type list.
      Note:

      Selections vary depending on the CIBA authenticators that have been installed in your PingFederate environment.

    4. Click Next to access the Instance Configuration screen.

      From this point forward, follow the on-screen instructions to complete the configuration. For more information, see Configuring a CIBA authenticator instance.

  2. Create a CIBA request policy.
    1. Open the OAuth Server > Request Policies screen.
    2. Click Add Policy.
    3. On the Manage Policy screen, provide the required information, including selecting the CIBA authenticator instance created in the previous step from the Authenticator list.

      From this point forward, follow the on-screen instructions to complete the configuration. For more information, see Defining a request policy.

  3. Create an OAuth client.
    1. Open the OAuth Server menu.
    2. Click Create New under Clients.
    3. On the Client screen, provide the required information.

      To enable CIBA for the client, you must select CIBA in the Allowed Grant Types setting. Once selected, you can configure a few more client CIBA-related settings.

      For more information, see Configuring an OAuth client.