PingFederate assigns a flow ID to each SSO transaction that uses the authentication API. PingFederate uses the flow ID to determine a transaction's state.

As a user steps through an SSO transaction, the transaction is always in some state. The state includes a status field and other fields specific to that state. The class containing those other fields is the model for the state.

The API endpoint returns the following when the user's SSO transaction has reached the USERNAME_PASSWORD_REQUIRED state for the form adapter.

	"id": "PyH5g",
	"pluginTypeId": "7RmQNDWaOnBoudTufx2sEw",
	"showRememberMyUsername": false,
	"showThisIsMyDevice": false,
	"thisIsMyDeviceSelected": false,
	"showCaptcha": false,
	"rememberMyUsernameSelected": false,
	"_links": {
		"self": {
			"href": "https://localhost:9031/pf-ws/authn/flows/PyH5g"
		"checkUsernamePassword": {
			"href": "https://localhost:9031/pf-ws/authn/flows/PyH5g"

The model for this state is the class UsernamePasswordRequired. It includes fields such as showThisIsMyDevice, which help the API client know how to render the credential prompt to the user.

The API response also includes a list of available actions. In this case, the only action available is checkUsernamePassword. The API client can select this action by sending a POST request with the Content-Type of application/vnd.pingidentity.checkUsernamePassword+json. Each action has its own model containing the fields that the POST body can provide. For the checkUsernamePassword action, the model is CheckUsernamePassword.

The POST body can be as simple as the following.

	"username": "joe",
	"password": "2Federate"

After receiving this request, PingFederate calls the lookupAuthN() method of the form adapter. If the form adapter encounters an error while validating the credentials, it writes a JSON API error to the response. If the form adapter successfully validates the credentials, it returns AUTHN_STATUS.SUCCESS from its lookupAuthN()method. PingFederate then goes to the next step in the authentication policy. If the next step is an API-capable adapter, PingFederate calls lookupAuthN()on that adapter and the adapter determines its current state and writes it to the response, along with the available actions.


The PingFederate authentication API follows a different naming convention for actions than PingOne. PingOne names actions as noun.verb, such as otp.check. PingFederate uses verbNoun, such as checkOtp.