When PingID is the second authentication factor for the PingFederate administrative console, the administrators must authenticate successfully against the first factor, such as a directory server, and subsequently respond to the request for authentication from the PingID app on their mobile devices.

Multi-factor Console Authentication using PingID
Diagram illustrating multi-factor console authentication using PingID.

Processing steps

  1. An administrator opens a browser and accesses the PingFederate administration console.
    1. The administrative console displays the Sign On page.
    2. The administrator enters the correct username and password.
  2. PingFederate invokes the PingID Password Credential Validator (PCV) to validate the username and password against your directory server.

    The PingID PCV comes with a built-in RADIUS server, which can be used as the point of authentication for the PingFederate administration console using RADIUS authentication.

  3. Upon successful validation of the user credentials, the PingID PCV invokes the PingID service with the username.

    The PingID service looks for the username in its datastore.

    If the administrator has not registered a device for use with PingID, the PingID service returns a “username unknown” message. The administrative console displays a device registration window. The administrator must register the mobile device.

  4. If the administrator has a registered device, the PingID service notifies the PingID app on the device or sends a text message (SMS) or voice callback message, depending on the configuration for that user account.
    1. The administrator responds to the request for authentication from PingID.
    2. If the administrator has successfully authenticated to the PingID notification, the PingID service returns a “success” message to the PingID PCV.
  5. The administrative console menu opens.