The following figure illustrates a single sign-on (SSO) scenario in which PingFederate authenticates users to an SP application using PingOne MFA.

  1. The user initiates SSO with PingFederate and completes the first-factor authentication step, such as an HTML Form Adapter instance.
  2. PingFederate contacts Duo Security and provides the user identifier.
  3. Duo Security provides the user's MFA challenge options.
  4. The Duo Security IdP Adapter presents the authentication challenge options in the browser.

  5. Depending on the authentication method, one of the following occurs:
    • For push notification, Duo Security sends a push notification to the user's mobile app. PingFederate polls the API until Duo Security provides the authentication result.
    • For call authentication, Duo Security sends the one-time passcode (OTP) to the user by phone. In the browser, PingFederate shows a form requesting the OTP. The user enters the OTP in the form.
    • For passcode authentication, the user enters a passcode in the form.
  6. If the user authenticates successfully, PingFederate provides access to the requested resource. Otherwise, it shows the user an optional page with the reason authentication failed.