  • Supports MFA using the following authentication methods:
    • Passkeys (FIDO2)
    • One-time passcodes (OTPs) through SMS, voice call, and email
    • Time-based One-Time Password (TOTP) authenticator apps, such as Google Authenticator
    • Biometrics (FIDO2)
    • Security keys (FIDO2 and U2F)
    • Push notifications through mobile apps built with the PingOne Mobile SDK
    • Authentication codes
  • Adds authentication methods for users in PingOne:
    • Can automatically and silently add SMS, voice, and email authentication methods when a new user signs on
    • Allows users to manually add additional SMS, voice, email, TOTP, and FIDO2 authentication methods or remove existing ones
    • Allows users to select a default authentication method
    • Prompts users to set up MFA if they don't have any existing authentication methods

    The PingOne MFA IdP Adapter can add and remove authentication methods and set a default method, but it cannot update a method's nickname.

    If you want to synchronize authentication methods and other user attributes, use the PingOne Connector provided in the PingOne Integration Kit.

  • Supports the following transaction flows:
    • Multi-factor authentication
    • Transaction approvals
    • Client-initiated backchannel (CIBA) authentication
  • Supports the PingFederate Authentication API
  • Supports the JavaScript Widget for the PingFederate Authentication API


PingOne MFA IdP Adapter
Allows PingFederate to use PingOne MFA to trigger an MFA challenge during sign on.

Allow the adapter to request OTPs from the user and show the status of the authentication request.

Allow you to modify the appearance of pages shown to the user during authentication.

Language packs
Allow you to customize or localize the messages returned by the PingFederate Authentication API and shown on the templates during authentication. For help, see Localizing messages for end users in the PingFederate documentation.

PingOne MFA CIBA Authenticator
Allows PingFederate to use PingOne MFA to prompt users to approve or deny Client Initiated Backchannel Authentication (CIBA) requests. This authenticator can be used independently from the PingOne MFA IdP Adapter.

Intended audience

This document is intended for PingFederate administrators.

If you need help during the setup process, see the following resources:

System requirements

  • PingFederate 10.0 or later
  • To allow PingFederate to make outbound HTTPS connections, you might need to allow the following host names in your firewall:
    • https://api.pingone.com, https://api.pingone.asia, or https://api.pingone.eu
    • https://auth.pingone.com, https://auth.pingone.asia, or https://auth.pingone.eu
  • PingOne requirements:
    • A PingOne MFA license

      If you don't have a license, you can Try Ping for Free.

    • A PingOne user account
      • MFA must be enabled for the user
      • The user must have at least one authentication method added

      For help managing users and devices in PingOne MFA, see Getting Started with PingOne MFA.

      To enable user provisioning and offline device pairing from PingFederate, set up the PingOne Integration Kit.

  • A mobile app built with the PingOne Mobile SDK, required only for the following:
    • Pairing new devices
    • Push authentication challenges for MFA
    • Push authentication challenges for CIBA requests