The PingOne MFA Integration Kit allows PingFederate to use the PingOne MFA service for multi-factor authentication (MFA).
- Supports MFA using the following authentication methods:
- One-time passcodes (OTPs) through SMS, voice call, and email
- Time-based One-Time Password (TOTP) authenticator apps, such as Google Authenticator
- Biometrics (FIDO2)
- Security keys (FIDO2 and U2F)
- Push notifications through mobile apps built with the PingOne Mobile SDK
- Authentication codes
- Adds authentication methods for users in PingOne.
- Can automatically and silently add SMS, voice, and email authentication methods when a new user signs on
- Allows users to manually add additional SMS, voice, email, TOTP, and FIDO2 authentication methods
- Allows users to select a default authentication method
- Prompts users to set up MFA if they don't have any existing authentication methods
The PingOne MFA IdP Adapter can add authentication methods, but it can't remove or update them. If you want to synchronize authentication methods and other user attributes, use the PingOne Connector provided in the PingOne Integration Kit.
- Supports the following transaction flows:
- Multi-factor authentication
- Transaction approvals
- Client-initiated backchannel (CIBA) authentication
- Supports the PingFederate Authentication API
- PingOne MFA IdP Adapter
- Allows PingFederate to use PingOne MFA to trigger an MFA challenge during sign on.
- Allow the adapter to request OTPs from the user and show the status of the
Allow you to modify the appearance of pages shown to the user during authentication.
- Language packs
- Allow you to customize or localize the messages returned by the PingFederate authentication API and shown on the templates during authentication. For help, see Localizing messages for end users in the PingFederate documentation.
- PingOne MFA CIBA Authenticator
- Allows PingFederate to use PingOne MFA to prompt users to approve or deny Client Initiated Backchannel Authentication (CIBA) requests. This authenticator can be used independently from the PingOne MFA IdP Adapter.
This document is intended for PingFederate administrators.
If you need help during the setup process, see the following resources:
- PingOne MFA in the PingOne MFA documentation
- The following sections of the PingFederate documentation:
- PingFederate 10.0 or later
- To allow PingFederate to make outbound HTTPS
connections, you might need to allow the following host names in your
- https://api.pingone.com, https://api.pingone.asia, or https://api.pingone.eu
- https://auth.pingone.com, https://auth.pingone.asia, or https://auth.pingone.eu
- PingOne requirements:
- A PingOne MFA licenseTip:
If you don't have a license, you can Try Ping for Free.
- A PingOne user account
- MFA must be enabled for the user
- The user must have at least one authentication method added
For help managing users and devices in PingOne MFA, see Getting Started with PingOne MFA.
To enable user provisioning and offline device pairing from PingFederate, set up the PingOne Integration Kit.
- A PingOne MFA license
- A mobile app built with the PingOne Mobile SDK, required only for the following:
- Pairing new devices
- Push authentication challenges for MFA
- Push authentication challenges for CIBA requests