By modifying your PingFederate authentication policy to include the PingOne MFA IdP Adapter, you can challenge users to complete a multi-factor authentication (MFA) step.
These steps are designed to help you add to an existing authentication policy. For general information about configuring authentication policies, see Authentication Policies in the PingFederate documentation.
In the PingFederate administrative console, go to the
- For PingFederate 10.1 or later: go to .
- For PingFederate 10.0 or earlier: go to .
- Select the IdP Authentication Policies check box.
- Open an existing authentication policy, or click Add Policy. See Defining authentication policies in the PingFederate documentation.
In the Policy area, from the
Select list, select a PingOne MFA IdP Adapter
Map the PingOne user ID or username into the PingOne MFA IdP Adapter instance.
- Under the PingOne MFA IdP Adapter instance, click Options.
On the Options dialog, from the
Source list, select a previous authentication
source that collects the PingOne user ID or
If you left the Username Attribute field blank in your PingOne MFA IdP Adapter configuration, the adapter also uses this value as the username when provisioning new users to PingOne.
- From the Attribute list, select the user ID. Click Done.
Select the User ID Authenticated check
The User ID Authenticated check box indicates whether the mapped user ID has been authenticated by the authentication source and therefore can be trusted by the current adapter. Device management options are limited if the user is not authenticated.
Define policy paths based on the
- Under the PingOne MFA IdP Adapter instance, click Rules.
- On the Rules dialog, in the Attribute Name list, select pingone.mfa.status or pingone.mfa.status.reason.
- In the Condition list, select equal to.
- In the Value field, enter a value from PingOne MFA status attributes reference.
- In the Result field, enter a name. This appears as a new policy path that branches from the authentication source.
- If you want to add more authentication paths, click Add and repeat steps a-e.
- Click Done.
Configure each of the authentication paths.
- Click Done.
If you want to enable automatic device pairing, add the mobile payload
attribute as a tracked HTTP parameter.
- Go to the Tracked HTTP Parameters tab.
- In the Parameter Name field, enter mobilePayload.
- Click Add.
- Click Save.