Adding PingOne MFA to your authentication policy

PingOne MFA Integration Kit

By modifying your PingFederate authentication policy to include the PingOne MFA IdP Adapter, you can challenge users to complete a multi-factor authentication (MFA) step.

These steps describe how to add the PingOne MFA IdP Adapter to an existing authentication policy. For general information about configuring authentication policies, see Authentication Policies in the PingFederate documentation.

  1. In the PingFederate administrative console, go to the Policies tab.
    • For PingFederate 10.1 or later: go to Authentication > Policies > Policies.
    • For PingFederate 10.0 or earlier: go to Identity Provider > Authentication Policies > Policies.
  2. Select the IdP Authentication Policies check box.
  3. Open an existing authentication policy, or click Add Policy. See Defining authentication policies in the PingFederate documentation.
  4. In the Policy area, from the Select list, select a PingOne MFA IdP Adapter instance.
    (Figure: Adding the PingOne MFA IdP Adapter to the authentication policy)
  5. Map the PingOne user ID or username into the PingOne MFA IdP Adapter instance.
    (Figure: Passing the user ID from the first-factor authentication adapter to the PingOne MFA IdP Adapter)
    1. Under the PingOne MFA IdP Adapter instance, click Options.
    2. On the Options dialog, from the Source list, select a previous authentication source that collects the PingOne user ID or username.
      Attention: If you left the Username Attribute field blank in your PingOne MFA IdP Adapter configuration, the adapter also uses this value as the username when provisioning new users to PingOne.

    3. From the Attribute list, select the user ID. Click Done.
    4. Optional: Select the User ID Authenticated check box.
      Note: The User ID Authenticated check box indicates whether the mapped user ID has been authenticated by the authentication source and therefore can be trusted by the current adapter. Device management options are limited if the user is not authenticated.

  6. Optional: Define policy paths based on the pingone.mfa.status or pingone.mfa.status.reason attributes.
    (Figure: Branching the authentication policy based on the pingone.mfa.status attribute)
    1. Under the PingOne MFA IdP Adapter instance, click Rules.
    2. On the Rules dialog, in the Attribute Name list, select pingone.mfa.status or pingone.mfa.status.reason.
    3. In the Condition list, select equal to.
    4. In the Value field, enter a value from the PingOne MFA status attributes reference.
    5. In the Result field, enter a name. This appears as a new policy path that branches from the authentication source.
    6. If you want to add more authentication paths, click Add and repeat steps 1 through 5.
    7. Click Done.
  7. Configure each of the authentication paths.
    (Figure: The complete authentication policy)
  8. Click Done.
  9. If you want to enable automatic device pairing, add the mobile payload attribute as a tracked HTTP parameter.
    1. Go to the Tracked HTTP Parameters tab.
    2. In the Parameter Name field, enter mobilePayload.
    3. Click Add.
    4. Click Save.