When a client makes a Client Initiated Backchannel Authentication (CIBA) request to PingFederate, PingFederate can modify and add to the request information before sending it to PingOne MFA.
The following steps are involved in conveying the CIBA request information from the client application to the request prompt that the user sees on their mobile device.
- The client application sends a CIBA request to PingFederate that includes some request context attributes.
- The CIBA request policy collects attributes from the client request and other attribute sources that you configure, such as a data store.
- The PingOne MFA CIBA Authenticator parses the client request attributes. The authenticator also processes any custom attribute definitions, as described in CIBA prompt customizations.
- The authenticator sends the attributes to PingOne along with information to identify which PingOne notification template to use for the user prompt.
- PingOne uses the attributes from the PingOne MFA CIBA Authenticator to populate the variables in a customizable notification template.
- PingOne sends the notification to the mobile app, which is built with the PingOne Mobile SDK.
- The mobile app show the request prompt to the user to approve or deny.