Creating a CIBA authentication policy in PingOne

PingOne MFA Integration Kit


Create an MFA authentication policy in PingOne MFA to handle Client Initiated Backchannel Authentication (CIBA) authentication requests.

Tip:

If you already completed the steps in Creating an MFA authentication policy in PingOne, you can skip the steps below and use the same policy for CIBA authentication requests, provided that the policy contains a Mobile Application in the Allowed Authentication Method section. PingOne ignores other authentication methods for CIBA requests.

To create a PingOne authentication policy that you can use for CIBA authentication requests:

  1. In the PingOne MFA console, go to Authentication > Authentication and click + Add Policy.
  2. Enter a unique policy name and note it.
    Remember:

    You will use this name in Configuring a CIBA authenticator instance.

  3. In the Step Type list, select Multi-factor Authentication.
  4. In the MFA Policy list, select an MFA policy that has a Mobile Application configured in the Allowed Authentication Methods section.

    To configure settings for the mobile application attached to the MFA policy:

    1. Select the Native application that you created in Creating an OIDC application in PingOne.
    2. Leave the Auto Enrollment and Device Authorization check boxes cleared.
  5. In the None Or Incompatible Methods section, select a default behavior for cases where the user does not have a valid authentication method set up:
    • Block: If the user doesn't have a valid authentication method set up, MFA fails.
    • Bypass: If the user doesn't have a valid authentication method set up, they continue to the next step as if they completed MFA successfully.
  6. Optional: In the Required When section, configure authentication triggers.

    The None Or Incompatible Methods and Required When sections have no effect on CIBA requests.

  7. Click Save.
  8. Add the policy to your Native application:
    1. In the PingOne MFA console, go to Applications > Applications and expand your application.
    2. On the Policies tab, click + Add Policies or click the Pencil icon, then select the check box for the policy that you created.
    3. Click Save.