The following figure illustrates a single sign-on (SSO) scenario in which PingFederate authenticates users to an SP application using PingOne MFA.

The PingFederate sign-on flow including the PingOne MFA IdP Adapter


  1. The user initiates SSO with PingFederate and completes the first-factor authentication step, such as an HTML Form Adapter instance.
  2. PingFederate contacts PingOne MFA to initiate the multi-factor authentication challenge.
  3. PingOne MFA indicates whether the authentication method is a one-time passcode (OTP) or push notification. If the user has more than one device paired, PingOne MFA also provides a list of devices.
  4. If the user has multiple devices, PingFederate shows the user a list of devices. The user selects a device.
  5. Depending on the authentication method, one of the following occurs:
    • For OTP authentication, PingOne MFA sends the OTP to the user by email or SMS. In the browser, PingFederate shows a form requesting the OTP. The user enters the OTP in the form.
    • For push notification, PingOne MFA sends a push notification to the user's mobile app. PingFederate polls the API until PingOne MFA provides the authentication result.
  6. If the user authenticated successfully, PingFederate provides access to the requested resource. Otherwise, it shows the user an optional page with the reason authentication failed.