With the PingOne MFA Integration Kit, PingFederate includes PingOne MFA in the sign-on flow.
The following figure illustrates a single sign-on (SSO) scenario in which PingFederate authenticates users to an SP application using PingOne MFA.
Description
- The user initiates SSO with PingFederate and completes the first-factor authentication step, such as an HTML Form Adapter instance.
- PingFederate contacts PingOne MFA to initiate the multi-factor authentication challenge.
- PingOne MFA indicates whether the authentication method is a one-time passcode (OTP) or push notification. If the user has more than one device paired, PingOne MFA also provides a list of devices.
- If the user has multiple devices, PingFederate shows the user a list of devices. The user selects a device.
- Depending on the authentication method, one of the following occurs:
  - For OTP authentication, PingOne MFA sends the OTP to the user by email or SMS. In the browser, PingFederate shows a form requesting the OTP. The user enters the OTP in the form.
  - For push notification, PingOne MFA sends a push notification to the user's mobile app. PingFederate polls the API until PingOne MFA provides the authentication result.
- If the user authenticated successfully, PingFederate provides access to the requested resource. Otherwise, it shows the user an optional page with the reason authentication failed.
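
The second-factor steps above can be modeled as a small decision flow. This is an added example, not code from the integration kit or the PingOne MFA API: `StubMfaService`, its method names, the status strings, and the `max_polls` bound are all hypothetical, and the sample inputs are constructed. It shows the access decision failing closed on every outcome other than an explicit success.

```python
import hmac

PENDING, APPROVED, DENIED = "PENDING", "APPROVED", "DENIED"  # hypothetical states

class StubMfaService:
    """Constructed stand-in for the MFA service; every method name is hypothetical."""
    def __init__(self, method, devices, otp="", poll_results=()):
        self.method, self.devices = method, list(devices)
        self._otp, self._polls = otp, iter(poll_results)
        self.target = None
    def start_challenge(self):
        # The service reports the method and the user's paired devices.
        return self.method, self.devices
    def send(self, device):
        # OTP by email/SMS, or a push to the mobile app, for the chosen device.
        self.target = device
    def check_otp(self, entered):
        return hmac.compare_digest(entered.encode(), self._otp.encode())
    def poll(self):
        return next(self._polls, PENDING)

def second_factor(service, choose_device, read_otp, max_polls=5):
    """Run the steps after first-factor login; return (granted, reason)."""
    method, devices = service.start_challenge()
    if not devices:
        return False, "no paired device"
    # A device list is shown only when more than one device is paired.
    device = devices[0] if len(devices) == 1 else choose_device(devices)
    if device not in devices:
        return False, "unknown device"
    service.send(device)
    if method == "OTP":
        ok = service.check_otp(read_otp())
        return (True, "otp accepted") if ok else (False, "otp rejected")
    if method == "PUSH":
        # Assumption: polling is bounded so an unanswered push ends in denial.
        for _ in range(max_polls):
            status = service.poll()
            if status == APPROVED:
                return True, "push approved"
            if status == DENIED:
                return False, "push denied"
        return False, "push timed out"
    return False, "unsupported method"
```

A real adapter would wait between polls; the stub returns immediately so the flow can be exercised offline.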