Standard fields
Field Description

PingOne Environment

For PingFederate 10.2 and later.

Select the PingOne connection that you created in Connecting PingFederate to PingOne.

This field is blank by default.

PingOne Population

For PingFederate 10.2 and later.

If a user does not already exist in PingOne, the adapter provisions the user to this PingOne population.

Applies only when Provision Users is selected.

This list is populated after you select the PingOne Environment.

This field is blank by default.

Application

For PingFederate 10.2 and later.

The PingOne application that you created in Creating an OIDC application in PingOne.

This list is populated after you select the PingOne Environment and PingOne Population.

This field is blank by default.

Environment ID

For PingFederate 10.1 and earlier.

The environment ID that you noted in Connecting PingFederate to PingOne.

This field is blank by default.

Region

For PingFederate 10.1 and earlier.

Determines the PingOne API that the adapter communicates with.

Select the region that appears on Settings > Environment > Properties in PingOne.

Application Client ID

For PingFederate 10.1 and earlier.

The client ID that you noted in Creating an OIDC application in PingOne.

This field is blank by default.

Application Client Secret

For PingFederate 10.1 and earlier.

The client secret that you noted in Creating an OIDC application in PingOne.

This field is blank by default.

PingFederate Connection Client ID

For PingFederate 10.1 and earlier.

The client ID that you noted in Connecting PingFederate to PingOne. This is required for automatic device pairing.

This field is blank by default.

PingFederate Connection Client Secret

For PingFederate 10.1 and earlier.

The client secret that you noted in Connecting PingFederate to PingOne. This is required for automatic device pairing.

This field is blank by default.

Population ID

For PingFederate 10.1 and earlier.

If a user does not already exist in PingOne, the adapter provisions the user to this PingOne population. Your population ID appears on Identities > Populations in PingOne.

Applies only when Provision Users is selected.

This field is blank by default.

PingOne Authentication Policy

The policy name that you chose in Creating an MFA authentication policy in PingOne. This overrides any policy named in the requested authentication context.

You can enter multiple policy names by separating them with a space. For example, employees contractors. These must all be "MFA-only" policies, as described in Creating an MFA authentication policy in PingOne.

The adapter maps this value to the acr_values parameter of the PingOne OIDC request.

When this field is blank, the adapter does the following:

  • Looks for the pingone-mfa-acr attribute in the chained attributes, then in the signed request claims object, then in the tracked parameters, and if found uses the corresponding value as received.
  • If the pingone-mfa-acr attribute is not provided in any of those dynamic parameters, the adapter attempts to use the value of the RequestedAuthnCtx parameter (for SAML SSO flows) or the acr_values parameter (for OAuth flows) in the request.

This field is blank by default.
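The precedence described above, as an added example that is not the adapter's own code: a small resolver that picks the policy names sent as acr_values from a configured value first, then the pingone-mfa-acr attribute in the documented source order, then the protocol-level requested context. The AdapterRequest container and its field names are assumptions made for the example; only the attribute and parameter names come from the page.

```python
"""Resolve the PingOne MFA policy names the adapter sends as acr_values.

Added example, not code from the PingOne MFA IdP Adapter. The precedence is
taken from the PingOne Authentication Policy field description; the
AdapterRequest container and its field names are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

ACR_ATTR = "pingone-mfa-acr"  # attribute name documented on the page


@dataclass
class AdapterRequest:
    """Hypothetical view of the dynamic inputs the adapter inspects."""
    chained_attributes: Dict[str, str] = field(default_factory=dict)
    signed_request_claims: Dict[str, str] = field(default_factory=dict)
    tracked_parameters: Dict[str, str] = field(default_factory=dict)
    requested_authn_ctx: Optional[str] = None  # SAML RequestedAuthnCtx
    acr_values: Optional[str] = None           # OAuth/OIDC acr_values
    protocol: str = "oauth"                    # "saml" or "oauth"


def resolve_acr_values(configured_policy: Optional[str],
                       req: AdapterRequest) -> Optional[str]:
    """Return the acr_values string, or None if nothing names a policy."""
    # 1. A configured PingOne Authentication Policy overrides every
    #    policy named in the request. Several names are space separated.
    if configured_policy and configured_policy.strip():
        return " ".join(configured_policy.split())

    # 2. Blank field: look for pingone-mfa-acr in the documented order and
    #    use the first value found as received, without further parsing.
    for source in (req.chained_attributes,
                   req.signed_request_claims,
                   req.tracked_parameters):
        value = source.get(ACR_ATTR)
        if value:
            return value

    # 3. Nothing supplied the attribute: fall back to the requested
    #    authentication context of the protocol in use.
    if req.protocol == "saml":
        return req.requested_authn_ctx
    return req.acr_values


if __name__ == "__main__":
    # Constructed request: the RP asked for "contractors" via acr_values,
    # but a tracked parameter names "employees".
    sample = AdapterRequest(tracked_parameters={ACR_ATTR: "employees"},
                            acr_values="contractors")
    print(resolve_acr_values("", sample))                      # employees
    print(resolve_acr_values("employees contractors", sample))  # pinned
```

The security point the resolver makes visible: when the field is blank, the policy name can come from tracked parameters or from acr_values, both of which originate in the incoming request, so a client or relying party can influence which MFA policy applies. Setting the field pins the policy regardless of what the request asks for.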

PingOne Registration Policy

The name of the PingOne MFA policy that you want to use for device pairing. You can only configure one MFA policy as the registration policy. If this field is left blank, the adapter uses the default MFA policy.

This field is blank by default.

Important:

Your registration policy can use an MFA policy with different requirements than the MFA policy or policies that the PingOne Authentication Policy uses, so make sure to set up MFA policies that are compatible with each other.

For example, if your authentication policy requires offline devices but your registration policy requires FIDO-compliant mobile devices, users cannot pair any device type that the authentication policy accepts through the registration flow.

In that case, you could still create the device types that you require for authentication through device provisioning. However, devices paired through the registration policy could not be used for authentication.

Advanced fields
Field Description

Test Username

The PingOne username that the adapter uses to test the PingOne MFA connection on the Actions tab.

Enter the username for a user that has a paired device and MFA enabled in PingOne.

This field is blank by default.

Notification Template Variant Override

Overrides the notification template variant that the adapter sends to PingOne for authentication and transaction approval flows. The adapter ignores any pi.template.variant attribute in the PingFederate authentication policy and uses this value instead.

Enter the name of the template variant. For example, if you have a PingOne "transaction" template variant called "money-transfer", enter money-transfer.

This field is blank by default.

HTML Template Prefix

Identifies the set of HTML templates that the adapter uses to show the authentication status or request a one-time password.

If you customize the template file names in the /server/default/conf/template directory, enter the new prefix here.

For a description of the template files, see Download manifest.

The default value is pingone-mfa.

Messages Files

Identifies the customizable language-pack file that the adapter uses to show messages on the templates.

If you customize the pingone-mfa-messages.properties file name in the /server/default/conf/language-packs directory, enter the new name here.

The default value is pingone-mfa-messages.

Prompt Users to Set Up MFA

Determines whether users with no authentication methods are prompted to add one.

Select this if you are Enabling the MFA setup prompt.

This check box is cleared by default.

Allow Users to Skip MFA Setup

Determines whether the MFA setup prompt includes a Skip option.

Consider selecting this if you are Enabling the MFA setup prompt.

This allows the user to sign on without setting up MFA.

This check box is cleared by default.

Allow Users to Manage Additional Authentication Methods

Determines whether users can add an additional authentication method or remove an existing one during sign on.

The user must sign on with their existing authentication method first.

This check box is cleared by default.

Allow only predefined values for phone or email devices

This option allows you to limit the values to the email addresses and phone numbers stored for the user. If you enable the option, the relevant email address or phone number is already filled in when the user tries to add a device, and the user cannot modify the address/phone number.

Provision Users

If a user does not already exist in PingOne, the adapter provisions the user to PingOne.

Provision Authentication Methods

Determines whether the adapter adds authentication methods based on the user's SMS Attribute, Voice Attribute, and Email Attribute values.

Update Authentication Methods

This setting allows the adapter to automatically add new authentication methods for existing users.

Consider selecting this if you are Enabling user and authentication method provisioning.

During sign on, the adapter compares the user's authentication methods in PingOne to the user's SMS Attribute, Voice Attribute, and Email Attribute values in the PingFederate authentication policy. If any new values are available for the user, the adapter adds them as authentication methods in PingOne.

Attention:

The PingOne MFA IdP Adapter only adds authentication methods to PingOne.

If you want to synchronize authentication methods and other user attributes, use the PingOne Connector provided in the PingOne Integration Kit.

This check box is selected by default.

Overwrite Authentication Methods

When selected, the user’s existing methods are overwritten. Applies only when Update Authentication Methods is selected.

Enable Cookie Based Tracking

When selected, the adapter tracks a previously authenticated FIDO security key or platform device in a cookie so a user is not prompted again.

Enforce Device Selection

When selected, the user is taken to device selection when attempting authentication to choose which device to authenticate with.

Note:

If not selected, the user is taken to the default device configured in PingOne. If a default device has not been configured in PingOne, they are taken to device selection.

Use Password Config Attribute

Adds a Use Password button to the device selection screen.

The Use Password policy action automatically exits the user from the current flow when the user has no device to perform MFA and is not authenticated prior to reaching the adapter.

Bypass MFA For Device Pairing Attribute

The attribute that determines whether a user has to complete MFA with an existing device before pairing a new device. The adapter checks for this attribute in the authentication policy, and if the value is true, then MFA isn't required. Because a true value skips the MFA step before a new device is paired, derive this attribute from a trusted source in your policy, such as an earlier authenticated step, rather than from unauthenticated request parameters.

Username Attribute

Determines the username for users provisioned to PingOne.

This is used when Enabling user and authentication method provisioning.

If you identify users based on their PingOne username, leave this field blank. New users are named based on the "incoming user ID" set for the adapter in your PingFederate authentication policy.

If you identify users based on their PingOne user ID, enter the name of an authentication policy attribute. New users are named based on the attribute instead of the "incoming user ID".

Tip: This relates to step 5 in Adding PingOne MFA to your authentication policy.

Applies only when Provision Users is selected.

This field is blank by default.

SMS Attribute

This is used when Enabling user and authentication method provisioning.

When provisioning users or updating a user's authentication methods, the adapter checks for phone numbers in each attribute that begins with this prefix. The adapter adds these phone numbers as SMS authentication methods in PingOne MFA.

For example, in the PingFederate authentication policy, a user has three phone numbers in the following attributes:
  • sms-1
  • sms-2
  • sms-3
By entering sms in this field, the adapter adds all three phone numbers as SMS authentication methods in PingOne MFA.

You can also provide multiple values in a single attribute. Enter the attribute name in this field.

The adapter adds all values as separate SMS authentication methods, up to the maximum number of methods.

If ordering is enabled in PingOne MFA, the adapter orders authentication methods as follows:
  • For multiple attributes with the same prefix, the methods are ordered from lowest to highest, such as sms-1, then sms-2.
  • For multi-value attributes, the methods follow the order they appear in the attribute.

Applies only when Update Authentication Methods is selected.

The default value is sms.

Voice Attribute

This is used when Enabling user and authentication method provisioning.

When provisioning users or updating a user's authentication methods, the adapter checks for phone numbers in each attribute that begins with this prefix. The adapter adds these phone numbers as voice authentication methods in PingOne MFA.

Follows the same general behavior as the SMS Attribute field.

Applies only when Update Authentication Methods is selected.

The default value is voice.

Email Attribute

This is used when Enabling user and authentication method provisioning.

When provisioning users or updating a user's authentication methods, the adapter checks for email addresses in each attribute that begins with this prefix. The adapter adds these email addresses as authentication methods in PingOne MFA.

Follows the same general behavior as the SMS Attribute field.

Applies only when Update Authentication Methods is selected.

The default value is email.

Application ID for Authentication Code Flow

The application ID to use for authentication code based flow.

Default Authentication Method for Provisioned Users

This is used when Enabling user and authentication method provisioning.

When provisioning a new user to PingOne, the adapter sets the user's default authentication method based on this setting.

For example, when set to SMS, the adapter checks for attributes according to the SMS Attribute field. The first matching attribute, such as sms-1, becomes the user's default authentication method.

Applies only when Update Authentication Methods is selected.

Note: See a related entry in Known issues and limitations.

The default selection is SMS.
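The prefix matching, multi-value handling, ordering and default-method selection described under SMS Attribute, Voice Attribute, Email Attribute and Default Authentication Method for Provisioned Users, as an added example that is not the adapter's own code. The policy attributes are constructed sample data, and the maximum number of methods, the SMS/VOICE/EMAIL type labels and the plan structure are assumptions for the example; the page only states that a maximum exists.

```python
"""Build the set of authentication methods the adapter would provision
from PingFederate policy attributes.

Added example, not code from the PingOne MFA IdP Adapter. Prefix matching,
attribute ordering and the default-method rule follow the field descriptions;
MAX_METHODS, the type labels and the plan layout are assumptions.
"""
import re
from typing import Dict, List, Optional, Union

AttrValue = Union[str, List[str]]
MAX_METHODS = 5  # assumed limit; the page does not state the number

# Constructed sample: attribute values an authentication policy might expose.
SAMPLE_ATTRS: Dict[str, AttrValue] = {
    "sms-2": "+15550000002",
    "sms-1": "+15550000001",
    "sms-10": "+15550000010",
    "voice": ["+15550000020", "+15550000021"],   # multi-value attribute
    "email-1": "alice@example.com",
    "email-2": "alice@example.com",              # duplicate, skipped
    "username": "alice",                         # no prefix match
}


def _prefix_sort_key(name: str):
    """Order sms-1, sms-2, sms-10 numerically; unnumbered names by name."""
    m = re.search(r"(\d+)$", name)
    return (0, int(m.group(1))) if m else (1, name)


def collect_methods(attrs: Dict[str, AttrValue], prefix: str,
                    method_type: str,
                    max_methods: int = MAX_METHODS) -> List[dict]:
    """Return methods for every attribute whose name begins with prefix.

    Multi-value attributes contribute their values in the order they appear;
    blanks and duplicate targets are skipped; the result is capped.
    """
    methods: List[dict] = []
    for name in sorted((n for n in attrs if n.startswith(prefix)),
                       key=_prefix_sort_key):
        raw = attrs[name]
        values = raw if isinstance(raw, list) else [raw]
        for value in values:
            target = value.strip()
            if not target or any(m["target"] == target for m in methods):
                continue
            if len(methods) >= max_methods:
                return methods
            methods.append({"type": method_type, "target": target})
    return methods


def build_provisioning_plan(attrs: Dict[str, AttrValue],
                            sms_prefix: str = "sms",
                            voice_prefix: str = "voice",
                            email_prefix: str = "email",
                            default_type: str = "SMS") -> dict:
    """Collect SMS, voice and email methods and pick the default method.

    The default is the first matching method of the configured type, which
    mirrors "the first matching attribute, such as sms-1, becomes the default".
    """
    methods = {
        "SMS": collect_methods(attrs, sms_prefix, "SMS"),
        "VOICE": collect_methods(attrs, voice_prefix, "VOICE"),
        "EMAIL": collect_methods(attrs, email_prefix, "EMAIL"),
    }
    default: Optional[dict] = methods[default_type][0] if methods[default_type] else None
    return {"methods": methods, "default": default}


if __name__ == "__main__":
    plan = build_provisioning_plan(SAMPLE_ATTRS)
    for kind, found in plan["methods"].items():
        print(kind, [m["target"] for m in found])
    print("default:", plan["default"])
```

Note that matching is on the attribute name prefix, so a prefix of sms also matches an attribute named smsBackup; choose prefixes that only your intended attributes share. The default falls back to None when no attribute of the default type is present, which is the case the Known issues entry referenced above is about.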

User Not Found Failure Mode

When a user error occurs in PingOne, this setting determines whether the adapter blocks the user’s sign-on attempt.

User errors include the following:
  • User is disabled
  • User does not exist
  • The PingOne MFA service is disabled for the user

The default selection is Block user.

Service Unavailable Failure Mode

When PingOne does not respond, this setting determines whether the adapter blocks the user's sign-on attempt.

The default selection is Bypass authentication. This default is fail-open: during a PingOne outage, users sign on without completing MFA. Select the blocking option instead if MFA must be enforced even when PingOne is unavailable.

Change Authentication Method

Determines whether the adapter shows a "back" button that allows a user to select a different authentication method during a sign-on session.

If your PingOne authentication policy uses the Being a member of any of these populations or User Attributes requirements, set this to Deny. The features are not compatible.

This setting has no effect when the adapter is used through the PingFederate authentication API.

The default selection is Allow.

Show Success Screens

Determines whether the adapter shows a success page when the MFA step is successful.

This check box is selected by default.

Show Error Screens

Determines whether the adapter shows an error page when the MFA step generates an error.

This check box is selected by default.

Show Timeout Screens

Determines whether the adapter shows a "timed out" page when the MFA step times out.

This check box is selected by default.

Enable Audit Log

When selected, the adapter logs end-user browser details along with selected authentication method info such as device type, correlation ID, and device nickname in PingFederate's audit log.

Note:

This is supported only in PingFederate 10.0 and later.

API Request Timeout

The amount of time in milliseconds that PingFederate allows when establishing a connection with PingOne MFA or waiting for a response to a request. A value of 0 disables the timeout.

Tip:

If you don't want to use the device integrity check, you can decrease this to 5000ms. For details about the device integrity check, see Authentication method management.

The default value is 12000.

Proxy Settings

Defines proxy settings for outbound HTTP requests.

The default value is System Defaults.

Custom Proxy Host

The proxy server host name to use when Proxy Settings is set to Custom.

This field is blank by default.

Custom Proxy Port

The proxy server port to use when Proxy Settings is set to Custom.

This field is blank by default.