Page created: 3 Jun 2020
|
Page updated: 10 Dec 2021
Create and configure a Client-Initiated Backchannel Authentication (CIBA) Authenticator for PingID SDK.
This procedure describes the process of creating and configuring a Client Initiated Backchannel Authentication (CIBA) Authenticator for the purpose of authenticating users via an out-of-band authentication method.
Prerequisites:
- PingFederate 9.3+
- PingID SDK Package v1.10+ (comprising PingID SDK Integration Kit v1.7+ and PingID SDK Adapter for PingFederate v1.6+)
Note:
- The PingID SDK CIBA Authenticator supports mobile devices only.
- The PingID SDK CIBA Authenticator is part of the PingID SDK integration with PingFederate, but is not part of the PingID SDK Adapter for PingFederate.
- The CIBA configuration for PingID SDK assumes that a user has at least one mobile device.
- A push notification is sent to the user's primary device. If the user's primary device is not a mobile, the push notification is sent to their first enabled mobile device.
- If an authenticating device is bypassed or pushless, that device is ignored.
- The admin console UI menu labels presented in this topic are those used in PingFederate 9.3. These may differ slightly from other versions of PingFederate.
(Optional) Configuring a dynamic notification push category or dynamic application ID
CIBA authenticators support dynamic notification push categories and dynamic application IDs, and their configurations are similar.
- Dynamic notification push categories
- A CIBA authenticator can receive a notification push category as a
dynamic attribute. This enables a single CIBA authenticator to work with
multiple categories, and submit push notifications according to
categories.Note:Dynamic notification push category configuration requires the following software versions:
- PingFederate 9.3+
- PingID SDK Package v1.13+ comprising:
- PingID SDK Integration Kit v1.9+
- PingID SDK Adapter for PingFederate v1.8+
- PingID SDK CIBA Authenticator 1.1+
- Dynamic application IDs
- A CIBA authenticator can receive an application ID as a dynamic
attribute. This enables a single CIBA authenticator to work with
multiple applications. The dynamic application ID overwrites the default
application ID value (see APPLICATION ID configuration above). If the
CIBA authenticator receives an invalid or non-existent application ID,
an error is generated.Note:Dynamic application ID configuration requires the following software versions:
- PingFederate 9.3+
- PingID SDK Package v1.14.4+ comprising:
- PingID SDK Integration Kit v1.11+
- PingID SDK Adapter for PingFederate v1.8.1+
- PingID SDK CIBA Authenticator 1.1.1+