The PingID SDK adapter for PingFederate permits the option to replace the customer server with PingFederate for pairing and authenticating a user.
Administrators and developers should consider the supported flows when implementing the PingID SDK adapter for PingFederate.
Supported use cases and flows
The PingID SDK adapter for PingFederate supports the following use cases:
- Automatic device registration (web view)
  - Automatic mobile device registration when a user initiates a pairing process for a mobile device.
  - This flow only supports the mobile web view. The user is authenticated as part of the PingFederate authentication flow, and after the user is successfully authenticated, control is returned to the mobile application and trust with the PingID SDK server is initiated. The adapter returns control to the mobile application.
  - This flow supports registration of mobile devices.
- Device authorization (web view)
  - A seamless user sign-on to an already trusted mobile application that includes the PingID mobile SDK.
  - This flow only supports sign-on to the mobile application using the mobile web view and then returns control to the mobile application.
  - This flow takes the user through the PingID SDK adapter authentication. On successful seamless device authentication, the user is signed on to the application.
- QR code authentication
  - A user scans a QR code with a trusted mobile device. The major objective of this approach is to permit secure passwordless authentication. The customer server does not need advance knowledge of who the user is; for example, first factor authentication is not required.
  - The PingFederate PingID SDK adapter displays a QR code image in the web browser.
  - The user scans the QR code with their trusted mobile device, and the mobile application passes it back to the PingID SDK server. QR code-based authentication also supports authentication of multiple users who use the same device.
  - The PingID SDK server validates the QR code.
  - If the QR code is valid, the user is approved and authentication is completed.
  - If extra verification is required, a silent push is sent to verify the device. In addition, a user approval message can also be sent to the user for additional user confirmation.
- Out-of-band / step up authentication from web
  - Multi-factor authentication (MFA) during user sign-on to a web application.
  - Signing on through a web browser initiates PingFederate first factor authentication. Since it is web based, no payload is sent to the PingID SDK server.
  - All of the PingID SDK authentication methods are supported: mobile SDK, SMS, voice, and email.
  - After successful first factor authentication, the adapter directs the PingID SDK server to send a push notification, SMS, voice message, or email to the authenticating device.
  - A design consideration for the application is to permit SMS, voice, and email device registration even when PingFederate is not used for that registration.
- Out-of-band / step up authentication from mobile
  - MFA during user sign-on to a non-trusted mobile device, using the user's primary device for the approval process.
  - This flow supports pairing of new mobile devices only. Mobile, SMS, voice, and email devices can be used for approving the new device pairing.
  - The PingID SDK server sends an authentication request to the primary device, either as a push notification for a mobile device or a one-time passcode (OTP) for SMS, voice, or email. The PingID SDK adapter returns a success or failure status.
  - This flow is relevant only when Additional Trusted Devices is configured to Verify New Devices with Primary Device. In cases where Additional Trusted Devices is configured to Pair Each Device Individually, the Automatic device registration flow is performed every time a user tries to pair an additional device.
- Transaction approval
  - Transaction approval, also known as step up authentication, is elevated security for a high-value or high-risk resource or service, within the particular context of an application. This requires authentication using a higher assurance credential than previously required for general access to the application.
  - Some applications do not use second factor authentication during the sign-on process. Instead, they activate it during certain user actions, such as payments or bank transfers. These actions are called transaction approvals because they elevate the user's security context only when required by the business logic.
  - PingID SDK enables the developer to incorporate transaction approval flows and authentications into native applications quickly and easily. Transaction approvals rely on context-related information as part of the authentication. The context-related information is implemented using the dynamic parameters feature of the PingID SDK adapter for PingFederate. The native application can use it to show the transaction information or to display different behavior during the authentication.
- CIBA authenticator
  - Out-of-band MFA using a trusted mobile device as a Client Initiated Backchannel Authentication (CIBA) authenticator.
  - The accessing device initiates the authentication request. The authentication request is sent to a trusted mobile device for authentication, without the need for an additional redirect to PingFederate. The request is received by PingID SDK on the mobile device, and PingID SDK returns a success or failure status.
  - Note: The PingID SDK CIBA authenticator supports mobile devices only.
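To make the backchannel exchange concrete, here is an added example (not code from Ping Identity or the adapter) that simulates the generic CIBA poll-mode flow from the OpenID Connect CIBA specification: the accessing device opens the request, the trusted device answers, and the client polls the token endpoint. The server class, its method names, and the in-memory request store are assumptions for illustration; only the grant type URN and error codes come from the specification.

```python
import secrets
import time

# Added example: a self-contained simulation of CIBA poll mode (OpenID Connect
# Client-Initiated Backchannel Authentication). Endpoint and method names are
# assumptions for illustration, not the PingFederate or PingID SDK API.
CIBA_GRANT = "urn:openid:params:grant-type:ciba"

class BackchannelServer:
    """Stand-in authorization server holding pending backchannel requests."""
    def __init__(self, expires_in=120):
        self.pending = {}  # auth_req_id -> request state
        self.expires_in = expires_in

    def bc_authorize(self, client_id, scope, login_hint):
        # The accessing device starts the flow; no browser redirect is involved.
        auth_req_id = secrets.token_urlsafe(24)
        self.pending[auth_req_id] = {"client": client_id, "scope": scope,
                                     "user": login_hint, "status": "pending",
                                     "created": time.time()}
        # A real server would now push the request to the user's trusted device.
        return {"auth_req_id": auth_req_id, "expires_in": self.expires_in, "interval": 5}

    def device_decision(self, auth_req_id, approved):
        # The trusted mobile device reports the user's decision back to the server.
        self.pending[auth_req_id]["status"] = "approved" if approved else "denied"

    def token(self, client_id, grant_type, auth_req_id):
        # The client polls the token endpoint; error codes follow the CIBA spec.
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.pending.get(auth_req_id)
        if req is None or req["client"] != client_id:  # auth_req_id is bound to one client
            return {"error": "invalid_grant"}
        if time.time() - req["created"] > self.expires_in:
            del self.pending[auth_req_id]
            return {"error": "expired_token"}
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.pending[auth_req_id]  # single use: a decided request cannot be replayed
        if req["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": req["scope"]}

def run_flow(server, client_id, user, approved):
    """Drive one backchannel authentication end to end and return the final response."""
    start = server.bc_authorize(client_id, "openid", user)
    first = server.token(client_id, CIBA_GRANT, start["auth_req_id"])
    assert first == {"error": "authorization_pending"}  # the device has not answered yet
    server.device_decision(start["auth_req_id"], approved)
    return server.token(client_id, CIBA_GRANT, start["auth_req_id"])
```

The checks worth keeping in any real deployment are the ones the simulation enforces: the auth_req_id is bound to the requesting client, it expires, and it is consumed once a decision is delivered.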
- PingFederate Authentication API
  - Enables integration with the PingFederate Authentication API for end-user interactions, for step-up authentication and transaction approval. Additionally, it supports mobile device initiated flows such as mobile device registration and seamless device authorization. The PingFederate Authentication API provides access to the current state of the flow as an end user steps through a PingFederate authentication policy.