Administrators and developers should consider the supported flows when implementing the PingID SDK adapter for PingFederate.

Diagram illustrating the automatic pairing flow between the PingID SDK server, PingFederate, a customer mobile application, PingID SDK component, and the user agent.

Supported use cases and flows

The PingID SDK adapter for PingFederate supports the following use cases:

Automatic device registration (web view)
Automatic mobile device registration when a user initiates a pairing process for a mobile device.
  • This flow only supports the mobile web view. The user is authenticated as part of the PingFederate authentication flow, and after the user is successfully authenticated, control is returned to the mobile application and trust with the PingID SDK server is initiated. The adapter returns control to the mobile application.
  • This flow supports registration of mobile devices.
Device authorization (web view)
A seamless user sign-on to an already trusted mobile application, which includes PingID mobile SDK.
  • This flow only supports sign-on to the mobile application using mobile web view and then returns control to the mobile application.
  • This flow takes the user through the PingID SDK adapter authentication. On successful seamless device authentication, the user is signed on to the application.
QR code authentication
A user scanning a QR code with a trusted mobile device. The major objective of this approach is to permit secure passwordless authentication. The customer server does not need advance knowledge of who the user is. For example, first-factor authentication is not required.
  • The PingFederate PingID SDK adapter displays a QR code image in the web browser.
  • The user scans the QR code with their trusted mobile device, and the mobile application passes it back to the PingID SDK server. QR code-based authentication also supports authentication of multiple users who use the same device.
  • The PingID SDK server validates the QR code.
  • If the QR code is valid, the user is approved and authentication is completed.
  • If extra verification is required, a silent push is sent to verify the device. In addition, a user approval message can also be sent to the user for additional user confirmation.
Out-of-band / step up authentication from web
during user sign-on to a web application.
  • Signing on through a web browser initiates PingFederate first-factor authentication. Since it is web based, no payload is sent to the PingID SDK server.
  • All of the PingID SDK authentication methods are supported: mobile SDK, SMS, voice, and email.
  • After successful first factor authentication, the adapter directs the PingID SDK server to send a push notification, SMS, voice message, or email to the authenticating device.
  • An application development design consideration would be to permit SMS, voice, and email device registration although not using PingFederate.
Out-of -and / step up authentication from mobile
MFA during user sign-on to a non-trusted mobile device, using the user's primary device for the approval process.
  • This flow supports pairing of new mobile devices only. Mobile, SMS, voice, and email devices can be used for approving the new device pairing.
  • The PingID SDK server sends an authentication request to the primary device, either as a push notification for a mobile device or a for SMS, voice, or email. The PingID SDK adapter returns a success or failure status.
  • This flow is relevant only when Additional Trusted Devices is configured to Verify New Devices with Primary Device. In cases where Additional Trusted Devices is configured to Pair Each Device Individually, the Automatic device registration flow is performed every time a user tries to pair an additional device.
Transaction approval
Transaction approval, also known as step-up authentication, is elevated security for a high-value or high-risk resource or service, within the particular context of an application. This requires authentication using a higher assurance credential than previously required for general access of the application.

In some applications, do not use the second-factor authentication capabilities during the sign-on process. Instead, activate it during certain user actions, such as a payments or bank transfers. These actions are called transaction approvals because they elevate the user’s security context only when required by the business logic.

PingID SDK enables the developer to incorporate transaction approval flows and authentications into native applications quickly and easily. Transaction approvals rely on context-related information as part of the authentication. The context-related information is implemented using the dynamic parameters feature of the PingID SDK adapter for PingFederate. The native application can use it to show the transaction information or to display different behavior during the authentication.

CIBA authenticator

Out-of-band MFA using a trusted mobile device as a authenticator.

The accessing device initiates the authentication request. The authentication request is sent to a trusted mobile device for authentication, without the need for an additional redirect to PingFederate. The request is received by PingID SDK on the mobile device, and PingID SDK returns a success or failure status.

Note:

The PingID SDK CIBA authenticator supports mobile devices only.

PingFederate Authentication API

Enables integration with the PingFederate Authentication API for end-user interactions, for step-up authentication and transaction approval. Additionally, it supports mobile device initiated flows such as mobile device registration and seamless device authorization. The PingFederate Authentication API provides access to the current state of the flow as an end user steps through a PingFederate authentication policy.