PingID offline multi-factor authentication (MFA) supports storage of user authentication device details according to different user directory deployments.
User directory
PingID offline MFA can access device information stored in the directory's user object, or in a directory object separate from the user object; that separate object can reside in the same directory as the user object or in a different directory.
The PingID offline MFA feature is designed to work with directories from several vendors, including Active Directory, Oracle Directory, and Ping Directory.
Directory setup scripts are provided for Active Directory as part of the PingID Integration Kit 2.0 and later. You must configure other directories manually.
For more information on directory configuration, see Installing the PingID Integration Kit for PingFederate.
Scripts provided in the PingID Integration Kit 2.0 or later add the following attributes to the directory:
- pf-pingid-state: holds the authentication state of the user during offline MFA.
- pf-pingid-local-fallback: holds the user's authentication devices list information.
Priority of parameter settings during the flow of PingID offline MFA
- If the Authentication During Errors parameter is set to Bypass or Block, the user's state attribute is ignored during offline authentication. All users will either bypass PingID offline MFA or be blocked from authenticating, according to the Authentication During Errors setting.
- If the Authentication During Errors parameter is set to Passive or Enforce, PingFederate checks the user's state attribute:
  - The user's state attribute is empty: if the user has a paired mobile device, the flow proceeds to offline MFA.
  - The user's state attribute is set to Bypass: the user will bypass PingID offline MFA.
  - The user's state attribute is set to Block: the user is blocked from authenticating.
  - The user's
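The priority order above, as an added example that is not Ping Identity's code: a small evaluator that applies the Authentication During Errors setting before the user's pf-pingid-state attribute, plus an audit pass over constructed directory entries to list users who would skip offline MFA. The dictionary entry shape and the use of a non-empty pf-pingid-local-fallback as the "paired device" signal are assumptions.

```python
"""Added example (not Ping Identity's code). Models the documented priority of
the Authentication During Errors setting over pf-pingid-state, then audits
constructed entries for users who would skip offline MFA."""

ERRORS_SETTINGS = {"Bypass", "Block", "Passive", "Enforce"}


def offline_mfa_outcome(auth_during_errors, state, paired_device):
    """Return 'bypass', 'block' or 'offline_mfa' per the documented priority.

    state is the pf-pingid-state value ('' when the attribute is empty).
    Combinations the page does not describe raise ValueError instead of guessing.
    """
    if auth_during_errors not in ERRORS_SETTINGS:
        raise ValueError(f"unknown Authentication During Errors value: {auth_during_errors!r}")
    # Bypass/Block apply to every user; the state attribute is ignored.
    if auth_during_errors in ("Bypass", "Block"):
        return auth_during_errors.lower()
    # Passive/Enforce: the user's state attribute decides.
    state = (state or "").strip()
    if state == "Bypass":
        return "bypass"
    if state == "Block":
        return "block"
    if state == "" and paired_device:
        return "offline_mfa"
    raise ValueError(f"outcome not documented for state={state!r}, paired_device={paired_device}")


def users_skipping_mfa(entries, auth_during_errors):
    """Account names that would bypass offline MFA under the given setting.

    Useful for spotting a stale or unexpectedly set pf-pingid-state attribute.
    Assumption: a non-empty pf-pingid-local-fallback means a device is paired.
    """
    skipped = []
    for entry in entries:
        try:
            outcome = offline_mfa_outcome(auth_during_errors, entry.get("pf-pingid-state", ""),
                                          bool(entry.get("pf-pingid-local-fallback")))
        except ValueError:
            continue  # undocumented combination: not counted as a bypass
        if outcome == "bypass":
            skipped.append(entry["sAMAccountName"])
    return skipped


# Constructed sample entries, not real directory data.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "pf-pingid-state": "", "pf-pingid-local-fallback": "<device list>"},
    {"sAMAccountName": "bob", "pf-pingid-state": "Bypass", "pf-pingid-local-fallback": ""},
    {"sAMAccountName": "carol", "pf-pingid-state": "Block", "pf-pingid-local-fallback": "<device list>"},
]
```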