Setting up an authentication flow that includes MFA (PingFederate and PingID)

In the PingFederate administrative console, go to System → Data & Credential Stores → Password Credential Validators, and click Create New Instance.

On the Type tab, from the Type list, select Simple Username Password Credential Validator. Complete the remaining required fields, and then click Next.

On the Instance Configuration tab, click Add a New Row to 'Users'. Complete the Username, Password, and Confirm Password fields, and then click Update.

Click Next, and then on the Summary tab, click Done.

In the Password Credential Validators window, click Save.

Go to Authentication → Integration → IdP Adapters and click Create New Instance.

On the Type tab, from the Type list, select HTML Form IdP Adapter. Complete the remaining required fields, and then click Next.

On the IdP Adapter tab, from the Password Credential Validator list, select the PCV you previously created. Click Update.

Click Next until you reach the Adapter Attributes tab.

On the Adapter Attributes tab, select the Pseudonym check box for the username entry. Click Next until you reach the Summary tab.

On the Summary tab, click Done.

In the Manage IdP Adapter Instances window, click Save.

In the PingOne for Enterprise admin portal, go to Setup → PingID → Client Integration.

In the Integrate with PingFederate and Other Clients section, click Download.

In the PingFederate administrative console, go to Authentication → Integration → IdP Adapters and click Create New Instance.

On the Type tab, from the Type list, select PingID Adapter 2.6. Complete the remaining required fields, and then click Next.

On the IdP Adapter tab, click Choose File. Select the pingid.properties file, and then click Next.

Click Next until you reach the Adapter Attributes tab.

On the Adapter Attributes tab, select the Pseudonym check box for the subject entry. Click Next.

Click Next until you reach the Summary tab, and then click Done.

In the Manage IdP Adapter Instances window, click Save.

Go to Authentication → Policies → Policy Contracts and click Create New Contract.

On the Contract Info tab, in the Contract Name field, enter a name.

Click Next until you reach the Summary tab, and then click Done.

In the Authentication Policy Contracts window, click Save.

Go to Applications → Integration → SP Connections and click Create Connection.

Click Next until you reach the Connection Type tab.

On the Connection Type tab, select the Browser SSO Profiles check box. Click Next until you reach the General Info tab.

On the General Info tab, in the Partner’s Entity ID field, enter a dummy entity ID. In the Connection Name field, enter a name, and then click Next.

On the Browser SSO tab, click Configure Browser SSO.

On the SAML Profiles tab, select the IdP-Initiated SSO check box only. Click Next until you reach the Assertion Creation tab.

On the Assertion Creation tab, click Configure Assertion Creation. Click Next until you reach the Authentication Source Mapping tab.

On the Authentication Source Mapping tab, click Map New Authentication Policy.

On the Authentication Policy Contract tab, from the Authentication Policy Contract list, select your policy contract. Click Next until you reach the Attribute Contract Fulfillment tab.

On the Attribute Contract Fulfillment tab, from the Source list for the SAML_SUBJECT entry, select Authentication Policy Contract. From the Value list, select subject.

Click Next and Done until you reach the Protocol Settings tab. Click Configure Protocol Settings.

On the Assertion Consumer Service URL tab, enter a number in the Index field. From the Binding list, select POST. In the Endpoint URL field, enter a dummy URL, then click Add.

Click Next and Done until you reach the Credentials tab. Click Configure Credentials.

On the Digital Signature Settings tab, from the Signing Certificate list, select a signing certificate.

Click Next and Done until you reach the Activation & Summary tab. Click Save.

In the SP Connections window, click Save.

Go to Authentication → Policies → Selectors and click Create New Instance.

On the Type tab, from the Type list, select Connection Set Authentication Selector. Complete the remaining required fields, and then click Next.

On the Authentication Selector tab, click Add a New Row to 'Connections'. From the Connection list, select your SP connection. Click Update and then Next.

On the Summary tab, click Done. In the Manage Authentication Selector Instances window, click Save.

Go to Authentication → Policies → Policies and click Add Policy.

In the Name field, enter a name for the policy.

In the Policy list, from the list, select Selectors.

From the ID column, select the selector from step 7.

Beneath the No list, click Continue.

From the Yes list, select the HTML adapter from step 2.

Beneath the Fail list, click Done.

From the Success list, select the PingID Adapter from step 4.

Beneath your PingID Adapter instance, click Options.

In the Incoming User ID window, from the Source list, select the HTML adapter from step 2. From the Attribute list, select username.

Beneath the Fail list, click Done.

From the Success list, select the policy contract from step 5.

Click Contract Mapping.

On the Contract Fulfillment tab, from the Source list, select your HTML adapter. From the Value list, select username.

Click Next until you reach the Summary tab, and then click Done.

Click Done and then in the Authentication Policies window, click Save.

In PingFederate, go to Applications → Integration → SP Connections, and click your SP connection.

On the Activation & Summary tab, verify that the green toggle switch is selected. Click the SSO Application Endpoint link.

Sign on as a user with the credentials created in step 1c.

Result: