---
title: Setting up an authentication flow that includes MFA (PingFederate and PingID)
description: This configuration creates a service provider (SP) connection with a multi-factor authentication (MFA) flow using PingFederate and PingID.
component: solution-guides
page_id: solution-guides:workforce_use_cases:htg_set_up_authn_flow_mfa_pf_pid
canonical_url: https://docs.pingidentity.com/solution-guides/workforce_use_cases/htg_set_up_authn_flow_mfa_pf_pid.html
revdate: April 14, 2025
page_aliases: ["workforce_use_cases:htg_set_up_authn_flow_mfa_pf_pid_pcv_pf.adoc", "workforce_use_cases:htg_set_up_authn_flow_mfa_pf_pid_html_adapter_pcv.adoc", "workforce_use_cases:htg_set_up_authn_flow_mfa_pf_pid_download_props.adoc", "workforce_use_cases:htg_set_up_authn_flow_mfa_pf_pid_adapter.adoc", "workforce_use_cases:htg_set_up_authn_flow_mfa_pf_pid_authn_policy_contract.adoc", "workforce_use_cases:htg_set_up_authn_flow_mfa_pf_pid_sp_connection.adoc", "workforce_use_cases:htg_set_up_authn_flow_mfa_pf_pid_authn_selector.adoc", "workforce_use_cases:htg_set_up_authn_pid_pf_create_policy.adoc", "workforce_use_cases:htg_set_up_authn_flow_mfa_pf_pid_testing.adoc"]
section_ids:
  components: Components
  creating-a-password-credential-validator-in-pingfederate: Creating a password credential validator in PingFederate
  steps: Steps
  creating-an-html-adapter-that-uses-the-pcv: Creating an HTML adapter that uses the PCV
  steps-2: Steps
  downloading-the-pingid-properties-file-in-pingone-for-enterprise: Downloading the pingid.properties file in PingOne for Enterprise
  steps-3: Steps
  creating-a-pingid-adapter-in-pingfederate: Creating a PingID adapter in PingFederate
  steps-4: Steps
  creating-an-authentication-policy-contract: Creating an authentication policy contract
  steps-5: Steps
  creating-an-sp-connection: Creating an SP connection
  steps-6: Steps
  creating-an-authentication-selector: Creating an authentication selector
  steps-7: Steps
  creating-an-authentication-policy: Creating an authentication policy
  steps-8: Steps
  testing-your-connection: Testing your connection
  steps-9: Steps
  result: Result:
---

# Setting up an authentication flow that includes MFA (PingFederate and PingID)

This configuration creates a service provider (SP) connection with a multi-factor authentication (MFA) flow using PingFederate and PingID.

## Components

* PingFederate 10.1

* PingID

## Creating a password credential validator in PingFederate

### Steps

1. In the PingFederate administrative console, go to **System > Data & Credential Stores > Password Credential Validators**, and click **Create New Instance**.

2. On the **Type** tab, in the **Type** list, select **Simple Username Password Credential Validator**. Complete the remaining required fields, and then click **Next**.

3. On the **Instance Configuration** tab, click **Add a New Row to 'Users'**. Complete the **Username**, **Password**, and **Confirm Password** fields, and then click **Update**.

4. Click **Next**, and then on the **Summary** tab, click **Done**.

5. In the **Password Credential Validators** window, click **Save**.

## Creating an HTML adapter that uses the PCV

### Steps

1. Go to **Authentication > Integration > IdP Adapters** and click **Create New Instance**.

2. On the **Type** tab, in the **Type** list, select **HTML Form IdP Adapter**. Complete the remaining required fields, and then click **Next**.

3. On the **IdP Adapter** tab, in the **Password Credential Validator** list, select the PCV you previously created. Click **Update**.

4. Click **Next** until you reach the **Adapter Attributes** tab.

5. On the **Adapter Attributes** tab, select the **Pseudonym** checkbox for the `username` entry. Click **Next** until you reach the **Summary** tab.

6. On the **Summary** tab, click **Done**.

7. In the **Manage IdP Adapter Instances** window, click **Save**.

## Downloading the pingid.properties file in PingOne for Enterprise

### Steps

1. In the PingOne for Enterprise admin portal, go to **Setup > PingID > Client Integration**.

2. In the **Integrate with PingFederate and Other Clients** section, click **Download**.

## Creating a PingID adapter in PingFederate

### Steps

1. In the PingFederate administrative console, go to **Authentication > Integration > IdP Adapters** and click **Create New Instance**.

2. On the **Type** tab, in the **Type** list, select **PingID Adapter 2.6**. Complete the remaining required fields, and then click **Next**.

3. On the **IdP Adapter** tab, click **Choose File**. Select the `pingid.properties` file, and then click **Next**.

4. Click **Next** until you reach the **Adapter Attributes** tab.

5. On the **Adapter Attributes** tab, select the **Pseudonym** checkbox for the `subject` entry. Click **Next**.

6. Click **Next** until you reach the **Summary** tab, and then click **Done**.

7. In the **Manage IdP Adapter Instances** window, click **Save**.

## Creating an authentication policy contract

### Steps

1. Go to **Authentication > Policies > Policy Contracts** and click **Create New Contract**.

2. On the **Contract Info** tab, in the **Contract Name** field, enter a name.

3. Click **Next** until you reach the **Summary** tab, and then click **Done**.

4. In the **Authentication Policy Contracts** window, click **Save**.

## Creating an SP connection

### Steps

1. Go to **Applications > Integration > SP Connections** and click **Create Connection**.

2. Click **Next** until you reach the **Connection Type** tab.

3. On the **Connection Type** tab, select the **Browser SSO Profiles** checkbox. Click **Next** until you reach the **General Info** tab.

4. On the **General Info** tab, in the **Partner's Entity ID** field, enter a dummy entity ID. In the **Connection Name** field, enter a name, and then click **Next**.

5. On the **Browser SSO** tab, click **Configure Browser SSO**.

6. On the **SAML Profiles** tab, select the **IdP-Initiated SSO** checkbox only. Click **Next** until you reach the **Assertion Creation** tab.

7. On the **Assertion Creation** tab, click **Configure Assertion Creation**. Click **Next** until you reach the **Authentication Source Mapping** tab.

8. On the **Authentication Source Mapping** tab, click **Map New Authentication Policy**.

9. On the **Authentication Policy Contract** tab, in the **Authentication Policy Contract** list, select your policy contract. Click **Next** until you reach the **Attribute Contract Fulfillment** tab.

10. On the **Attribute Contract Fulfillment** tab, in the **Source** list for the `SAML_SUBJECT` entry, select **Authentication Policy Contract**. From the **Value** list, select **subject**.

11. Click **Next** and **Done** until you reach the **Protocol Settings** tab. Click **Configure Protocol Settings**.

12. On the **Assertion Consumer Service URL** tab, enter a number in the **Index** field. From the **Binding** list, select **POST**. In the **Endpoint URL** field, enter a dummy URL, then click **Add**.

13. Click **Next** and **Done** until you reach the **Credentials** tab. Click **Configure Credentials**.

14. On the **Digital Signature Settings** tab, from the **Signing Certificate** list, select a signing certificate.

15. Click **Next** and **Done** until you reach the **Activation & Summary** tab. Click **Save**.

16. In the **SP Connections** window, click **Save**.

## Creating an authentication selector

### Steps

1. Go to **Authentication > Policies > Selectors** and click **Create New Instance**.

2. On the **Type** tab, in the **Type** list, select **Connection Set Authentication Selector**. Complete the remaining required fields, and then click **Next**.

3. On the **Authentication Selector** tab, click **Add a New Row to 'Connections'**. From the **Connection** list, select your SP connection. Click **Update** and then **Next**.

4. On the **Summary** tab, click **Done**. In the **Manage Authentication Selector Instances** window, click **Save**.

## Creating an authentication policy

### Steps

1. Go to **Authentication > Policies > Policies** and click **Add Policy**.

2. In the **Name** field, enter a name for the policy.

3. In the **Policy** list, select **Selectors**.

4. In the **ID** column, select the selector from step 7 (Creating an authentication selector).

5. Beneath the **No** list, click **Continue**.

6. In the **Yes** list, select the HTML adapter from step 2 (Creating an HTML adapter that uses the PCV).

7. Beneath the **Fail** list, click **Done**.

8. From the **Success** list, select the PingID Adapter from step 4 (Creating a PingID adapter in PingFederate).

9. Beneath your PingID Adapter instance, click **Options**.

10. In the **Incoming User ID** window, from the **Source** list, select the HTML adapter from step 2 (Creating an HTML adapter that uses the PCV). From the **Attribute** list, select **username**.

11. Beneath the **Fail** list, click **Done**.

12. From the **Success** list, select the policy contract from step 5 (Creating an authentication policy contract).

    ![A screen capture of the Policy section with a completed configuration as described in the preceding steps.](_images/etw1603144361293.png)

13. Click **Contract Mapping**.

14. On the **Contract Fulfillment** tab, from the **Source** list, select your HTML adapter. From the **Value** list, select **username**.

15. Click **Next** until you reach the **Summary** tab, and then click **Done**.

16. Click **Done** and then in the **Authentication Policies** window, click **Save**.
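The policy tree built in the preceding steps enforces MFA only if every path to the policy contract runs through the **Success** branch of both adapters, with the PingID user ID and the contract subject taken from an adapter that already succeeded. The following added example (not part of the original guide and not Ping Identity code) audits a simplified, constructed model of that tree; the node layout and the names `ConnSetSelector`, `HtmlForm`, `PingID`, and `MfaContract` are assumptions, not PingFederate's export or API schema.

```python
# Constructed, simplified model of the policy tree from the steps above.
# NOT PingFederate's export or admin API schema; all names are hypothetical.
def leaf(kind, **kw):
    return {"type": kind, **kw}

def adapter(name, success, fail=None, user_from=None):
    return {"type": "ADAPTER", "id": name, "user_from": user_from,
            "branches": {"Success": success, "Fail": fail or leaf("DONE")}}

# Selector -> No: Continue; Yes: HTML form -> Success: PingID -> Success: contract.
PAGE_POLICY = {
    "type": "SELECTOR", "id": "ConnSetSelector",
    "branches": {
        "No": leaf("CONTINUE"),
        "Yes": adapter("HtmlForm",
            success=adapter("PingID", user_from="HtmlForm",
                success=leaf("CONTRACT", id="MfaContract", subject_from="HtmlForm"))),
    },
}

# Constructed misconfiguration: first factor's Success maps straight to the contract.
BYPASS = {"type": "SELECTOR", "id": "ConnSetSelector", "branches": {
    "No": leaf("CONTINUE"),
    "Yes": adapter("HtmlForm",
        success=leaf("CONTRACT", id="MfaContract", subject_from="HtmlForm"))}}

REQUIRED = ("HtmlForm", "PingID")

def audit(node, required, passed=(), path="root"):
    """Return findings for every way the tree can issue a contract without MFA."""
    findings = []
    kind = node["type"]
    if kind == "CONTRACT":
        missing = [a for a in required if a not in passed]
        if missing:
            findings.append(f"{path}: contract reached without {missing}")
        if node.get("subject_from") not in passed:
            findings.append(f"{path}: subject not from a succeeded adapter")
        return findings
    if kind == "ADAPTER" and node.get("user_from") not in (None, *passed):
        findings.append(f"{path}: {node['id']} user ID not from a succeeded adapter")
    for label, child in node.get("branches", {}).items():
        # Only a Success branch proves the adapter authenticated the user.
        ok = kind == "ADAPTER" and label == "Success"
        nxt = passed + (node["id"],) if ok else passed
        findings += audit(child, required, nxt, f"{path}/{node['id']}:{label}")
    return findings

if __name__ == "__main__":
    print(audit(PAGE_POLICY, REQUIRED))
    print(audit(BYPASS, REQUIRED))
```
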

## Testing your connection

### Steps

1. In PingFederate, go to **Applications > Integration > SP Connections**, and click your SP connection.

2. On the **Activation & Summary** tab, verify that the green toggle switch is selected. Click the **SSO Application Endpoint** link.

3. Sign on as a user with the credentials created in step 1c (the username and password you added in Creating a password credential validator in PingFederate).

   #### Result:

   When a user signs on for the first time, they are prompted to install PingID and register their device. If the user is registered, they are prompted to authenticate using PingID.
