This step type performs multi-factor authentication (MFA) in PingOne. The step returns a SUCCEEDED result.

Step properties used with flow definitions

| Configuration schema property | Description |
|---|---|
| deviceAuthenticationPolicy.id | A string that specifies the device authentication policies to use during authentication. This is a required property. |
| deviceSelection | A string that specifies the device selection mode. Options are DEFAULT_TO_FIRST and PROMPT_TO_SELECT. The default value is DEFAULT_TO_FIRST. This is a required property. |
| template.name | A string that specifies the name of the notification template used for user notifications. Options are STRONG_AUTHENTICATION and TRANSACTION. This is a required property. |
| template.variant | A string that specifies the notification template variant. |
| useDefaultPolicy | A boolean that, when set to true, specifies that the default device authentication policy for the environment is used during MFA evaluation. |

| Input property | Description |
|---|---|
| user.id | A string that specifies the user ID. This is a required property. |
| template.locale | A string that specifies the notification template locale. This is a required property. |
| template.variables | An object that specifies the notification template variables. |
| webauthn.compatibility | A string that specifies the WebAuthn compatibility. |
| mobile.clientContext | An object that specifies the mobile client context. |
| mobile.payload | A string that specifies the mobile payload. The default value is ${flow.inputs.parameters.mobilePayload}. |
| application.id | A string that specifies the application ID. The default value is ${flow.inputs.parameters.applicationId}. |
| session.id | A string that specifies the session ID. The default value is ${flow.inputs.parameters.sessionId}. |
| userAgent | A string that specifies the user agent of the browser that triggered the flow. The default value is ${flow.inputs.headers.user-agent}. |

The following properties are returned for the SUCCEEDED result.

| Output property | Description |
|---|---|
| device.id | A string that specifies the device ID. |
| device.nickname | A string that specifies the device nickname. |
| device.type | A string that specifies the device type. Options are MOBILE, EMAIL, SMS, VOICE, TOTP, PLATFORM, and SECURITY_KEY. |
| amr | An array that specifies the authentication methods. |

Step properties used with flow executions

Properties for the DEVICE_SELECTION_REQUIRED flow state

| Flow state | Description |
|---|---|
| DEVICE_SELECTION_REQUIRED | A flow status that prompts the user to select an available device to use for authentication. |

| Flow state response schema property | Description |
|---|---|
| deviceAuthentication | An object that specifies the device authentication parameters. |

Properties for the OTP_REQUIRED flow state

| Flow state | Description |
|---|---|
| OTP_REQUIRED | A flow status that requires the user to complete a multi-factor authentication action using a one-time passcode. |

| Flow state response schema property | Description |
|---|---|
| devices | An object that specifies the user's available devices that can be used to complete the multi-factor authentication action. |
| deviceAuthentication.authSession.type | A string that specifies the type of authentication session. |
| deviceAuthentication.authSession.id | A string that specifies the authentication session ID. |
| deviceAuthentication.selectedDevice.id | A string that specifies the ID of the device used for authentication. |
| deviceAuthentication.user.id | A string that specifies the user ID of the authenticating user. |

Properties for the ASSERTION_REQUIRED flow state

| Flow state | Description |
|---|---|
| ASSERTION_REQUIRED | A flow status that prompts the user to activate the WebAuthn device to finalize the authentication process. |

| Flow state response schema property | Description |
|---|---|
| devices | An object that specifies the available devices that can be used for activation. |
| deviceAuthentication.authSession.type | A string that specifies the type of authentication session. |
| deviceAuthentication.authSession.id | A string that specifies the authentication session ID. |
| deviceAuthentication.selectedDevice.id | A string that specifies the ID of the device used for authentication. |
| deviceAuthentication.user.id | A string that specifies the user ID of the authenticating user. |

Properties for the PUSH_CONFIRMATION_REQUIRED flow state

| Flow state | Description |
|---|---|
| PUSH_CONFIRMATION_REQUIRED | A flow status that results when a push was sent to a native device to confirm the authentication. |

| Flow state response schema property | Description |
|---|---|
| devices | An object that specifies the available devices that can be used for activation. |
| deviceAuthentication.authSession.type | A string that specifies the type of authentication session. |
| deviceAuthentication.authSession.id | A string that specifies the authentication session ID. |
| deviceAuthentication.selectedDevice.id | A string that specifies the ID of the device used for authentication. |
| deviceAuthentication.user.id | A string that specifies the user ID of the authenticating user. |

Properties for the PUSH_CONFIRMATION_TIMED_OUT flow state

| Flow state | Description |
|---|---|
| PUSH_CONFIRMATION_TIMED_OUT | A flow status that specifies that a push was sent to a native device, but the native device did not answer the push during the allowed timeframe. |

| Flow state response schema property | Description |
|---|---|
| devices | An object that specifies the available devices that can be used for activation. |
| deviceAuthentication.authSession.type | A string that specifies the type of authentication session. |
| deviceAuthentication.authSession.id | A string that specifies the authentication session ID. |
| deviceAuthentication.selectedDevice.id | A string that specifies the ID of the device used for authentication. |
| deviceAuthentication.user.id | A string that specifies the user ID of the authenticating user. |

Flow execution actions

Device device.select action

| Links | Description |
|---|---|
| device.select | The link to initiate an action to specify an MFA device to associate with the user. The action must provide a value for the type property and specify application/vnd.pingidentity.device.select+json as the custom content type in the request. |

| Parameters | Description |
|---|---|
| device.id | A string that specifies the ID of the selected device. This is a required property. |
| compatibility | A string that specifies the browser WebAuthn compatibility. Options are FULL, SECURITY_KEY_ONLY, and NONE. |

Device otp.check action

| Links | Description |
|---|---|
| otp.check | The link to initiate an action to validate the one-time passcode received by the selected device. The action must specify application/vnd.pingidentity.otp.check+json as the custom content type in the request. |

| Parameters | Description |
|---|---|
| otp | A string that specifies the one-time passcode. This is a required property. |

Device assertion.check action

| Links | Description |
|---|---|
| assertion.check | The link to initiate an action to validate the assertion received by the selected FIDO2 device. The action must specify application/vnd.pingidentity.assertion.check+json as the custom content type in the request. |

| Parameters | Description |
|---|---|
| assertion | A string that specifies the WebAuthn Assertion response. This is a required property. |
| compatibility | A string that specifies the browser WebAuthn compatibility. Options are FULL, SECURITY_KEY_ONLY, and NONE. |
| origin | A string that specifies the full URL of the calling service. This is a required property. |
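
The three flow execution actions above, as an added example that is not part of the PingOne documentation: it builds (without sending) the request for an action from a flow state response, enforcing the required parameters and the custom content type listed in the tables, and refusing an action whose link the current state does not offer. The `_links`/`href` and `status` response shape, the POST method, the nesting of dotted names such as device.id into JSON objects, and the sample URL are assumptions.

```python
import json
from urllib.parse import urlsplit

# action -> (required parameters, optional parameters), as listed on this page.
ACTIONS = {
    "device.select": ({"device.id"}, {"compatibility"}),
    "otp.check": ({"otp"}, set()),
    "assertion.check": ({"assertion", "origin"}, {"compatibility"}),
}
COMPATIBILITY = {"FULL", "SECURITY_KEY_ONLY", "NONE"}


def nest(params):
    """Assumption: a dotted name such as device.id is the JSON path device -> id."""
    body = {}
    for name, value in params.items():
        node = body
        *parents, leaf = name.split(".")
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = value
    return body


def build_action(flow_response, action, params):
    """Return the HTTP request (as a dict) for one flow execution action; nothing is sent."""
    required, optional = ACTIONS[action]
    link = flow_response.get("_links", {}).get(action)  # assumption: HAL-style _links
    if link is None:
        raise ValueError(f"{action} is not offered in state {flow_response.get('status')}")
    missing, unknown = required - set(params), set(params) - required - optional
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    if params.get("compatibility", "FULL") not in COMPATIBILITY:
        raise ValueError("compatibility must be FULL, SECURITY_KEY_ONLY or NONE")
    if "origin" in params and not all(urlsplit(params["origin"])[:2]):
        raise ValueError("origin must be a full URL (scheme and host)")
    return {
        "method": "POST",  # assumption: actions are POSTed to the link
        "url": link["href"],
        "headers": {"Content-Type": f"application/vnd.pingidentity.{action}+json"},
        "body": json.dumps(nest(params), sort_keys=True),
    }


# Constructed sample response for the OTP_REQUIRED state (URL and IDs are placeholders).
SAMPLE_OTP_REQUIRED = {"status": "OTP_REQUIRED", "_links": {
    "otp.check": {"href": "https://auth.example.com/ENV_ID/flows/FLOW_ID"}}}
```

Calling `build_action(SAMPLE_OTP_REQUIRED, "otp.check", {"otp": "123456"})` returns the request dict to hand to an HTTP client.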