The PingID SDK adapter for PingFederate permits the option to replace the customer server with PingFederate in several use cases, for the purpose of pairing and authenticating a user. Admins and developers should consider the supported flows, when implementing the PingID SDK adapter for PingFederate.
Supported use cases and flows
The PingID SDK adapter for PingFederate supports the following use cases:
Automatic device registration (web view)
Automatic mobile device registration when a user initiates a pairing process for a mobile device.
- This flow only supports the mobile web view. The user is authenticated as part of PingFederate authentication flow, and once the user is successfully authenticated, control is returned to the mobile app and trust with PingID SDK server is initiated. The adapter returns control to the mobile app.
- The flow supports registration of mobile devices.
Device authorization (web view)
A seamless user login to an already trusted mobile application which includes PingID mobile SDK.
- This flow only supports login to the mobile app via mobile web view, and then returns control to the mobile app.
- This flow takes the user through the PingID SDK adapter authentication. On successful seamless device authentication, the user is logged in to the app.
QR code authentication
A user scanning a QR code with a trusted mobile device. The major objective of this approach is to permit secure passwordless authentication. The customer server does not need advance knowledge of who the user is (for example, first factor authentication is not required).
- The PingFederate PingID SDK adapter displays a QR code image in the web browser.
- The user scans the QR code with their trusted mobile device, and the mobile application passes it back to the PingID SDK server. QR code based authentication also supports authentication of multiple users who use the same device.
- The PingID SDK server validates the QR code.
- If the QR code is valid, and multiple users use the mobile accessing device a list of active users of the device is presented.
- Once the user is selected from the user list, the user is approved and authentication is completed.
- If extra verification is required, a silent push is sent to verify the device. In addition, a user approval message can also be sent to the user for additional user confirmation.
Out of band / step up authentication from web
Multifactor authentication during user login to a web application.
- Signing in on a web browser initiates PingFederate first factor authentication. Since it is web based, no payload is sent to PingID SDK server.
- All of the PingID SDK authentication methods are supported: Mobile SDK, SMS, voice and email.
- After successful first factor authentication, the adapter directs the PingID SDK Server to send a push notification, SMS, voice message or email to the authenticating device.
- An application development design consideration would be to permit SMS, voice and email device registration, although not via PingFederate.
Out of band / step up authentication from mobile
Multifactor authentication during user login to a non trusted mobile device, using the user’s primary device for the approval process.
- This flow supports pairing of new mobile devices only. Mobile, SMS, voice and email devices may be used for approving the new device pairing.
- The PingID SDK server sends a push notification (if it is a mobile device, or an OTP if it is an SMS, voice or email) to the primary device for authentication. The PingID SDK adapter returns a success or failure status.
- This flow is relevant only when ADDITIONAL TRUSTED DEVICES is configured to Verify New Devices with Primary Device. In cases where ADDITIONAL TRUSTED DEVICES is configured to Pair Each Device Individually, the Automatic device registration flow is performed every time a user tries to pair an additional device.
- The PingID SDK server sends a push notification (if it is a mobile device, or an OTP if it is an SMS, voice or email) to the primary device for authentication. The PingID SDK adapter returns a success or failure status.
Transaction approval
Transaction approval (also known as step up authentication) is elevated security for a high value or high risk resource or service, within the particular context of an application, which requires authentication using a higher assurance credential than previously required for general access of the application.
- In some applications, it makes sense not to use the second factor authentication capabilities during the login process, but rather activate it during certain user actions, such as a payments or bank transfers. These actions are referred to as transaction approvals, as they elevate the user’s security context only when required by the business logic.
- PingID SDK enables the developer to incorporate transaction approval flows and authentications into native applications quickly and easily. Transaction approvals rely on context-related information as part of the authentication. The context-related information is implemented via the dynamic parameters feature of the PingID SDK adapter for PingFederate. The native app can use it to show the transaction information, or to display different behavior during the authentication.
CIBA authenticator
Out-of-band multifactor authentication using a trusted mobile device as a Client Initiated Backchannel Authentication (CIBA) authenticator.
The accessing device initiates the authentication request.
The authentication request is sent to a trusted mobile device for authentication, without the need for an additional redirect to PingFederate.
The request is received by PingID SDK on the mobile device, and PingID SDK returns a success or failure status.
Note that the PingID SDK CIBA Authenticator supports mobile devices only.
PingFederate Authentication API
Enables integration with the PingFederate Authentication API for end-user interactions, for step-up authentication and transaction approval. Additionally, it supports mobile device initiated flows such as mobile device registration and seamless device authorization. The PingFederate Authentication API provides access to the current state of the flow as an end user steps through a PingFederate authentication policy. See PingID SDK adapter for PingFederate Authentication API.