The PingID SDK adapter for PingFederate contains the
pingid.sdk.status attribute in its core contract. The
pingid.sdk.status attribute is populated only if the PingID SDK adapter returns a SUCCESS status.
As an example, the admin can map the
pingid.sdk.status attribute to any access token attribute. Once the
pingid.sdk.status attribute is mapped, it is added to the access token.
pingid.sdk.status contains the following data:
The authenticating device type (SMS, voice, email, mobile etc.).
Whether the end user accessed via the web or the mobile application.
Status information which may result in reduced permission for the user.
- The user has no trusted devices. In this case, the adapter may create a registration token for the user and return a success status. The actual pairing is done afterwards within the mobile application. Since the user has not actually completed MFA yet, there may be considerations to reduce the user permissions.
- The user has a trusted device. However, in a case where this device is marked as "bypassed", MFA will be skipped and the adapter is still going to return the success status. Once again, the user has not actually passed MFA.
The status information is returned as a string in the following format:
<status> is one of the following string values:
|device_not_paired||This status may be returned in the following scenarios:
|device_authorized||This status is returned on successful authentication of a login from a trusted mobile device.|
|web_login_sms||This status is returned on successful SMS authentication from a web login.|
|web_login_voice||This status is returned on successful voice authentication from a web login.|
|web_login_email||This status is returned on successful email authentication from a web login.|
|web_login_mobile||This status is returned on successful SDK mobile app authentication from a web login.|
|mobile_login_sms||This status is returned on successful SMS authentication when the user login is from an untrusted mobile.|
|mobile_login_voice||This status is returned on successful voice authentication when the user login is from an untrusted mobile.|
|mobile_login_email||This status is returned when a user logs in to an untrusted mobile app and is authenticated using their trusted email device.|
|mobile_login_mobile||This status is returned on successful mobile authentication when the user login is from an untrusted mobile.|
|device_bypassed||A user logs in from their trusted yet bypassed mobile device.|
|device_authorized_no_response_passive_push||When the system is configured to regard no response for extra verification as success, and a user logs in but the extra verification does not arrive.|
|MFA_bypassed_during_errors||A user logs in when the system is configured to bypass authentication if there are network problems or the PingID SDK service is unreachable.|