PingFederate access token - pingid.sdk.status attribute


The PingID SDK adapter for PingFederate contains the pingid.sdk.status attribute in its core contract. The pingid.sdk.status attribute is populated only if the PingID SDK adapter returns a SUCCESS status.

As an example, the admin can map the pingid.sdk.status attribute to any access token attribute. Once the pingid.sdk.status attribute is mapped, it is added to the access token.

pingid.sdk.status contains the following data:

  • The authenticating device type (SMS, email, mobile, etc.).

  • Whether the end user accessed via the web or the mobile application.

  • Status information which may result in reduced permission for the user.

    Examples:

    • The user has no trusted devices. In this case, the adapter may create a registration token for the user and return a success status. The actual pairing is done afterwards within the mobile application. Since the user has not actually completed MFA yet, you may want to reduce the user's permissions.
    • The user has a trusted device, but the device is marked as "bypassed". MFA is skipped and the adapter still returns the success status. Once again, the user has not actually passed MFA.

pingid.sdk.status values

The status information is returned as a string in the following format:

com.pingidentity.pingidsdk.<status>

Where <status> is one of the following string values:

Pairing statuses:

<status> Description
device_not_paired This status may be returned in the following scenarios:
  • On a user’s first login, and before pairing is completed.
  • When the system is configured to pair each device individually and a user logs in from a new unpaired device.
  • When the system is configured to pair each device individually, and a user who has already reached the maximum allowed paired devices attempts to authenticate using a new device. The user is able to log in, without the option to pair afterwards.
  • When a user logs in and the system is configured for manual pairing, and also to bypass untrusted users for manual pairing.
device_ignored
  • A user logs in from an ignored device.
web_login_no_devices
  • A user without any trusted devices logs in from the web and the system is configured to bypass authentication for users without a trusted device.
pairing_error
  • A user who is not active (does not have any trusted devices) attempts to log in, and registration token creation fails. Regardless of the reason for the registration token creation failure, the user is authenticated successfully but cannot complete the pairing process.
  • When the system is configured to pair each device individually, and an active user (who has at least one trusted device) tries to pair another device, but the registration token process fails. Regardless of the reason for the registration token process failure, the user logs in but cannot complete the pairing process.

Authentication statuses:

<status> Description
device_authorized This status is returned on successful authentication of a login from a trusted mobile device.
web_login_sms This status is returned on successful SMS authentication from a web login.
web_login_email This status is returned on successful email authentication from a web login.
web_login_mobile This status is returned on successful SDK mobile app authentication from a web login.
mobile_login_sms This status is returned on successful SMS authentication when the user login is from an untrusted mobile.
mobile_login_email This status is returned when a user logs in to an untrusted mobile app and is authenticated using their trusted email device.
mobile_login_mobile This status is returned on successful mobile authentication when the user login is from an untrusted mobile.
device_bypassed This status is returned when a user logs in from their trusted yet bypassed mobile device.
device_authorized_no_response_passive_push This status is returned when the system is configured to regard no response for extra verification as success, and a user logs in but the extra verification does not arrive.
MFA_bypassed_during_errors This status is returned when a user logs in and the system is configured to bypass authentication if there are network problems or the PingID SDK service is unreachable.
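
A resource server that receives this attribute in the access token can use it to withhold sensitive scopes when the status does not show a completed authentication. The following is an added example, not code from PingFederate or the PingID SDK. It assumes the attribute is mapped under the claim name pingid.sdk.status, that scope is a space-delimited string, and that the token was already validated; the function names and sample claims are hypothetical.

```python
# Added example: gate sensitive scopes on the pingid.sdk.status token attribute.
PREFIX = "com.pingidentity.pingidsdk."

# Statuses the page describes as a successful authentication.
MFA_COMPLETED = frozenset({
    "device_authorized", "web_login_sms", "web_login_email", "web_login_mobile",
    "mobile_login_sms", "mobile_login_email", "mobile_login_mobile",
})
# Documented statuses where the adapter returns SUCCESS but the page does not
# describe a completed authentication (pairing pending, bypass, ignored device).
MFA_NOT_COMPLETED = frozenset({
    "device_not_paired", "device_ignored", "web_login_no_devices",
    "pairing_error", "device_bypassed",
    "device_authorized_no_response_passive_push", "MFA_bypassed_during_errors",
})

def classify_status(claims, claim_name="pingid.sdk.status"):
    """Return 'mfa_completed', 'mfa_not_completed' or 'unknown'."""
    raw = claims.get(claim_name)
    if not isinstance(raw, str) or not raw.startswith(PREFIX):
        return "unknown"          # attribute missing, unmapped or malformed
    status = raw[len(PREFIX):]    # exact, case-sensitive match on <status>
    if status in MFA_COMPLETED:
        return "mfa_completed"
    if status in MFA_NOT_COMPLETED:
        return "mfa_not_completed"
    return "unknown"              # value not listed on this page

def effective_scopes(claims, sensitive_scopes):
    """Drop sensitive scopes unless the status shows completed MFA (fail closed)."""
    granted = set(claims.get("scope", "").split())
    if classify_status(claims) == "mfa_completed":
        return granted
    return granted - set(sensitive_scopes)

# Constructed sample claims (assumed already signature-validated).
SAMPLE_FULL = {"sub": "alice", "scope": "read transfer",
               "pingid.sdk.status": "com.pingidentity.pingidsdk.web_login_mobile"}
SAMPLE_BYPASS = {"sub": "bob", "scope": "read transfer",
                 "pingid.sdk.status": "com.pingidentity.pingidsdk.device_bypassed"}

if __name__ == "__main__":
    for c in (SAMPLE_FULL, SAMPLE_BYPASS):
        print(c["sub"], classify_status(c), sorted(effective_scopes(c, {"transfer"})))
```

Treating a missing or unrecognized value the same as a bypass keeps the check fail-closed if the attribute mapping is removed or a new status value appears.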