PingOne Mobile SDK flows

Pairing - automatic enrollment

The automatic enrollment flow requires as little as one extra step from the user. The first time the user logs into an application which has an embedded PingOne for Customer Mobile SDK component, they are asked if they wish to trust that device. Once they approve, PingOne works behind the scenes, without requiring anything else from the user.

During user authentication, a mobile app communicates with the PingOne for Customer platform to generate a token. The token allows pairing the device to the user in the context of a customer application. The user is not aware of this, and is not required to type or scan anything.

  1. The user is identified on the customer mobile application, usually with a unique user identifier, for example, a username.
  2. The PingOne for Customer Mobile SDK returns a mobile payload to the customer mobile application.
  3. The customer mobile application sends an authentication request to the PingOne for Customer Platform, including the mobile payload.
  4. The customer mobile application receives an ID token.
  5. The customer mobile application passes the ID token to the PingOne for Customer Mobile SDK.
  6. The PingOne for Customer Mobile SDK returns a pairing object to the customer mobile application, to pair or ignore the device.
  7. The customer mobile application prompts the user for the approve or deny action via a dialog. Based on the user’s choice, the customer mobile application notifies PingOne for Customer Mobile SDK.
  8. The PingOne for Customer Mobile SDK completes the transaction accordingly, by communicating directly with PingOne for Customer Platform.

Implement automatic pairing of mobile app as MFA authenticator app

In order to enable automatic pairing of a mobile app as an MFA authenticator app, there are several tasks that must be coordinated between admin and developers.
In brief, you will do the following:

  • Create a native application with Authenticator configuration.
  • Configure a sign-on policy with MFA step where the native application is configured as an authenticator.
  • Assign the sign-on policy to the native app.
  • Write code in the application to support automatic app enrollment.

Follow the detailed steps below:

Supply the relevant details for the admin to do the following in the PingOne for Customer admin console:

Admin tasks

  1. Create a native app.
  2. In Edit an application, in the Authenticator tab:
    • Add the Package name (Android) and Bundle ID (iOS) of your mobile application.
    • Configure the push credentials per platform.
  3. Create a sign-on policy, and add an MFA step.
  4. In the MFA step, mark the Mobile Applications checkbox, and mark the native application created in step 1.
  5. In the native application’s Policies tab, choose the sign-on policy you created.
  6. In Edit an authentication policy, in the MFA step, under the native application name, mark the Auto Enrollment checkbox. (Note that steps 1-5 are always required for mobile authentication, for either manual or automatic pairing.)

Developer tasks

In your mobile application code (also described in the iOS and Android files, see PingOne for Customers Mobile SDK):

  1. Get the mobile payload from the P14C SDK (PingOne.generateMobilePayload())
  2. Pass the received payload of the OIDC request to the P14C authorization service, as the mobilePayload query parameter.
  3. Call processIdToken() with the token you received from P14C platform.
  4. If automatic pairing is triggered (i.e. the user was not already paired with the device), processIdToken() will return a pairing object with approve() and deny() functions. Calling approve() will pair the user with the device.