This activity shows you how to create a sign-on policy with SMS and Email MFA actions, initiate an authorization request, and use the flow APIs to complete the authorization.

The following operations are supported by the PingOne APIs:

Workflow order of operations

To complete an MFA sign-on, the following tasks must be completed successfully:

  1. Make a POST request to /environments/{environmentId}/applications to add a new application to the specified environment.

  2. Make a GET request to /environments/{environmentId}/resources to return a list of all resource entities associated with the specified environment.

  3. Make a GET request to /environments/{environmentId}/resources/{resourceId}/scopes to list all scopes associated with a specified resource.

  4. Make a POST request to /environments/{environmentId}/applications/{applicationId}/grants to create a new resource access grant for the application.

  5. Make a POST request to /environments/{environmentId}/signOnPolicies to create a new sign-on policy.

  6. Make a POST request to /environments/{environmentId}/signOnPolicies/{signOnPolicyId}/actions to define the SMS MFA action associated with this sign-on policy.

  7. Make a POST request to /environments/{environmentId}/signOnPolicies/{signOnPolicyId}/actions to define the Email MFA action associated with this sign-on policy.

  8. Make a POST request to /environments/{environmentId}/applications/{applicationId}/signOnPolicyAssignments to associate the sign-on policy with the application.

  9. Make a POST request to /environments/{id}/populations to create a new population resource.

  10. Make a POST request to /environments/{id}/users to create a user who will be assigned to the new population resource.

  11. Make a POST request to /environments/{id}/users/{userId}/password to set the new user’s password.

  12. Make a POST request to /environments/{id}/users/{userId}/mfaEnabled to enable MFA actions for this user.

  13. Make a POST request to /environments/{id}/users/{userId}/devices to associate an SMS MFA device with this user.

  14. Make a POST request to /environments/{id}/users/{userId}/devices to associate an Email MFA device with this user.

  1. Make a POST request to /{environmentId}/as/authorize to obtain an authorization grant. This request starts the authorization flow.

  2. Make a GET request to /{environmentId}/flows/{flowID} to initiate the sign-on flow.

  3. To complete the sign-on action, make a POST request to /{environmentId}/flows/{flowID} and provide the user’s username for a user lookup action.

  4. To complete the SMS MFA action, make a POST request to /{environmentId}/flows/{flowID} and provide the one-time passcode.

  5. To complete the Email MFA action, make a POST request to /{environmentId}/flows/{flowID} and provide the one-time passcode.

  1. Make a GET request to /{environmentId}/as/resume?flowId={flowID} to call the resume endpoint and return the auth code.

  2. Make a GET request to /environments/{environmentId}/applications/{applicationId}/secret to return the new application’s secret attribute, which is needed for the token request.

  3. Make a POST request to /{environmentId}/as/token to exchange the auth code for an access token.
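The flow portion of the workflow (GET the flow, user lookup, SMS passcode, Email passcode, then resume) can be driven as a small state machine keyed on the flow status. The following is an added example, not code from the PingOne documentation. It assumes the `auth.pingone.com` host, the `user.lookup` and `otp.check` media types, and the `SIGN_ON_REQUIRED`, `OTP_REQUIRED` and `COMPLETED` status names, none of which appear on this page; the `send` transport, the `FakeFlowServer` stand-in and its `device` field are hypothetical and constructed for the demonstration.

```python
AUTH = "https://auth.pingone.com"  # assumed host; the page lists paths only
# Assumed media types and status names (not given on this page).
LOOKUP = "application/vnd.pingidentity.user.lookup+json"
OTP_CHECK = "application/vnd.pingidentity.otp.check+json"

def complete_mfa_flow(send, env_id, flow_id, username, otp_for):
    """Drive the flow steps, then return the resume URL and the status trace.
    send(method, url, content_type, body) -> parsed JSON dict (caller's transport).
    otp_for(flow) -> passcode the user received for the pending MFA action."""
    url = f"{AUTH}/{env_id}/flows/{flow_id}"
    flow = send("GET", url, None, None)
    trace = [flow["status"]]
    for _ in range(6):  # bound the exchange so a stuck flow cannot loop forever
        status = flow["status"]
        if status == "COMPLETED":
            return f"{AUTH}/{env_id}/as/resume?flowId={flow_id}", trace
        if status == "SIGN_ON_REQUIRED":
            flow = send("POST", url, LOOKUP, {"username": username})
        elif status == "OTP_REQUIRED":
            flow = send("POST", url, OTP_CHECK, {"otp": otp_for(flow)})
        else:
            raise RuntimeError(f"unexpected flow status: {status}")
        trace.append(flow["status"])
    raise RuntimeError("flow did not reach COMPLETED")

class FakeFlowServer:
    """Constructed stand-in for the flow endpoint: lookup, SMS OTP, Email OTP."""
    def __init__(self, username, otps):
        self.username, self.pending, self.calls = username, list(otps), []
        self.status = "SIGN_ON_REQUIRED"

    def send(self, method, url, content_type, body):
        self.calls.append((method, content_type))
        if method == "POST" and content_type == LOOKUP:
            if body["username"] == self.username:
                self.status = "OTP_REQUIRED"
        elif method == "POST" and content_type == OTP_CHECK:
            if body["otp"] == self.pending[0][1]:
                self.pending.pop(0)
                self.status = "OTP_REQUIRED" if self.pending else "COMPLETED"
        return {"status": self.status,
                "device": self.pending[0][0] if self.pending else None}

def demo():
    # Constructed sample user, devices and passcodes.
    server = FakeFlowServer("jdoe", [("SMS", "111111"), ("EMAIL", "222222")])
    codes = {"SMS": "111111", "EMAIL": "222222"}
    return complete_mfa_flow(server.send, "ENV_ID", "FLOW_ID", "jdoe",
                             lambda flow: codes[flow["device"]]), server.calls
```

The resume URL is only returned once the flow reports completion, so a client built this way never calls the resume endpoint while an MFA action is still pending.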
