This activity shows you how to create a sign-on policy with login and mfa actions, initiate an authorization request, and use the flow APIs to complete the authorization.

The following operations are supported by the PingOne APIs:

• Create an application
• Create a sign-on policy
• Create login and MFA sign-on policy actions
• Create a user
• Initiate an authorize request
• Use flow APIs to complete the login and MFA actions

Prerequisites

Get an access token from the worker application that you created in Getting Started with the PingOne APIs. To get a token from a different worker application in an alternate sandbox environment, run the token request endpoint using the client ID and client secret of your chosen worker app to authenticate the request. For more information, see GET a Worker Application Access Token.

Workflow order of operations

To complete a login and MFA sign on, the following tasks must be completed successfully:

1. Make a POST request to /environments/{{envID}}/applications to add a new application to the specified environment.

2. Make a GET request to /environments/{{envID}}/resources to return a list of all resource entities associated with the specified environment.

3. Make a GET request to /environments/{{envID}}/resources/{{resourceID}}/scopes to list all scopes associated with a specified resource.

4. Make a POST request to /environments/{{envID}}/applications/{{appID}}/grants to create a new resource access grant for the application.

5. Make a POST request to /environments/{{envID}}/signOnPolicies to create a new sign-on policy.

6. Make a POST request to /environments/{{envID}}/signOnPolicies/{{signOnPolicyID}}/actions to define the login action associated with this sign-on policy.

7. Make a POST request to /environments/{{envID}}/signOnPolicies/{{signOnPolicyID}}/actions to define the MFA action associated with this sign-on policy.

8. Make a POST request to /environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments to associate the sign-on policy with the application.

9. Make a POST request to /environments/{{envID}}/populations to create a new population resource.

10. Make a POST request to /environments/{{envID}}/users to create a user who will be assigned to the new population resource.

11. Make a POST request to /environments/{{envID}}/users/{{userID}}/password to set the new user’s password.

12. Make a POST request to /environments/{{envID}}/users/{{userID}}/mfaEnabled to enable MFA actions for this user.

13. Make a POST request to /environments/{{envID}}/users/{{userID}}/devices to associate an MFA device with this user.

14. Make a POST request to /{{envID}}/as/authorize to obtain an authorization grant. This request starts the authorization flow.

15. Make a GET request to /{{envID}}/flows/{{flowID}} to initiate the sign-on flow.

16. To complete the login action, make a POST request to GET /{{envID}}/flows/{{flowID}} and provide the user’s login credentials.

17. To complete the MFA action, make a POST request to GET /{{envID}}/flows/{{flowID}} and provide the one-time passcode.

18. Make a GET request to /{{envID}}/as/resume?flowId={{flowID}} to call the resume endpoint and return the auth code.

19. Make a GET request to /environments/{{envID}}/applications/{{appID}}/secret to return the new application’s secret attribute, which is needed for the token request.

20. Make a POST request to /{{envID}}/as/token to exchange the auth code for an access token.

Click the Run in Postman button below to download the Postman collection for this use case.