This activity shows you how to create a sign-on policy with login and mfa actions, initiate an authorization request, and use the flow APIs to complete the authorization.
The following operations are supported by the PingOne APIs:
Get an access token from the worker application that you created in Getting Started with the PingOne APIs. To get a token from a different worker application in an alternate sandbox environment, run the token request endpoint using the client ID and client secret of your chosen worker app to authenticate the request. For more information, see GET a Worker Application Access Token.
Workflow order of operations
To complete a login and MFA sign on, the following tasks must be completed successfully:
Make a POST
request to /environments/{{envID}}/applications
to add a new application to the specified environment.
Make a GET
request to /environments/{{envID}}/resources
to return a list of all resource entities associated with the specified environment.
Make a GET
request to /environments/{{envID}}/resources/{{resourceID}}/scopes
to list all scopes associated with a specified resource.
Make a POST
request to /environments/{{envID}}/applications/{{appID}}/grants
to create a new resource access grant for the application.
Make a POST
request to /environments/{{envID}}/signOnPolicies
to create a new sign-on policy.
Make a POST
request to /environments/{{envID}}/signOnPolicies/{{signOnPolicyID}}/actions
to define the login action associated with this sign-on policy.
Make a POST
request to /environments/{{envID}}/signOnPolicies/{{signOnPolicyID}}/actions
to define the MFA action associated with this sign-on policy.
Make a POST
request to /environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments
to associate the sign-on policy with the application.
Make a POST
request to /environments/{{envID}}/populations
to create a new population resource.
Make a POST
request to /environments/{{envID}}/users
to create a user who will be assigned to the new population resource.
Make a POST
request to /environments/{{envID}}/users/{{userID}}/password
to set the new user’s password.
Make a POST
request to /environments/{{envID}}/users/{{userID}}/mfaEnabled
to enable MFA actions for this user.
Make a POST
request to /environments/{{envID}}/users/{{userID}}/devices
to associate an MFA device with this user.
Make a POST
request to /{{envID}}/as/authorize
to obtain an authorization grant. This request starts the authorization flow.
Make a GET
request to /{{envID}}/flows/{{flowID}}
to initiate the sign-on flow.
To complete the login action, make a POST
request to GET /{{envID}}/flows/{{flowID}}
and provide the user’s login credentials.
To complete the MFA action, make a POST
request to GET /{{envID}}/flows/{{flowID}}
and provide the one-time passcode.
Make a GET
request to /{{envID}}/as/resume?flowId={{flowID}}
to call the resume endpoint and return the auth code.
Make a GET
request to /environments/{{envID}}/applications/{{appID}}/secret
to return the new application’s secret
attribute, which is needed for the token request.
Make a POST
request to /{{envID}}/as/token
to exchange the auth code for an access token.
Click the Run in Postman button below to download the Postman collection for this use case.