This activity shows you how to create an MFA only authentication flow using a login_hint_token to identify and authenticate the end-user without needing to encode the entire authentication request in a signed JWT.

The following operations are supported by the PingOne APIs:

• Create an application
• Create a sign-on policy
• Create an SMS sign-on policy action
• Create a user
• Initiate an authorize request using a login_hint_token
• Use the OTP check API to complete the MFA action

Workflow order of operations

To complete an MFA only authentication flow, the following tasks must be completed successfully:

1. Make a POST request to /environments/{{envID}}/applications to add a new application to the specified environment.

2. Make a GET request to /environments/{{envID}}/applications/{{appID}}/secret to return the new application’s secret attribute, which is needed for the token request.

3. Make a GET request to /environments/{{envID}}/resources to return a list of all resource entities associated with the specified environment.

4. Make a GET request to /environments/{{envID}}/resources/{{resourceID}}/scopes to list all scopes associated with a specified resource.

5. Make a POST request to /environments/{{envID}}/applications/{{appID}}/grants to create a new resource access grant for the application.

6. Make a POST request to /environments/{{envID}}/signOnPolicies to create a new sign-on policy.

7. Make a POST request to /environments/{{envID}}/signOnPolicies/{{signOnPolicyID}}/actions to define the SMS MFA action associated with this sign-on policy.

8. Make a POST request to /environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments to associate the sign-on policy with the application.

9. Make a POST request to /environments/{{envID}}/populations to create a new population resource.

10. Make a POST request to /environments/{{envID}}/users to create a user who will be assigned to the new population resource.

11. Make a POST request to /environments/{{envID}}/users/{{userID}}/password to set the new user’s password.

12. Make a POST request to /environments/{{envID}}/users/{{userID}}/mfaEnabled to enable MFA actions for this user.

13. Make a POST request to /environments/{{envID}}/users/{{userID}}/devices to associate an SMS MFA device with this user.

14. Make a POST request to /{{envID}}/as/authorize to obtain an authorization grant. This request starts the authorization flow.

15. To complete the SMS MFA action, make a POST request to GET /{{envID}}/flows/{{flowID}} and provide the one-time passcode.

16. Make a GET request to /{{envID}}/as/resume?flowId={{flowID}} to call the resume endpoint and return the auth code.

Click the Run in Postman button below to download the Postman collection for this use case.