This activity shows you how to create a sign-on policy with SMS and Email MFA actions, initiate an authorization request, and use the flow APIs to complete the authorization.
The following operations are supported by the PingOne APIs:
Workflow order of operations
To complete an MFA sign-on, the following tasks must be completed successfully:
Make a POST request to /environments/{{envID}}/applications to add a new application to the specified environment.
Make a GET request to /environments/{{envID}}/resources to return a list of all resource entities associated with the specified environment.
Make a GET request to /environments/{{envID}}/resources/{{resourceID}}/scopes to list all scopes associated with a specified resource.
Make a POST request to /environments/{{envID}}/applications/{{appID}}/grants to create a new resource access grant for the application.
Make a POST request to /environments/{{envID}}/signOnPolicies to create a new sign-on policy.
Make a POST request to /environments/{{envID}}/signOnPolicies/{{signOnPolicyID}}/actions to define the SMS MFA action associated with this sign-on policy.
Make a POST request to /environments/{{envID}}/signOnPolicies/{{signOnPolicyID}}/actions to define the Email MFA action associated with this sign-on policy.
Make a POST request to /environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments to associate the sign-on policy with the application.
Make a POST request to /environments/{{envID}}/populations to create a new population resource.
Make a POST request to /environments/{{envID}}/users to create a user who will be assigned to the new population resource.
Make a POST request to /environments/{{envID}}/users/{{userID}}/password to set the new user’s password.
Make a POST request to /environments/{{envID}}/users/{{userID}}/mfaEnabled to enable MFA actions for this user.
Make a POST request to /environments/{{envID}}/users/{{userID}}/devices to associate an SMS MFA device with this user.
Make a POST request to /environments/{{envID}}/users/{{userID}}/devices to associate an Email MFA device with this user.
Make a POST request to /{{envID}}/as/authorize to obtain an authorization grant. This request starts the authorization flow.
Make a GET request to /{{envID}}/flows/{{flowID}} to initiate the sign-on flow.
To complete the sign-on action, make a POST request to /{{envID}}/flows/{{flowID}} and provide the user’s username for a user lookup action.
To complete the SMS MFA action, make a POST request to /{{envID}}/flows/{{flowID}} and provide the one-time passcode.
To complete the Email MFA action, make a POST request to /{{envID}}/flows/{{flowID}} and provide the one-time passcode.
Make a GET request to /{{envID}}/as/resume?flowId={{flowID}} to call the resume endpoint and return the auth code.
Make a GET request to /environments/{{envID}}/applications/{{appID}}/secret to return the new application’s secret attribute, which is needed for the token request.
Make a POST request to /{{envID}}/as/token to exchange the auth code for an access token.
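The last three steps (resume, application secret, token exchange) as an added example that is not part of the original documentation or the PingOne Postman collection: it validates the redirect returned by the resume call, extracts the auth code, and builds the token request without sending it. The host name, environment ID, redirect URI, the state check, and the use of HTTP Basic client authentication with the application secret are assumptions made for illustration.

```python
import base64
import hmac
from urllib.parse import urlsplit, parse_qs, urlencode
from urllib.request import Request

# Constructed placeholders (assumptions, not values from the page).
AUTH_BASE = "https://auth.example.invalid"   # stand-in for the authorization host
ENV_ID = "ENV_ID_PLACEHOLDER"                # stand-in for {{envID}}
REDIRECT_URI = "https://app.example.invalid/callback"


def extract_auth_code(location: str, expected_state: str) -> str:
    """Pull the auth code out of the resume redirect, rejecting bad responses."""
    parts = urlsplit(location)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("redirect does not target the registered redirect_uri")
    params = parse_qs(parts.query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    # Assumption: a state value was sent on the authorize request.
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this request")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def build_token_request(app_id: str, secret: str, code: str) -> Request:
    """Build (without sending) the POST to /{{envID}}/as/token."""
    # The application secret travels only in the Authorization header.
    basic = base64.b64encode(f"{app_id}:{secret}".encode()).decode()
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the authorize request
    }).encode()
    return Request(
        f"{AUTH_BASE}/{ENV_ID}/as/token",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )
```

Keep the application secret out of logs and URLs; here it appears only inside the Authorization header of the token request.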