PingOne

Configuring a CIBA authenticator instance

Configure the PingOne MFA CIBA Authenticator to determine how PingFederate communicates with PingOne MFA for client-initiated backchannel authentication (CIBA) requests.

About this task

These steps are only required if you want to enable CIBA support. Learn more in CIBA request flow.

Steps

  1. In the PingFederate administrative console, create a new IdP adapter instance.

    Choose from:

    • For PingFederate 10.1 or later: go to Authentication > OAuth > CIBA Authenticators. Click Create New Instance.

    • For PingFederate 10.0 or earlier: go to Identity Provider > Adapters. Click Create New Instance.

  2. On the Type tab, set the basic adapter instance attributes.

    1. In the Instance Name field, enter a name for the authenticator instance.

    2. In the Instance ID field, enter a unique identifier for the authenticator instance.

    3. From the Type list, select PingOne MFA CIBA Authenticator. Click Next.

  3. Optional: If you want to use the advanced prompt customizations described in CIBA prompt customizations: On the Instance Configuration tab, in the PingOne Template Variables section, map dynamic values to the variables in your PingOne notification template.

    You can find more details and examples in Advanced CIBA prompt customizations.

    1. Click Add a new row to 'PingOne Template Variables'.

    2. In the PingOne Template Variable Name field, enter the name of a variable in your PingOne notification template.

    3. From the PingOne Template Variable Value field, define the value based on the examples shown in Advanced CIBA prompt customizations.

    4. In the Action column, click Update.

    5. To add more attributes, repeat steps a-d.

  4. On the Instance Configuration tab, configure the authenticator instance by referring to PingOne MFA CIBA Authenticator settings reference. Click Next.

  5. On the Actions tab, test your connection to PingOne MFA. Resolve any issues that are reported, and then click Next.

  6. On the Extended Contract tab, add any attributes that you used in the PingOne Template Variable Value fields on the Instance Configuration tab, then click Next.

    The Extended Contract tab acts as an input that defines which attributes are available to use in the PingOne Template Variable Value fields. The subject attribute is always included. Learn more in Advanced CIBA prompt customizations.

  7. On the Summary tab, check and save your configuration:

    Choose from:

    • For PingFederate 10.1 or later: click Save.

    • For PingFederate 10.0 or earlier: click Done. On the Manage IdP Adapter Instances tab, click Save.