PingOne

Enabling user and authentication method provisioning

The PingOne MFA IdP Adapter supports automatic provisioning for users and for some user authentication methods.

About this task

When a user signs on, the adapter gets their username and contact information from attributes in the PingFederate authentication policy. The adapter can use this information to create a user (if necessary) and configure authentication methods for the user in PingOne. This process, called just-in-time provisioning (JIT), happens automatically.

You can only use this technique to provision the following authentication methods:

  • SMS

  • voice

  • email

To enable JIT provisioning, follow this guide while you complete the steps in MFA setup.

Steps

  1. Complete the following steps in your adapter configuration:

    1. Select the Provision Users checkbox.

    2. Optional: To add authentication methods for the new user based on the user’s SMS Attribute, Voice Attribute, and Email Attribute values, select the Provision Authentication Methods checkbox.

      To automatically add new authentication methods for existing users, make sure that the Update Authentication Methods checkbox is selected.

      If Update Authentication Methods is selected, use the Overwrite Authentication Methods Configurations setting to determine whether the adapter replaces existing SMS, voice, or email authentication methods or only adds the new methods when it detects new authentication method values.

    3. To use a different identifier than a username, enter the name of the attribute that will contain the identifier in the Username Attribute field.

      • If you identify users based on their PingOne username, leave this field blank. New users are named based on the "incoming user ID" set for the adapter in your PingFederate authentication policy.

      • If you identify users based on their PingOne user ID, enter the name of an authentication policy attribute. New users are named based on the attribute instead of the "incoming user ID."

    4. If you selected Provision Authentication Methods or Update Authentication Methods, enter the names of the attributes that will contain the user’s contact information in the SMS Attribute, Voice Attribute, and Email Attribute fields if the attributes differ from the default values.

      The default values are SMS for SMS Attribute, voice for Voice Attribute, and email for Email Attribute.

    5. If you selected Provision Authentication Methods, select a Default Authentication Method for Provisioned Users.

      The default selection is SMS.

    Learn more about any of the above fields in the PingOne MFA IdP Adapter settings reference. For help configuring an adapter instance, see Configuring an adapter instance.

  2. When Adding PingOne MFA to your authentication policy, configure the policy path so that the attributes you named are populated before the PingOne MFA IdP Adapter is triggered.

    For example, you could use the HTML Form Adapter to provide a sign-on form and get the user’s phone number from your datastore.
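
To check how the settings in step 1 combine before you enable them, the following added example models the provisioning decision described in the steps above. It is not the adapter's code: `AdapterConfig`, `plan_jit`, and the action names are hypothetical, and the handling of an unpopulated attribute, of an unknown user when Provision Users is cleared, and of the default method are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class AdapterConfig:  # hypothetical mirror of the checkboxes and fields in step 1
    provision_users: bool = False
    provision_methods: bool = False
    update_methods: bool = False
    overwrite_methods: bool = False
    username_attribute: str = ""  # blank: name users by the incoming user ID
    default_method: str = "SMS"
    # method type -> policy attribute name (defaults taken from the page)
    contact_attributes: dict = field(
        default_factory=lambda: {"SMS": "SMS", "voice": "voice", "email": "email"})

def plan_jit(cfg, incoming_user_id, policy_attrs, existing_methods=None):
    """Return the provisioning actions for one sign-on.

    existing_methods is None for an unknown user, otherwise a dict of
    method type -> set of values already registered for that user.
    """
    if cfg.username_attribute:
        user = policy_attrs.get(cfg.username_attribute)
        if not user:  # step 2: attribute was not populated before the adapter ran
            return [("error", f"{cfg.username_attribute} not populated")]  # assumption
    else:
        user = incoming_user_id
    # Only attributes that the policy path actually populated yield a method.
    contacts = {m: policy_attrs[a] for m, a in cfg.contact_attributes.items()
                if policy_attrs.get(a)}
    actions = []
    if existing_methods is None:
        if not cfg.provision_users:
            return actions  # assumption: nothing is provisioned
        actions.append(("create_user", user))
        if cfg.provision_methods:
            actions += [("add_method", m, v) for m, v in contacts.items()]
            if cfg.default_method in contacts:  # assumption: needs a provisioned method
                actions.append(("set_default", cfg.default_method))
    elif cfg.update_methods:
        for m, v in contacts.items():
            current = existing_methods.get(m, set())
            if v in current:
                continue  # value already registered, nothing new
            verb = "replace_method" if cfg.overwrite_methods and current else "add_method"
            actions.append((verb, m, v))
    return actions

if __name__ == "__main__":
    # Constructed sample: existing user whose datastore phone number changed.
    cfg = AdapterConfig(update_methods=True, overwrite_methods=True)
    print(plan_jit(cfg, "jdoe", {"SMS": "+15550100"}, {"SMS": {"+15550199"}}))
```

Because the values in these attributes become the destinations the user authenticates with, populate them from a source you control, such as the datastore lookup in step 2, rather than from a value the user types at sign-on.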