PingFederate IdP factor MFA integration

Acceptto integrates with PingFederate to enable increased security with Acceptto's intelligent Multi-factor Authentication. This integration uses PingFederate's IdP Adapter Plugin feature to enable Acceptto intelligent MFA.

This allows administrators to configure their PingFederate SSO applications to require Acceptto's Smart MFA before authenticating users.

Acceptto's intelligent MFA uses many different signals to provide a low-friction increase in security.

Prerequisites

An Acceptto account with a configured Identity Provider.
A user with administrative privileges for the PingFederate admin panel.
A user with administrative privileges for the Acceptto services.
The Acceptto SAML Metadata XML file for your account.
The Acceptto PingFederate Idp Adapter

Install the Acceptto PingFederate Idp Adapter plugin

Download the Acceptto PingFederate Idp Adapter plugin JAR file.
Install the JAR file in the deploy directory for your PingFederate instance.
Restart the PingFederate server.

Add a new IdP Adapter instance

The Acceptto SAML Metadata XML File is the SAML metadata for your account, it can be found at https://sso.acceptto.com/my-organization/saml/metadata.xml (where my-organization is the short name assigned by Acceptto to identify your organization).

In the PingFederate admin panel, add a new Idp Adapter instance.

Select Authentication > IdP Adapters > Create New Instance
Fill in the Type form with the following:
- Instance Name: Acceptto (or your preferred name)
- Instance Id: acceptto (or your preferred id)
- Type: Acceptto IdP Adapter
- Parent Instance: None
Click Next
Fill in the IdP Adapter form with the following:
- Application Issuer ID: PingFederate Acceptto Plugin (or your preferred name).
- Application Metadata File: Upload the Metadata XML file.
- SP Certificate: Use an existing certificate, or use the "Manage Signing Certificates" button to create a new one.
Click Next
Click Next on the Extended Contract form
Fill in the Adapter Attributes form with the following:
- Unique User Key Attribute: email
- Check the Pseudonym checkbox for email
Click Next
Click Configure Adapter Contract
1. Click Next on Attribute sources & User Lookup
2. Fill in the Adapter Contract Fulfillment form with the following sources:
  - acceptto_result: Adapter
  - email: Adapter
  - username: Adapter
3. Click Next
4. Click Next on Issuance Criteria
5. Click Done
Click Next
Click Save

Add Chained Adapter

In order to enable Acceptto's MFA after initial authentication, we use a chained adapter.

Select Authentication > IdP Adapters > Create New Instance
Fill in the Type form with the following:
- Instance Name: Chained Acceptto (or your preferred name)
- Instance Id: chained (or your preferred name)
- Type: Composite Adapter
- Parent Instance: None
Click Next
Fill in the sections on the IdP Adapter form as follows:
- Adapters
  1. Click "Add a new row to 'Adapters'"
  2. Set the Adapter Instance to HTMLFormPD (or your primary authentication adapter)
  3. Click Update
  4. Click "Add a new row to 'Adapters'"
  5. Set the Adapter Instance to Acceptto (or the name you chose for the adapter instance)
  6. Click Update
- Input User ID Mapping
  1. Click "Add a new row to 'Input User ID Mapping'"
  2. Select HTMLFormPD (or your primary authentication adapter)
  3. Select username
  4. Click Update
  5. Click "Add a new row to 'Input User ID Mapping'"
  6. Select Acceptto (or the name you chose for the adapter instance)
  7. Select email
  8. Click Update
Click Next
Fill in the Extended Contract form as follows:
1. Under Extend the Contract enter username
2. Click Add
3. Under Extend the Contract enter email
4. Click Add
Click Next
Fill in the Adapter Attributes form as follows:
- Unique User Key Attribute: email
- Check the Pseudonym checkbox for email
Click Next
Click Configure Adapter Contract
1. Click Next on Attribute sources & User Lookup
2. Fill in the Adapter Contract Fulfillment form with the following sources:
  1. acceptto_result: Adapter
  2. email: Adapter
  3. username: Adapter
3. Click Next
4. Click Next on Issuance Criteria
5. Click Done
Click Next
Click Save

Add Application to Acceptto

Add PingFederate IdP Factor as a service provider in the Acceptto admin panel. Some required information can be found in PingFederate.

In the eGuardian user dashboard, select Applications > Create New Application
In the New Application form, enter the following values under the General tab
- Name - Ping Federate (or your preferred name)
- Type - Select "SAML Service Provider" from the options
- Out of Band Methods - Select the allowed methods for approving MFA requests
- Message for MFA Requests - Enter the user-facing message for Push, SMS, and e-mail MFA requests (optional)
Under the SAML Service Provider Configuration tab, enter the following values
- Select the checkbox for Upstream IdP
- Issuer or Entity ID – The Application Issuer ID from PingFederate
- Sign in URL - From PingFederate
- Metadata URL - Leave blank
- Username Field for Upstream IdP - mail
- Assertion Consumer Service (ACS) URL - Leave blank
- Certificate - the X.509 public certificate from PingFederate
Configure additional settings as desired, then click Save

User Experience

After the admin has enabled IdP factor MFA, the user will be prompted to add this custom factor on their next login via PingFederate.
The user then selects the IdP Factor option and is taken to a QR pairing screen.
They can then download the Acceptto It'sMe mobile application from Google Play Store or Apple App Store.
The user opens the mobile application and is prompted to scan the displayed QR code.
After scanning the QR the user's device is paired.
On subsequent authentication attempts, the user will be asked to confirm the Idp factor MFA and be taken to the select MFA option by PingFederate.
Upon approval of MFA, the user will be authenticated to their application.

In this section: