
PingFederate IdP factor MFA integration

Acceptto integrates with PingFederate to enable increased security with Acceptto's intelligent Multi-factor Authentication. This integration uses PingFederate's IdP Adapter Plugin feature to enable Acceptto intelligent MFA.

This allows administrators to configure their PingFederate SSO applications to require Acceptto's Smart MFA before authenticating users.

Acceptto's intelligent MFA uses many different signals to provide a low-friction increase in security.

Prerequisites

  • An Acceptto account with a configured Identity Provider.

  • A user with administrative privileges for the PingFederate admin panel.

  • A user with administrative privileges for the Acceptto services.

  • The Acceptto SAML Metadata XML file for your account.

  • The Acceptto PingFederate IdP Adapter plugin (JAR file).

Install the Acceptto PingFederate IdP Adapter plugin

  1. Download the Acceptto PingFederate IdP Adapter plugin JAR file.

  2. Install the JAR file in the deploy directory for your PingFederate instance.

  3. Restart the PingFederate server.

Add a new IdP Adapter instance

The Acceptto SAML Metadata XML file is the SAML metadata for your account. It can be found at https://sso.acceptto.com/my-organization/saml/metadata.xml, where my-organization is the short name assigned by Acceptto to identify your organization.
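A pre-flight check on that metadata file before it is uploaded as the Application Metadata File, added here as an example (not Acceptto or PingFederate code): it parses the IdP metadata, extracts the entityID, single sign-on endpoints and signing certificate that PingFederate will rely on, and flags a missing signing key or a non-HTTPS endpoint. The sample metadata, its entityID and its certificate value are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET  # fine for your own IdP's file; use defusedxml for untrusted XML

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample metadata: the certificate is a placeholder blob with a DER SEQUENCE
# prefix, and the HTTP-POST endpoint is deliberately plain HTTP so the check flags it.
CERT_B64 = base64.b64encode(b"\x30\x82\x00\x10placeholder-not-a-real-cert").decode()
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sso.acceptto.com/my-organization/saml">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.acceptto.com/my-organization/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sso.acceptto.com/my-organization/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    # Return entityID, SSO endpoints keyed by binding, and signing certificates (base64 text).
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not a SAML 2.0 IdP EntityDescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if "signing" in kd.get("use", "signing encryption"):  # no 'use' attribute means both
            certs += ["".join((c.text or "").split()) for c in kd.findall(".//ds:X509Certificate", NS)]
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}

def check_idp_metadata(info):
    # List problems to resolve before uploading the file to PingFederate.
    problems = []
    if not info["signing_certs"]:
        problems.append("no signing certificate: PingFederate could not verify SAML responses")
    for cert in info["signing_certs"]:
        try:
            ok = base64.b64decode(cert, validate=True).startswith(b"\x30")  # DER SEQUENCE tag
        except ValueError:
            ok = False
        if not ok:
            problems.append("signing certificate is not a base64 DER X.509 certificate")
    for binding, url in info["sso"].items():
        if not (url or "").startswith("https://"):
            problems.append(f"{binding.rsplit(':', 1)[-1]} SSO endpoint is not HTTPS: {url}")
    return problems
```

Run it against the real metadata.xml downloaded for your organization; an empty list from check_idp_metadata means the file is ready to upload.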

In the PingFederate admin panel, add a new IdP Adapter instance.

  1. Select Authentication > IdP Adapters > Create New Instance

  2. Fill in the Type form with the following:

    • Instance Name: Acceptto (or your preferred name)

    • Instance Id: acceptto (or your preferred id)

    • Type: Acceptto IdP Adapter

    • Parent Instance: None

    [Screenshot: ping_create_adapter_instance.png]

  3. Click Next

  4. Fill in the IdP Adapter form with the following:

    • Application Issuer ID: PingFederate Acceptto Plugin (or your preferred name).

    • Application Metadata File: Upload the Metadata XML file.

    • SP Certificate: Use an existing certificate, or use the "Manage Signing Certificates" button to create a new one.

    [Screenshot: ping_idp_adapter_settings.png]

  5. Click Next

  6. Click Next on the Extended Contract form

  7. Fill in the Adapter Attributes form with the following:

    • Unique User Key Attribute: email

    • Check the Pseudonym checkbox for email

    [Screenshot: ping_adapter_attributes.png]

  8. Click Next

  9. Click Configure Adapter Contract

    1. Click Next on Attribute sources & User Lookup

    2. Fill in the Adapter Contract Fulfillment form with the following sources:

      • acceptto_result: Adapter

      • email: Adapter

      • username: Adapter

      [Screenshot: ping_adapter_contract_fulfillment.png]

    3. Click Next

    4. Click Next on Issuance Criteria

    5. Click Done

  10. Click Next

  11. Click Save

Add Chained Adapter

To enable Acceptto's MFA after initial authentication, we use a chained adapter: a Composite Adapter that runs the primary authentication adapter first and the Acceptto adapter second.

  1. Select Authentication > IdP Adapters > Create New Instance

  2. Fill in the Type form with the following:

    • Instance Name: Chained Acceptto (or your preferred name)

    • Instance Id: chained (or your preferred id)

    • Type: Composite Adapter

    • Parent Instance: None

    [Screenshot: ping_create_chained_adapter.png]

  3. Click Next

  4. Fill in the sections on the IdP Adapter form as follows:

    • Adapters

      1. Click "Add a new row to 'Adapters'"

      2. Set the Adapter Instance to HTMLFormPD (or your primary authentication adapter)

      3. Click Update

      4. Click "Add a new row to 'Adapters'"

      5. Set the Adapter Instance to Acceptto (or the name you chose for the adapter instance)

      6. Click Update

    • Input User ID Mapping

      1. Click "Add a new row to 'Input User ID Mapping'"

      2. Select HTMLFormPD (or your primary authentication adapter)

      3. Select username

      4. Click Update

      5. Click "Add a new row to 'Input User ID Mapping'"

      6. Select Acceptto (or the name you chose for the adapter instance)

      7. Select email

      8. Click Update

    [Screenshot: ping_chained_adapter_settings.png]

  5. Click Next

  6. Fill in the Extended Contract form as follows:

    1. Under Extend the Contract enter username

    2. Click Add

    3. Under Extend the Contract enter email

    4. Click Add

    [Screenshot: ping_chained_extended_contract.png]

  7. Click Next

  8. Fill in the Adapter Attributes form as follows:

    • Unique User Key Attribute: email

    • Check the Pseudonym checkbox for email

    [Screenshot: ping_adapter_attributes.png]

  9. Click Next

  10. Click Configure Adapter Contract

    1. Click Next on Attribute sources & User Lookup

    2. Fill in the Adapter Contract Fulfillment form with the following sources:

      1. acceptto_result: Adapter

      2. email: Adapter

      3. username: Adapter

      [Screenshot: ping_adapter_contract_fulfillment.png]

    3. Click Next

    4. Click Next on Issuance Criteria

    5. Click Done

  11. Click Next

  12. Click Save

Add Application to Acceptto

Add PingFederate IdP Factor as a service provider in the Acceptto admin panel. Some required information can be found in PingFederate.

  1. In the eGuardian user dashboard, select Applications > Create New Application

  2. In the New Application form, enter the following values under the General tab

    • Name - Ping Federate (or your preferred name)

    • Type - Select "SAML Service Provider" from the options

    • Out of Band Methods - Select the allowed methods for approving MFA requests

    • Message for MFA Requests - Enter the user-facing message for Push, SMS, and e-mail MFA requests (optional)

    [Screenshot: ping_add_app.png]

  3. Under the SAML Service Provider Configuration tab, enter the following values

    • Select the checkbox for Upstream IdP

    • Issuer or Entity ID - The Application Issuer ID from PingFederate

    • Sign in URL - From PingFederate

    • Metadata URL - Leave blank

    • Username Field for Upstream IdP - mail

    • Assertion Consumer Service (ACS) URL - Leave blank

    • Certificate - the X.509 public certificate from PingFederate

  4. Configure additional settings as desired, then click Save

    [Screenshot: ping_sp_settings.png]

User Experience

  1. After the admin has enabled IdP factor MFA, the user will be prompted to add this custom factor on their next login via PingFederate.

  2. The user then selects the IdP Factor option and is taken to a QR pairing screen.

  3. They can then download the Acceptto It'sMe mobile application from Google Play Store or Apple App Store.

  4. The user opens the mobile application and is prompted to scan the displayed QR code.

  5. After scanning the QR code, the user's device is paired.

  6. On subsequent authentication attempts, the user is asked to confirm the IdP factor MFA and is taken by PingFederate to the MFA selection option.

  7. Upon approval of MFA, the user will be authenticated to their application.