Qodex.ai

Configure an MFA-Only Flow Using a Login Hint Token

Number of APIs: 17

This activity shows you how to create an MFA only authentication flow using a login_hint_token to identify and authenticate the end-user without needing to encode the entire authentication request in a signed JWT.

The following operations are supported by the PingOne APIs:

  • Create an application
  • Create a sign-on policy
  • Create an SMS sign-on policy action
  • Create a user
  • Create a device authentication policy
  • Initiate an authorize request using a login_hint_token
  • Use the OTP check API to complete the MFA action

Prerequisites

Get an access token from the worker application that you created in Getting Started with the PingOne APIs. To get a token from a different worker application in an alternate sandbox environment, run the token request endpoint using the client ID and client secret of your chosen worker app to authenticate the request. For more information, see GET a Worker Application Access Token.

Workflow order of operations

To complete an MFA only authentication flow, the following tasks must be completed successfully:

  1. Make a POST request to /environments/{{envID}}/applications to add a new application to the specified environment.

  2. Make a GET request to /environments/{{envID}}/applications/{{appID}}/secret to return the new application's secret attribute, which is needed for the token request.

  3. Make a GET request to /environments/{{envID}}/resources to return a list of all resource entities associated with the specified environment.

  4. Make a GET request to /environments/{{envID}}/resources/{{resourceID}}/scopes to list all scopes associated with a specified resource.

  5. Make a POST request to /environments/{{envID}}/applications/{{appID}}/grants to create a new resource access grant for the application.

  6. Make a POST request to /environments/{{envID}}/signOnPolicies to create a new sign-on policy.

  7. Make a POST request to /environments/{{envID}}/signOnPolicies/{{signOnPolicyID}}/actions to define the SMS MFA action associated with this sign-on policy.

  8. Make a POST request to /environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments to associate the sign-on policy with the application.

  9. Make a POST request to /environments/{{envID}}/populations to create a new population resource.

  10. Make a POST request to /environments/{{envID}}/users to create a user who will be assigned to the new population resource.

  11. Make a POST request to /environments/{{envID}}/users/{{userID}}/password to set the new user's password.

  12. Make a POST request to /environments/{{envID}}/users/{{userID}}/mfaEnabled to enable MFA actions for this user.

  13. Make a POST request to /environments/{{envID}}/deviceAuthenticationPolicies to create the device authentication policy.

  14. Make a POST request to /environments/{{envID}}/users/{{userID}}/devices to associate an SMS MFA device with this user.

  15. Make a POST request to /{{envID}}/as/authorize to obtain an authorization grant. This request starts the authorization flow.

  16. To complete the SMS MFA action, make a POST request to GET /{{envID}}/flows/{{flowID}} and provide the one-time passcode.

  17. Make a GET request to /{{envID}}/as/resume?flowId={{flowID}} to call the resume endpoint and return the auth code.

  1. Step 6: Create a sign-on policy POST {{apiPath}}/environments/{{envID}}/signOnPolicies

  2. Step 8: Assign the sign-on policy to the web application POST {{apiPath}}/environments/{{envID}}/applications/{{webApp4MfaId}}/signOnPolicyAssignments

  3. Step 4: Get all OIDC Scopes GET {{apiPath}}/environments/{{envID}}/resources/{{openidResourceID}}/scopes

  4. Step 9: Create a population for MFA users POST {{apiPath}}/environments/{{envID}}/populations

  5. Step 1: Create a web application POST {{apiPath}}/environments/{{envID}}/applications

  6. Step 2: Get the application secret GET {{apiPath}}/environments/{{envID}}/applications/{{webApp4MfaId}}/secret

  7. Step 3: Get all resources GET {{apiPath}}/environments/{{envID}}/resources

  8. Step 7: Create an SMS MFA sign-on policy action POST {{apiPath}}/environments/{{envID}}/signOnPolicies/{{mfaSignonPolicyID}}/actions

  9. Step 10: Create user POST {{apiPath}}/environments/{{envID}}/users

  10. Step 11: Set user password PUT {{apiPath}}/environments/{{envID}}/users/{{MFAUserID}}/password