Qodex.ai

Use an Email MFA Action to Authenticate Users

Number of APIs: 19

This activity shows you how to create a sign-on policy with an Email MFA action, initiate an authorization request, and use the flow APIs to complete the authorization.

The following operations are supported by the PingOne APIs:

  • Create an application
  • Create a sign-on policy
  • Create an Email MFA sign-on policy action
  • Create a device authentication policy
  • Create a user
  • Initiate an authorize request
  • Use flow APIs to complete the MFA action

Prerequisites

Get an access token from the worker application that you created in Getting Started with the PingOne APIs. To get a token from a different worker application in an alternate sandbox environment, run the token request endpoint using the client ID and client secret of your chosen worker app to authenticate the request. For more information, see GET a Worker Application Access Token.

Workflow order of operations

To complete a MFA sign on, the following tasks must be completed successfully:

  1. Make a POST request to /environments/{{envID}}/applications to add a new application to the specified environment.

  2. Make a GET request to /environments/{{envID}}/resources to return a list of all resource entities associated with the specified environment.

  3. Make a GET request to /environments/{{envID}}/resources/{{resourceID}}/scopes to list all scopes associated with a specified resource.

  4. Make a POST request to /environments/{{envID}}/applications/{{appID}}/grants to create a new resource access grant for the application.

  5. Make a POST request to /environments/{{envID}}/signOnPolicies to create a new sign-on policy.

  6. Make a POST request to /environments/{{envID}}/signOnPolicies/{{signOnPolicyID}}/actions to define the Email MFA action associated with this sign-on policy.

  7. Make a POST request to /environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments to associate the sign-on policy with the application.

  8. Make a POST request to /environments/{{envID}}/populations to create a new population resource.

  9. Make a POST request to /environments/{{envID}}/users to create a user who will be assigned to the new population resource.

  10. Make a POST request to /environments/{{envID}}/users/{{userID}}/password to set the new user's password.

  11. Make a POST request to /environments/{{envID}}/users/{{userID}}/mfaEnabled to enable MFA actions for this user.

  12. Make a POST request to /environments/{{envID}}/deviceAuthenticationPolicies to create the device authentication policy.

  13. Make a POST request to /environments/{{envID}}/users/{{userID}}/devices to associate an Email MFA device with this user.

  14. Make a POST request to /{{envID}}/as/authorize to obtain an authorization grant. This request starts the authorization flow.

  15. Make a GET request to /{{envID}}/flows/{{flowID}} to initiate the sign-on flow.

  16. To complete the sign-on action, make a POST request to GET /{{envID}}/flows/{{flowID}} and provide the user's username for a user lookup action.

  17. To complete the Eamil MFA action, make a POST request to GET /{{envID}}/flows/{{flowID}} and provide the one-time passcode.

  18. Make a GET request to /{{envID}}/as/resume?flowId={{flowID}} to call the resume endpoint and return the auth code.

  19. Make a GET request to /environments/{{envID}}/applications/{{appID}}/secret to return the new application's secret attribute, which is needed for the token request.

  20. Make a POST request to /{{envID}}/as/token to exchange the auth code for an access token.

  1. Step 5: Create a sign-on policy POST {{apiPath}}/environments/{{envID}}/signOnPolicies

  2. Step 3: Get all OIDC Scopes GET {{apiPath}}/environments/{{envID}}/resources/{{openidResourceID}}/scopes

  3. Step 4: Assign a resource grant to the web application POST {{apiPath}}/environments/{{envID}}/applications/{{webApp4MfaId}}/grants

  4. Step 6: Create an Email MFA sign-on policy action POST {{apiPath}}/environments/{{envID}}/signOnPolicies/{{mfaSignonPolicyID}}/actions

  5. Step 7: Assign the sign-on policy to the web application POST {{apiPath}}/environments/{{envID}}/applications/{{webApp4MfaId}}/signOnPolicyAssignments

  6. Step 8: Create a population for MFA users POST {{apiPath}}/environments/{{envID}}/populations

  7. Step 9: Create a user POST {{apiPath}}/environments/{{envID}}/users

  8. Step 10: Set user password PUT {{apiPath}}/environments/{{envID}}/users/{{MFAUserID}}/password

  9. Step 12: Create the device authentication policy POST {{apiPath}}/environments/{{envID}}/deviceAuthenticationPolicies

  10. Step 13: Set user device (Email) POST {{apiPath}}/environments/{{envID}}/users/{{MFAUserID}}/devices