PingID MFA

The PingID MFA Connector requests authentication from a PingID MFA instance by sending a PPM request. PingID returns the authentication state and user attributes as claims to the Orchestrator.

Configuration

The following values can be provided to the PingID MFA connector via the Maverics configuration file.

ppmURL The URL where Maverics will send the PPM request (normally "https://authenticator.pingone.com/pingid/ppm/auth").

secretKey The client secret of the Maverics application used to sign JSON Web Tokens (JWT). The secret must be base64 encoded.

idpAccountID The account ID of the service provider created in PingID.

issuer The issuer claim identifying the principal that issued the JWT.

audience The audience claim identifying the recipients that the JWT is intended for (normally "pingidauthenticator").

mfaCallbackURL The URL to which PingID will POST the PPM response. The Maverics PPM MFA handler is served on this URL. The URL path can be an arbitrary endpoint such as /stuff/mfa/callback or /maverics-handlers/mfa/callback.

Claim Mapping in Authentication Policy

Using the PingID MFA connector in an authentication policy requires a mapping between the PingID username (sent as the "sub" in the PPM request) and a corresponding claim provided by the IDP connector. This matches the user's identity from the first factor (IDP) with their PingID identity. For example:

authentication:
  idps:
    - azure
  mfa:
    - pingid:
        mapping:
          - username: azure.name
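
As an added example (not Maverics' or PingID's own code), the following Python sketch shows the two steps described above: resolving the policy mapping to the PingID username, and signing the outbound JWT with the base64-decoded secretKey, together with the checks a receiver should apply to an HS256 token under that shared secret. It assumes HS256 and a minimal claim set (sub, iss, aud, iat, exp); the real PPM request and response claim sets are PingID's and are not given on this page, and all sample values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (not real credentials); keys mirror the connector configuration.
SAMPLE_CFG = {
    "secretKey": base64.b64encode(bytes(range(32))).decode(),  # base64, as the connector expects
    "issuer": "Example",
    "audience": "pingidauthenticator",
}
SAMPLE_MAPPING = [{"username": "azure.name"}]  # the policy's mfa mapping entry
SAMPLE_IDP_CLAIMS = {"azure": {"name": "alice@example.com"}}  # claims keyed by IDP connector name

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def resolve_username(mapping: list, idp_claims: dict) -> str:
    """Turn 'username: azure.name' into the value of claim 'name' issued by connector 'azure'."""
    entry = next(m for m in mapping if "username" in m)
    connector, claim = entry["username"].split(".", 1)
    return idp_claims[connector][claim]  # KeyError here means the first factor never issued the claim

def build_ppm_jwt(cfg: dict, username: str, now: int) -> str:
    """Sign the outbound request (HS256 assumed) with the decoded secretKey, not the base64 text."""
    key = base64.b64decode(cfg["secretKey"])
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"sub": username, "iss": cfg["issuer"], "aud": cfg["audience"],
                               "iat": now, "exp": now + 300}).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, cfg: dict, expected_aud: str, now: int) -> dict:
    """Check an HS256 token under the shared secret: algorithm, signature, audience, expiry."""
    key = base64.b64decode(cfg["secretKey"])
    header, body, sig = token.split(".")  # ValueError on a malformed token
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("aud") != expected_aud or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("wrong audience or expired")
    return claims
```

A misconfiguration worth testing for is signing with the base64 string itself instead of its decoded bytes: the request still looks like a valid JWT but PingID will reject the signature.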

Sample Connector Configuration

connectors:
  - name: pingid
    type: pingid
    ppmURL: "https://authenticator.pingone.com/pingid/ppm/auth"
    secretKey: <example_secret>
    idpAccountID: "0aa0000a-a000-000a-00aaa-a0000aa00000"
    issuer: "Example"
    audience: "pingidauthenticator"
    mfaCallbackURL: "https://maverics.example.com/mfa/callback"

Complete configuration sample with Azure AD

version: 0.1

tls:
  sonar-app:
    caFile: /etc/maverics/certs/rootCA.pem
  maverics:
    certFile: /etc/maverics/certs/maverics.sonarsystems.co.crt
    keyFile: /etc/maverics/certs/maverics.sonarsystems.co.key

http:
  address: :443
  tls: maverics

session:
  cookie:
    domain: example.com

appgateways:
  - name: Sonar
    basePath: /
    upstream: https://app.sonarsystems.com:8443
    tls: sonar-app
    unauthorizedPage: https://example.com/sonar/accessdenied

    idps:
      - name: azure
      - name: pingid

    headers:
      SM_USER: azure.name
      firstname: azure.name
      lastname: azure.surname

    policies:
      - location: /sonar/accessdenied
        allowUnauthenticated: true
      - location: /sonar
        unauthorizedPage: https://app.sonarsystems.com:8443/sonar/accessdenied
        authentication:
          idps:
            - azure
          mfa:
            - pingid:
                mapping:
                  - username: azure.name

connectors:
  - name: azure
    type: azure
    authType: saml
    samlConsumerServiceURL: https://example.com/saml
    samlLogoutCallbackURL: https://example.com/logout
    samlMetadataURL: https://login.microsoftonline.com/<ID>/federationmetadata/2007-06/federationmetadata.xml?appid=<APP_ID>
    samlEntityID: https://example.com

  - name: pingid
    type: pingid
    ppmURL: "https://authenticator.pingone.com/pingid/ppm/auth"
    secretKey: <example_secret>
    idpAccountID: "0aa0000a-a000-000a-00aaa-a0000aa00000"
    issuer: "Example"
    audience: "pingidauthenticator"
    mfaCallbackURL: "https://maverics.example.com/mfa/callback"