Configure XFA as an Authentication Factor on Ping Identity
To make sure that every device in your organization is secure, XFA can be configured on Ping Identity to verify each device as part of the authentication to all applications connected to Ping Identity. This guide will walk you through the steps to configure XFA as an Authentication Factor of the type 'External IdP' and enforce its usage.
Note: This guide assumes that you have an account set up with XFA for your organization and you're an admin for that organization on both XFA and Ping Identity. If you do not have an account for XFA, you can create one at https://dashboard.xfa.tech/signup.
Create an integration in XFA Dashboard
After logging in to the XFA Dashboard, navigate to the Enforcement page, click on New and select PingIdentity as the integration type. The page will show several values you will need during the next steps. It also contains the field Callback URL that you will have to fill with a value from the Ping Identity administration portal during the following step.
Keep this page opened during the next step.
Create an External IdP to use as Authentication Factor in Ping Identity
1. Create an External IdP
In the administration portal of Ping Identity (log in to Ping Identity and click Administrators on the left menu), navigate to Integrations > External IdPs and click on + Add Provider.
Choose OpenID Connect as the type of the new External IdP which you can find in the Custom section.
Fill in 'XFA' as a name, and fill in an optional description. When pressing the logo shown on the page, you can upload a different logo. You can download the XFA logo from the XFA Dashboard on the page you have left open from the previous step.
Press Continue
2. Configure the External IdP
Fill out the following details, copying them from the XFA Dashboard:
Connection Details
- Client ID
- Client Secret
- Copy the Callback URL back to the XFA Dashboard page.
Discovery Details
- Leave the Discovery Document URI empty
- Authorization Endpoint
- Token Endpoint
- JWKS URI
- Issuer
- User Information Endpoint
- Requested Scopes
- Set Token Endpoint Authentication Method to Client Secret Post
Click Save and Continue to create the External IdP.
Leave the values as is on the Map Attributes page, and click Save and Finish.
3. Create a new Authentication Factor
In the administration portal of Ping Identity, navigate to Authentication > Authentication, click on + Add Policy.
Give the policy a name such as 'XFA'.
Next, select Login as the first factor, leave the settings as is (or modify them to your liking).
- Click Add Step and select External Identity Provider as the second factor.
- Under External Identity Provider use the dropdown to select the one you've just created in the previous step.
- Select Pass user context to provider
- Click Save
Apply the policy to applications
In the Ping Identity portal, go to Applications > Applications and select the application you want to enforce XFA on.
Select Policies, and check the policy you've just created in the previous step.
Now, when logging into that application you will be prompted to verify your device through XFA after successfully logging in using your regular login.
Won't I lose my 2FA identity verification?
In Ping Identity you can have more than 1 extra factor, so you could also set a 2FA identity verification. However, the smoothest experience is gained through XFA, we provide 'silent MFA', which allows you to verify your identity through known devices which you've explicitly trusted with XFA. In this way your device act as a second factor. Read our documentation about silent MFA for more information.
Advanced Settings
For more advanced settings, such as limiting the factor to certain users, or only letting XFA show up in certain cases, please refer to the Ping Identity documentation.