-
Notifications
You must be signed in to change notification settings - Fork 0
/
pingone-mfa.yml
2739 lines (2739 loc) · 94.9 KB
/
pingone-mfa.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
openapi: 3.1.0
info:
title: PingOne Platform API - PingOne MFA
description: The PingOne Platform API covering the PingOne MFA service
version: '2023-06-29'
externalDocs:
url: https://apidocs.pingidentity.com/pingone/platform/v1/api/#pingone-mfa
description: PingOne Platform API Reference - PingOne MFA APIs
servers:
- url: '{protocol}://{baseDomain}.{suffix}/v1'
description: PingOne Platform API Endpoint
variables:
suffix:
enum:
- 'asia'
- 'ca'
- 'com'
- 'com.au'
- 'eu'
default: 'com'
baseDomain:
default: 'api.pingone'
protocol:
default: 'https'
- url: '{protocol}://{baseHostname}/v1'
description: PingOne Platform API Endpoint
variables:
baseHostname:
default: 'api.pingone.com'
protocol:
default: 'https'
components:
securitySchemes:
bearer:
type: http
scheme: bearer
bearerFormat: JWT
description: OAuth bearer token (see documentation)
schemas:
LinksHATEOAS:
x-pingidentity-paginatedresponse-links: true
type: object
readOnly: true
additionalProperties:
type: object
properties:
href:
type: string
format: uri
description: The HREF of the link.
required:
- href
DeviceAuthenticationPolicyFIDODevice:
type: object
deprecated: true
properties:
enabled:
type: boolean
description: Enabled or disabled in the policy.
pairingDisabled:
type: boolean
description: You can set `pairingDisabled` to true to prevent users from pairing new devices with the relevant method. You can use this option if you want to phase out an existing authentication method but want to allow users to continue using the method for authentication for existing devices.
fidoPolicyId:
type: string
description: Specifies the FIDO policy UUID. This property can be null. When null, the environment's default FIDO Policy is used.
required:
- enabled
DeviceAuthenticationPolicyOfflineDevice:
type: object
properties:
enabled:
type: boolean
description: Enabled or disabled in the policy.
pairingDisabled:
type: boolean
description: You can set `pairingDisabled` to true to prevent users from pairing new devices with the relevant method. You can use this option if you want to phase out an existing authentication method but want to allow users to continue using the method for authentication for existing devices.
otp:
type: object
properties:
lifeTime:
type: object
properties:
duration:
type: integer
description: The duration (number of time units) that the passcode is valid before it expires.
timeUnit:
$ref: '#/components/schemas/EnumTimeUnit'
required:
- duration
- timeUnit
failure:
type: object
properties:
count:
type: integer
description: The maximum number of times that the OTP entry can fail for a user, before they are blocked.
coolDown:
type: object
properties:
duration:
type: integer
description: The duration (number of time units) the user is blocked after reaching the maximum number of passcode failures.
timeUnit:
$ref: '#/components/schemas/EnumTimeUnit'
required:
- duration
- timeUnit
required:
- count
- coolDown
otpLength:
type: integer
description: Used to specify the length of the OTP that is shown to users. Minimum length is `6` digits and maximum is `10` digits. If the parameter is not provided, the default is `6` digits.
default: 6
minimum: 6
maximum: 10
required:
- lifeTime
- failure
promptForNicknameOnPairing:
type: boolean
description: Set to `true` if you want to allow users to provide nicknames for devices during pairing.
required:
- enabled
- otp
DeviceAuthenticationPolicy:
type: object
properties:
'_links':
$ref: '#/components/schemas/LinksHATEOAS'
environment:
$ref: '#/components/schemas/ObjectEnvironment'
id:
type: string
description: Device authentication policy's UUID.
readOnly: true
name:
type: string
description: Device authentication policy's name.
newDeviceNotification:
$ref: '#/components/schemas/EnumMFADevicePolicyNewDeviceNotification'
authentication:
type: object
description: An object that contains the device selection settings.
properties:
deviceSelection:
$ref: '#/components/schemas/EnumMFADevicePolicySelection'
required:
- deviceSelection
sms:
$ref: '#/components/schemas/DeviceAuthenticationPolicyOfflineDevice'
voice:
$ref: '#/components/schemas/DeviceAuthenticationPolicyOfflineDevice'
email:
$ref: '#/components/schemas/DeviceAuthenticationPolicyOfflineDevice'
fido2:
type: object
properties:
enabled:
type: boolean
description: A boolean that specifies whether the method is enabled or disabled in the policy.
pairingDisabled:
type: boolean
description: You can set `pairingDisabled` to true to prevent users from pairing new devices with the relevant method. You can use this option if you want to phase out an existing authentication method but want to allow users to continue using the method for authentication for existing devices.
fido2PolicyId:
type: string
description: Specifies the UUID that represents the FIDO2 policy in PingOne. This property can be null. When null, the environment's default FIDO2 Policy is used.
promptForNicknameOnPairing:
type: boolean
description: Set to `true` if you want to allow users to provide nicknames for devices during pairing.
required:
- enabled
mobile:
type: object
description: Mobile device authentication policy settings.
properties:
enabled:
type: boolean
description: A boolean that specifies whether the method is enabled or disabled in the policy.
otp:
type: object
properties:
failure:
type: object
properties:
count:
type: integer
description: The maximum number of times that the OTP entry can fail for a user, before they are blocked.
coolDown:
type: object
properties:
duration:
type: integer
description: The duration (number of time units) the user is blocked after reaching the maximum number of passcode failures.
timeUnit:
$ref: '#/components/schemas/EnumTimeUnit'
required:
- duration
- timeUnit
required:
- count
- coolDown
window:
type: object
properties:
stepSize:
type: object
properties:
duration:
type: integer
timeUnit:
$ref: '#/components/schemas/EnumTimeUnit'
required:
- duration
- timeUnit
required:
- stepSize
required:
- failure
applications:
type: array
items:
type: object
properties:
id:
type: string
description: The application's ID.
push:
type: object
properties:
enabled:
type: boolean
description: Specifies whether push notification is enabled or disabled for the policy.
required:
- enabled
pushTimeout:
type: object
properties:
duration:
type: integer
description: The amount of time a user has to respond to a push notification before it expires. Minimum is 40 seconds and maximum is 150 seconds. If this parameter is not provided, the duration is set to 40 seconds.
minimum: 40
maximum: 150
default: 40
timeUnit:
$ref: '#/components/schemas/EnumTimeUnitPushTimeout'
required:
- duration
- timeUnit
pairingKeyLifetime:
type: object
properties:
duration:
type: integer
description: The amount of time an issued pairing key can be used until it expires. Minimum is 1 minute and maximum is 48 hours. If this parameter is not provided, the duration is set to 10 minutes.
default: 10
timeUnit:
$ref: '#/components/schemas/EnumTimeUnitPairingKeyLifetime'
required:
- duration
- timeUnit
pushLimit:
type: object
properties:
count:
type: integer
description: The number of consecutive push notifications that can be ignored or rejected by a user within a defined period before push notifications are blocked for the application. The minimum value is 1 and the maximum value is 50. If this parameter is not provided, the default value is 5.
minimum: 1
maximum: 50
default: 5
lockDuration:
type: object
properties:
duration:
type: integer
description: The length of time that push notifications should be blocked for the application if the defined limit has been reached. The minimum value is 1 minute and the maximum value is 120 minutes. If this parameter is not provided, the default value is 30 minutes.
default: 30
timeUnit:
$ref: '#/components/schemas/EnumTimeUnit'
required:
- duration
- timeUnit
timePeriod:
type: object
properties:
duration:
type: integer
description: The time period in which the push notifications are counted towards the defined limit. The minimum value is 1 minute and the maximum value is 120 minutes. If this parameter is not provided, the default value is 10 minutes.
default: 10
timeUnit:
$ref: '#/components/schemas/EnumTimeUnit'
required:
- duration
- timeUnit
otp:
type: object
properties:
enabled:
type: boolean
description: Specifies whether OTP authentication is enabled or disabled for the policy.
required:
- enabled
deviceAuthorization:
type: object
properties:
enabled:
type: boolean
description: Specifies the enabled or disabled state of automatic MFA for native devices paired with the user, for the specified application.
extraVerification:
$ref: '#/components/schemas/EnumMFADevicePolicyMobileExtraVerification'
required:
- enabled
autoEnrollment:
type: object
properties:
enabled:
type: boolean
description: Set to true if you want the application to allow Auto Enrollment. Auto Enrollment means that the user can authenticate for the first time from an unpaired device, and the successful authentication will result in the pairing of the device for MFA.
required:
- enabled
pairingDisabled:
type: boolean
description: You can set `pairingDisabled` to true to prevent users from pairing new devices with the relevant method. You can use this option if you want to phase out an existing authentication method but want to allow users to continue using the method for authentication for existing devices.
integrityDetection:
$ref: '#/components/schemas/EnumMFADevicePolicyMobileIntegrityDetection'
required:
- id
promptForNicknameOnPairing:
type: boolean
description: Set to `true` if you want to allow users to provide nicknames for devices during pairing.
required:
- enabled
- otp
totp:
type: object
description: TOTP device authentication policy settings.
properties:
enabled:
type: boolean
description: Enabled or disabled in the policy.
pairingDisabled:
type: boolean
description: You can set `pairingDisabled` to true to prevent users from pairing new devices with the relevant method. You can use this option if you want to phase out an existing authentication method but want to allow users to continue using the method for authentication for existing devices.
otp:
type: object
properties:
failure:
type: object
properties:
count:
type: integer
description: The maximum number of times that the OTP entry can fail for a user, before they are blocked.
coolDown:
type: object
properties:
duration:
type: integer
description: The duration (number of time units) the user is blocked after reaching the maximum number of passcode failures.
timeUnit:
$ref: '#/components/schemas/EnumTimeUnit'
required:
- duration
- timeUnit
required:
- count
- coolDown
required:
- failure
promptForNicknameOnPairing:
type: boolean
description: Set to `true` if you want to allow users to provide nicknames for devices during pairing.
uriParameters:
type: object
additionalProperties:
type: string
description: Object that you can use to provide key:value pairs for `otpauth` URI parameters. For example, if you provide a value for the `issuer` parameter, then authenticators that support that parameter will display the text you specify together with the OTP (in addition to the username). This can help users recognize which application the OTP is for. If you intend on using the same MFA policy for multiple applications, choose a name that reflects the group of applications.
required:
- enabled
- otp
securityKey:
deprecated: true
$ref: '#/components/schemas/DeviceAuthenticationPolicyFIDODevice'
platform:
deprecated: true
$ref: '#/components/schemas/DeviceAuthenticationPolicyFIDODevice'
default:
type: boolean
description: A boolean that specifies whether the policy is the default for the environment.
forSignOnPolicy:
type: boolean
deprecated: true
updatedAt:
type: string
format: date-time
readOnly: true
description: The time the resource was last updated.
required:
- name
- sms
- email
- voice
- mobile
- totp
- default
- forSignOnPolicy
DeviceAuthenticationPolicyMigrate:
type: object
properties:
migrationData:
type: array
items:
$ref: '#/components/schemas/DeviceAuthenticationPolicyMigrateData'
required:
- migrationData
DeviceAuthenticationPolicyMigrateData:
type: object
properties:
deviceAuthenticationPolicyId:
type: string
description: The ID of the device authentication policy.
fido2PolicyId:
type: string
description: The ID of the FIDO2 policy.
required:
- deviceAuthenticationPolicyId
EnumDeviceAuthenticationPolicyPostContentType:
type: string
enum: [application/json, application/vnd.pingidentity.deviceAuthenticationPolicy.fido2.migrate+json]
EnumFIDOAttestationRequirements:
type: string
enum: [NONE, AUDIT_ONLY, GLOBAL, CERTIFIED, SPECIFIC]
description: |
Determines whether attestation is requested from the authenticator, and whether this information is used to restrict authenticator usage. Can take one of these values:
`NONE` - attestation is not requested
`AUDIT_ONLY` - Attestation is requested and the information is used for logging purposes, but the information is not used for filtering authenticators
`GLOBAL` - all entries in the MDS table can be used for authentication
`CERTIFIED` - only FIDO-certified authenticators can be used
`SPECIFIC` - only specific authenticators can be used. Used in conjunction with `allowedAuthenticators`.
EnumFIDOResidentKeyRequirement:
type: string
enum: [DISCOURAGED, REQUIRED]
description: Used to enable resident keys. Value can be `DISCOURAGED` or `REQUIRED`.
EnumFIDO2PolicyAttestationRequirements:
type: string
enum: [DIRECT, NONE]
description: Set to `DIRECT` if you want to require attestation. Set to `NONE` if you don't want to require attestation. If you set `attestationRequirements` to `NONE`, you should also set `mdsAuthenticatorsRequirements.option` to `NONE`.
EnumFIDO2PolicyAuthenticatorAttachment:
type: string
enum: [PLATFORM, CROSS_PLATFORM, BOTH]
description: |
Used to control the type of authenticators that are allowed. Can be one of the following values:
- `PLATFORM` - only allow the use of FIDO device authenticators that contain an internal authenticator (such as a face or fingerprint scanner)
- `CROSS_PLATFORM` - allow use of cross-platform authenticators, which are external to the accessing device (such as a security key)
- `BOTH` - allow both categories of authenticators
EnumFIDO2PolicyDiscoverableCredentials:
type: string
enum: [DISCOURAGED, REQUIRED, PREFERRED]
description: |
Use this field to specify when registered users can authenticate without providing credentials. The possible values are:
- `DISCOURAGED` - discoverable credentials are not used, even when supported by the FIDO device. In cases where use of discoverable credentials is required by the FIDO device itself, this setting does not override the device setting.
- `REQUIRED` - require the use of discoverable credentials. This option is required for usernameless authentication.
- `PREFERRED` - use discoverable credentials where possible.
EnumFIDO2PolicyMDSAuthenticatorOption:
type: string
enum: [NONE, AUDIT_ONLY, GLOBAL, CERTIFIED, SPECIFIC]
description: |
Use `option` to specify the types of devices you want to allow on the basis of the attestation provided. Can be one of the following values:
- `NONE` - do not request attestation, allow all FIDO devices
- `AUDIT_ONLY` - attestation is requested and the information is used for logging purposes, but the information is not used for filtering authenticators
- `GLOBAL` - allow use of all FIDO authenticators listed in the Global Authenticators table.
- `CERTIFIED` - allow only FIDO Certified authenticators
- `SPECIFIC` - allow only the authenticators specified with the `mdsAuthenticatorsRequirements.allowedAuthenticators` parameter.
EnumFIDO2PolicyUserVerificationOption:
type: string
enum: [REQUIRED, DISCOURAGED, PREFERRED]
description: |
Can be one of the following values:
- `REQUIRED` - only FIDO devices supporting user verification can be used
- `DISCOURAGED` - user verification is not required, even when supported by the FIDO device. In cases where user verification is required by the FIDO device itself, this setting does not override the device setting.
- `PREFERRED` - user verification is required if the user's FIDO device supports it, but is not required if the user's device does not support it.
For usernameless flows, only FIDO devices supporting user verification can be used, regardless of the value you set for `userVerification.option`.
EnumMFADevicePolicyMobileExtraVerification:
type: string
description: Specifies the level of further verification when deviceAuthorization is enabled. The PingOne platform performs an extra verification check by sending a “silent” push notification to the customer native application, and receives a confirmation in return.
enum: [permissive,restrictive]
EnumMFADevicePolicyMobileIntegrityDetection:
type: string
enum: [permissive, restrictive]
description: Controls how authentication or registration attempts should proceed if a device integrity check does not receive a response. Set the value to `permissive` if you want to allow the process to continue. Set the value to `restrictive` if you want to block the user in such situations.
EnumMFADevicePolicyNewDeviceNotification:
type: string
enum: [NONE, EMAIL_THEN_SMS, SMS_THEN_EMAIL]
description: |
Use `newDeviceNotification` to control whether a user should be notified if a new authentication method has been added to their account. Can take one of the following values:
- `NONE` - don't notify the user when a new authentication method is added.
- `EMAIL_THEN_SMS` - notify the user by email. If there is no email address in the user profile, notify the user by SMS. If there is no phone number either, don't notify the user.
- `SMS_THEN_EMAIL` - notify the user by SMS. If there is no phone number in the user profile, notify the user by email. If there is no email address either, don't notify the user.
If the parameter is not provided, the default value is `EMAIL_THEN_SMS`.
EnumMFADevicePolicySelection:
type: string
enum: [DEFAULT_TO_FIRST, PROMPT_TO_SELECT, ALWAYS_DISPLAY_DEVICES]
description: |
The default method that should be used for authentication. Can take one of the following values:
* `DEFAULT_TO_FIRST` - use the method that the user set as their default
* `PROMPT_TO_SELECT` - always have the user select the method to use if there is more than one method available
* `ALWAYS_DISPLAY_DEVICES` - always have the user select the method to use even if there is only one method available
If this parameter is not provided, the `DEFAULT_TO_FIRST` option is used.
EnumMFAPushCredentialAttrType:
type: string
enum: [APNS, FCM, HMS, FCM_HTTP_V1]
description: |
Specifies the push credential type.
Valid values:
* APNS (for Apple)
* FCM_HTTP_V1 (for Google)
* FCM (deprecated, used previously for Google)
* HMS (for Huawei)
EnumMFASettingsDeviceSelection:
type: string
deprecated: true
enum: [DEFAULT_TO_FIRST, PROMPT_TO_SELECT]
description: A string that defines the device selection method. Options are DEFAULT_TO_FIRST (this is the default setting) and PROMPT_TO_SELECT.
EnumMFASettingsPairingKeyFormat:
type: string
enum: [NUMERIC, ALPHANUMERIC]
description: String that controls the type of pairing key issued. The valid values are NUMERIC (12-digit key) and ALPHANUMERIC (16-character alphanumeric key).
EnumTimeUnit:
type: string
enum: [MINUTES, SECONDS]
description: The type of time unit
EnumTimeUnitPairingKeyLifetime:
type: string
enum: [MINUTES, HOURS]
description: The time unit for the `pairingKeyLifetime.duration` parameter.
EnumTimeUnitPushTimeout:
type: string
enum: [SECONDS]
description: The time unit for the `pushTimeout.duration` parameter. Currently, the only permitted value is `SECONDS`.
FIDOCustomDeviceMetadata:
type: object
FIDODevice:
type: object
FIDOPolicy:
type: object
deprecated: true
properties:
'_links':
$ref: '#/components/schemas/LinksHATEOAS'
id:
type: string
description: FIDO policy's UUID.
readOnly: true
createdAt:
type: string
format: date-time
readOnly: true
description: The time the resource was created.
updatedAt:
type: string
format: date-time
readOnly: true
description: The time the resource was last updated.
_embedded:
type: object
environment:
$ref: '#/components/schemas/ObjectEnvironment'
name:
type: string
description: The name to use for the FIDO policy.
description:
type: string
description: Description of the FIDO policy.
attestationRequirements:
$ref: '#/components/schemas/EnumFIDOAttestationRequirements'
allowedAuthenticators:
type: array
description: If `attestationRequirements` is set to `SPECIFIC`, this array is used to specify the authenticators that you want to allow.
items:
type: object
properties:
id:
type: string
description: The identifier of the authenticator to allow.
required:
- id
enforceDuringAuthentication:
type: boolean
description: This parameter is relevant only if you have set `attestationRequirements` to `SPECIFIC` in order to restrict usage to only certain authenticators. If set to `true`, the policy will be applied both during registration and during each authentication attempt. If set to `false`, the policy is applied only during registration. Default is `false`.
default: false
default:
type: boolean
description: Whether this policy should serve as the default FIDO policy.
residentKeyRequirement:
$ref: '#/components/schemas/EnumFIDOResidentKeyRequirement'
required:
- name
- attestationRequirements
- residentKeyRequirement
FIDO2Policy:
type: object
properties:
'_links':
$ref: '#/components/schemas/LinksHATEOAS'
id:
type: string
description: FIDO policy's UUID.
readOnly: true
environment:
$ref: '#/components/schemas/ObjectEnvironment'
createdAt:
type: string
format: date-time
readOnly: true
description: The time the resource was created.
updatedAt:
type: string
format: date-time
readOnly: true
description: The time the resource was last updated.
attestationRequirements:
$ref: '#/components/schemas/EnumFIDO2PolicyAttestationRequirements'
authenticatorAttachment:
$ref: '#/components/schemas/EnumFIDO2PolicyAuthenticatorAttachment'
backupEligibility:
type: object
description: Used to control whether users should be allowed to register and authenticate with a device that uses cloud-synced credentials, such as a passkey.
properties:
allow:
type: boolean
description: Set to `true` if you want to let users register and authenticate with a device that uses cloud-synced credentials. Set to `false` if you don't want to allow this.
enforceDuringAuthentication:
type: boolean
description: Set to `true` if you want the backup eligibility of the device to be checked again at each authentication attempt and not just once during registration. Set to `false` to have it checked only at registration.
required:
- allow
- enforceDuringAuthentication
default:
type: boolean
description: Whether this policy should serve as the default FIDO policy.
description:
type: string
description: Description of the FIDO policy.
deviceAuthenticationPolicies:
type: array
description: The device authentication policies that use the relevant FIDO policy. If you include the parameter `expand=deviceAuthenticationPolicies` in the URL of the request, this array is included in the response when reading FIDO policies. Each object in the array contains the ID and the name of the device authentication policy.
readOnly: true
items:
type: string
deviceDisplayName:
type: string
description: The name to display for the device in registration and authentication windows. Can be up to 100 characters. If you want to use translatable text, you can use any of the keys listed on the *FIDO Policy* page of the *Self-Service* module and the *Sign On Policy* module. The value of the parameter should include only the part of the key name that comes after the module name, for example, `fidoPolicy.deviceDisplayName01` or `fidoPolicy.deviceDisplayName07`. See the pages in the UI for the full list of keys. For more information on translatable keys, see [Modifying translatable keys](https://docs.pingidentity.com/access/sources/dita/topic?category=p1&resourceid=pingone_modifying_translatable_keys) in the PingOne documentation.
maxLength: 100
discoverableCredentials:
$ref: '#/components/schemas/EnumFIDO2PolicyDiscoverableCredentials'
mdsAuthenticatorsRequirements:
type: object
description: Used to specify whether attestation is requested from the authenticator, and whether this information is used to restrict authenticator usage.
properties:
allowedAuthenticators:
type: array
description: If you set `mdsAuthenticatorsRequirements.option` to `SPECIFIC`, use this array to specify the authenticators that you want to allow.
items:
type: object
properties:
id:
type: string
description: The mdsIdentitfer of the authenticator to allow.
required:
- id
enforceDuringAuthentication:
type: boolean
description: Set to true if you want the device characteristics related to attestation to be checked again at each authentication attempt and not just once during registration. Set to false to have them checked only at registration.
option:
$ref: '#/components/schemas/EnumFIDO2PolicyMDSAuthenticatorOption'
required:
- enforceDuringAuthentication
- option
name:
type: string
description: The name to use for the FIDO policy. Can be up to 256 characters.
maxLength: 256
relyingPartyId:
type: string
description: The ID of the relying party. The value should be a domain name, such as `example.com` (in lower-case characters).
userDisplayNameAttributes:
type: object
description: Used to specify the string associated with the users's account that is displayed during registration and authentication.
properties:
attributes:
type: array
description: |
List of strings associated with the users's account that can be displayed during registration and authentication. Each object in the array is a name:value pair where the first part is "name" and the second is the name of the user attribute, for example, `{"name": "username"}`, `{"name": "email"}`. If you want to use the "name" attribute for the user, you must also specify the "subAttributes", which can be either the "given" and "family" user attributes or the "formatted" user attribute. For example, `{"name": “name”, “subAttributes”:[{“name”: “given”}, {“name”: “family”}]}, {"name": "email"}` or `{"name": “name”, “subAttributes”:[{“name”: “formatted”}]}, {"name": "email"}`.
- The content of the list should reflect the preferred order.
- If the first attribute is empty for the user, PingOne will continue through the list until a non-empty attribute is found.
- You can specify any user attribute (including custom attributes) that meet the following criteria: attribute type must be String, validation cannot be set to enumerated values.
- The array must contain the user attribute "username" - to ensure that there is at least one non-empty attribute.
- You can have a maximum of six user attributes in the list.
items:
type: object
properties:
name:
type: string
description: The name of the attribute to use for the user display name.
subAttributes:
type: array
description: The sub-attributes to use for the user display name.
items:
type: object
properties:
name:
type: string
description: The name of the sub-attribute to use for the user display name.
required:
- name
required:
- name
required:
- attributes
userVerification:
type: object
description: Used to control whether the user must perform a gesture (such as a public key credential, fingerprint scan, or a PIN code) when registering or authenticating with their FIDO device.
properties:
enforceDuringAuthentication:
type: boolean
description: Set to `true` if you want the device characteristics related to user verification to be checked again at each authentication attempt and not just once during registration. Set to `false` to have them checked only at registration.
option:
$ref: '#/components/schemas/EnumFIDO2PolicyUserVerificationOption'
required:
- enforceDuringAuthentication
- option
required:
- attestationRequirements
- authenticatorAttachment
- backupEligibility
- deviceDisplayName
- discoverableCredentials
- mdsAuthenticatorsRequirements
- name
- relyingPartyId
- userDisplayNameAttributes
- userVerification
MFAPushCredential:
type: object
properties:
type:
$ref: '#/components/schemas/EnumMFAPushCredentialAttrType'
required:
- type
MFAPushCredentialAPNS:
allOf:
- $ref: '#/components/schemas/MFAPushCredential'
- type: object
properties:
key:
type: string
format: password
description: A string that Apple uses as an identifier to identify an authentication key. Mandatory.
teamId:
type: string
description: A string that Apple uses as an identifier to identify teams.
token:
type: string
format: password
description: A string that Apple uses as the authentication token signing key to securely connect to APNS. This is a p8 file with a private key format.
required:
- key
- teamId
- token
MFAPushCredentialFCM:
deprecated: true
allOf:
- $ref: '#/components/schemas/MFAPushCredential'
- type: object
deprecated: true
properties:
key:
type: string
format: password
description: A string that Apple uses as an identifier to identify an authentication key. Mandatory.
deprecated: true
required:
- key
MFAPushCredentialFCMHTTPV1:
allOf:
- $ref: '#/components/schemas/MFAPushCredential'
- type: object
properties:
googleServiceAccountCredentials:
type: string
format: password
description: Used when `type` is set to `FCM_HTTP_V1`. The value should be the contents of the JSON file that represents your Service Account Credentials.
required:
- googleServiceAccountCredentials
MFAPushCredentialHMS:
allOf:
- $ref: '#/components/schemas/MFAPushCredential'
- type: object
properties:
clientId:
type: string
description: Used only if type is set to HMS. OAuth 2.0 Client ID from the Huawei Developers API console.
clientSecret:
type: string
format: password
description: Used only if type is set to HMS. The client secret associated with the OAuth 2.0 Client ID.
required:
- clientId
- clientSecret
MFAPushCredentialRequest:
oneOf:
- $ref: '#/components/schemas/MFAPushCredentialAPNS'
- $ref: '#/components/schemas/MFAPushCredentialFCM'
- $ref: '#/components/schemas/MFAPushCredentialFCMHTTPV1'
- $ref: '#/components/schemas/MFAPushCredentialHMS'
discriminator:
propertyName: type
mapping:
APNS: '#/components/schemas/MFAPushCredentialAPNS'
FCM: '#/components/schemas/MFAPushCredentialFCM'
HMS: '#/components/schemas/MFAPushCredentialHMS'
FCM_HTTP_V1: '#/components/schemas/MFAPushCredentialFCMHTTPV1'
MFAPushCredentialResponse:
type: object
properties:
'_links':
$ref: '#/components/schemas/LinksHATEOAS'
id:
type: string
readOnly: true
description: A string that specifies the push credential ID.
type:
$ref: '#/components/schemas/EnumMFAPushCredentialAttrType'
createdAt:
type: string
format: date-time
readOnly: true
description: The time the resource was created.
updatedAt:
type: string
format: date-time
readOnly: true
description: The time the resource was last updated.
MFASettings:
type: object
properties:
'_links':
$ref: '#/components/schemas/LinksHATEOAS'
environment:
$ref: '#/components/schemas/ObjectEnvironment'
authentication:
type: object
deprecated: true
description: An object that contains the device selection settings.
properties:
deviceSelection:
$ref: '#/components/schemas/EnumMFASettingsDeviceSelection'
required:
- deviceSelection
lockout:
type: object
description: An object that contains lockout settings.
properties:
failureCount:
type: integer
description: An integer that defines the maximum number of incorrect authentication attempts before the account is locked.
durationSeconds:
type: integer
description: An integer that defines the number of seconds to keep the account in a locked state.
required:
- failureCount
pairing:
type: object
description: An object that contains pairing settings.
properties:
maxAllowedDevices:
type: integer
description: An integer that defines the maximum number of MFA devices each user can have. This can be any number up to 15. The default value is 5.
default: 5
maximum: 15
pairingKeyFormat:
$ref: '#/components/schemas/EnumMFASettingsPairingKeyFormat'
required:
- maxAllowedDevices
- pairingKeyFormat
phoneExtensions:
type: object
description: Contains settings for phone extension support.
properties:
enabled:
type: boolean
description: Set to `true` to allow one-time passwords to be delivered via voice to phone numbers that include extensions. Set to `false` to disable support for phone numbers with extensions. By default, support for extensions is disabled.
updatedAt:
type: string
format: date-time
readOnly: true
description: The time the resource was last updated.
users:
type: object
description: Contains information about the default settings for new users.
properties:
mfaEnabled:
type: boolean
description: Set `mfaEnabled` to `true` if you want MFA to be enabled by default for new users.
required:
- pairing
ObjectEnvironment:
type: object
readOnly: true
properties:
id:
type: string
readOnly: true
description: A string that specifies the environment associated with the object.
P1Error:
type: object
properties:
id:
description: A unique identifier that is stored in log files and always included in an error response. This value can be used to track the error received by the client, with server-side activity included for troubleshooting purposes.
type: string
code:
description: A general fault code which the client must handle to provide all exception handling routines and to localize messages for users. This code is common across all PingOne services and is human readable (such as a defined constant rather than a number).
type: string
message:
description: A short description of the error. This message is intended to assist with debugging and is returned in English only.
type: string
details:
description: Additional details about the error. Optional information to help resolve the error and to display to users.
type: array
items:
type: object
properties:
code:
description: A general fault code which the client must handle to provide all exception handling routines and to localize messages for users. This code is common across all PingOne services and is human readable (such as a defined constant rather than a number).
type: string
target:
description: The item that caused the error (such as a form field ID or an attribute inside a JSON object).
type: string
message:
description: A short description of the error. This message is intended to assist with debugging and is returned in English only.
type: string
innerError:
description: Additional details to help the client developer resolve the fault (primarily for UI validation reasons).
type: object
properties:
rangeMinimumValue:
description: Errors that failed due to range violation. This attribute represents the minimum value of the range.
type: integer
rangeMaximumValue:
description: The maximum range or value of an attribute.
type: integer
allowedPattern:
description: A regex pattern describing an acceptable input pattern.
type: string
allowedValues:
description: A list describing acceptable values.
type: array
items:
type: string
maximumValue:
description: The maximum value allowed for the request.
type: integer
referencedValues:
type: array
items:
type: string
UserMFAEnabled:
type: object
properties:
'_links':
$ref: '#/components/schemas/LinksHATEOAS'
mfaEnabled:
type: boolean
description: Whether multi-factor authentication is enabled. This attribute is set to `false` by default when the user is created.
required:
- mfaEnabled
responses:
'400':
description: Invalid request received. Malformed JSON, malformed HTTP request.
content:
application/json:
schema:
$ref: '#/components/schemas/P1Error'
'401':
description: Request failed due to authorization issue.
content:
application/json:
schema:
$ref: '#/components/schemas/P1Error'
'403':
description: Request failed due to authorization issue.
content:
application/json:
schema:
$ref: '#/components/schemas/P1Error'
'404':
description: Not found.
content:
application/json:
schema:
$ref: '#/components/schemas/P1Error'