One-Time Passcode Integration Kit

One-Time Passcode IdP Adapter settings reference

Field descriptions for the One-Time Passcode IdP Adapter configuration page.

Standard fields
Field Description

Device Selection

Automatic

The adapter uses the method named in the Preferred Delivery Method Attribute, or the first delivery method that it matches in the Notification Delivery Methods list.

User Choice

The adapter prompts the user to choose the delivery method.

Preferred Delivery Method Attribute

The source attribute that contains the user’s preferred one-time passcode (OTP) delivery method.

If the user has a valid preferred delivery method attribute, it overrides the Automatic and User Choice options above.

For example, you enter OTPPreference in this field. You also create a user attribute called OTPPreference in your datastore or pass it to this adapter as a chained attribute.

When Alice signs on, the adapter checks her OTPPreference attribute. The value is sms, which matches one of the Language Properties and Template Key entries in the Notification Delivery Methods table. The adapter automatically sends the OTP to Alice by SMS message.

Attribute Source

The source of the attribute in the Preferred Delivery Method Attribute field and the attributes listed in the Contact Attribute column of the Notification Delivery Methods table.

Select a datastore, or select Chained Attributes if the adapter receives the attributes from earlier in the authentication flow.

Search String

The string that the adapter uses to search the datastore to find the user.

  • For JDBC, enter a "select" statement. For example, select email, phone from <db.table> where username=${userid}.

  • For LDAP, enter an LDAP filter. For example, sAMAccountName=${userid}.

  • For a PingOne datastore, enter the attribute. For example, username=${userid} or id=${userid}s.

  • For REST API datastores, enter the resource path appended to the base URL of the REST API datastore. For example, /users?uid=${userid}.

The ${userid} variable contains the user ID. Your adapter instance receives this from earlier in your PingFederate authentication flow.

Base DN

The base DN that the adapter uses when connecting to an LDAP datastore.

Test User ID

The user ID used to test the configuration on the Actions tab.

Failure Mode

This setting determines whether the adapter should block the user’s sign-on attempt or bypass the OTP requirement when the adapter can’t find the user or contact information in the datastore or chained attributes.
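The following Python sketch is an added example, not code from PingFederate or the integration kit. It models how Device Selection, the Preferred Delivery Method Attribute, and Failure Mode interact, and lists the accounts that would skip the OTP if Failure Mode bypasses it. The table rows, attribute names, user records, and the "block" and "bypass" labels are constructed assumptions, as is the rule that a method is usable only when its Contact Attribute has a value.

```python
# Simplified model of the documented selection rules (added illustration,
# not PingFederate or integration kit code).

# Constructed Notification Delivery Methods table, in table order:
# (Template Key, Contact Attribute). Attribute names are sample values.
DELIVERY_METHODS = [("sms", "phone"), ("email", "mail")]
PREFERRED_ATTR = "OTPPreference"  # Preferred Delivery Method Attribute field

# Constructed user records; None stands for "not found in the datastore".
USERS = {
    "alice": {"OTPPreference": "sms", "phone": "+15550100", "mail": "alice@example.com"},
    "bob": {"mail": "bob@example.com"},
    "carol": {"OTPPreference": "sms"},  # no contact attributes at all
    "dave": None,
}


def resolve(user, device_selection="Automatic", failure_mode="block"):
    """Return (outcome, detail) for one user record.

    "block" and "bypass" are assumed labels for the two Failure Mode behaviours.
    Assumption: a method is usable only if its Contact Attribute has a value.
    """
    usable = [key for key, attr in DELIVERY_METHODS if user and user.get(attr)]
    if not usable:
        # User or contact information not found: Failure Mode decides.
        return ("otp_bypassed" if failure_mode == "bypass" else "blocked", None)
    preferred = user.get(PREFERRED_ATTR)
    if preferred in usable:
        return ("send", preferred)  # a valid preference overrides both modes
    if device_selection == "User Choice":
        return ("prompt", usable)
    return ("send", usable[0])  # Automatic: first matching method in table order


def audit_bypass(users):
    """User IDs that would skip OTP if Failure Mode were set to bypass."""
    return [uid for uid, rec in users.items()
            if resolve(rec, failure_mode="bypass")[0] == "otp_bypassed"]


if __name__ == "__main__":
    for uid, rec in USERS.items():
        print(uid, resolve(rec), resolve(rec, "User Choice"))
    print("bypass candidates:", audit_bypass(USERS))
```

Running the audit over a directory export before choosing the bypass behaviour shows which accounts would sign on without an OTP.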

Advanced fields
Field Description

OTP Length

Length of the OTP generated by the adapter.

The default value is 6.

Max OTP Attempts

The maximum number of times the user is allowed to try entering the OTP before authentication fails.

The default value is 3.

Max OTP Resends

The maximum number of times the user is allowed to request a specific OTP to be sent. After reaching this limit, the Resend button on the passcode entry prompt no longer resends the passcode.

The default value is 15.

Show Success Screens

Determines whether the adapter shows an authentication success screen to the user.

This checkbox is selected by default.

Show Error Screens

Determines whether the adapter shows an authentication error screen to the user.

This checkbox is selected by default.

OTP Generator Field

A read-only value used by the adapter.

Do not edit this field.

This field is hidden in PingFederate 10.0 and later.

LDAP Search Scope

When the attribute source is an LDAP datastore, this setting determines the scope of the user search.

Single Level

Searches the immediate children of the base object, but excludes the base object itself.

Include Subtree (default)

Searches all child objects as well as the base object.