PingOne

Known issues and limitations

The following are known issues or limitations for the PingOne MFA Integration Kit.

Known issues

There are no known issues.

Known limitations

Automatic Device Enrollment

The PingOne MFA IdP Adapter only supports automatic device enrollment for SMS, voice, and email authentication methods. Users can add other authentication methods directly through the PingOne MFA self-service URL. Learn more in Self service and Managing authentication methods in the PingOne MFA documentation.

Default Authentication Method Type Setting

If a user has existing authentication methods, but no default is set, the adapter doesn’t set a default authentication method. This scenario can occur if the user was created before PingOne supported default authentication methods.

Localizing the Adapter Messages File

To use a localized version of the adapter messages file, a copy of the core PingFederate messages file must exist with the same language tag. For example, to allow pingone-mfa-messages_fr.properties to work, create pingfederate-messages_fr.properties.
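One way to check this pairing before deploying language packs, as an added example that is not part of the PingOne MFA Integration Kit: the function lists every language tag that has an adapter messages file but no core PingFederate messages file. It assumes both kinds of file sit in the single directory you pass in; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report adapter message files that lack a core PingFederate
# messages file with the same language tag.
# Assumption: both kinds of file live in the one directory passed as $1.

missing_core_messages() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for adapter in "$dir"/pingone-mfa-messages_*.properties; do
        # An unmatched glob stays literal, so skip anything that is not a file.
        [ -e "$adapter" ] || continue
        name=${adapter##*/}
        tag=${name#pingone-mfa-messages_}
        tag=${tag%.properties}
        # Print the tag only when the matching core file is absent.
        [ -e "$dir/pingfederate-messages_${tag}.properties" ] || printf '%s\n' "$tag"
    done
    return 0
}

# Constructed sample: fr has its core copy, de and pt_BR do not.
demo() {
    tmp=$(mktemp -d) || return 1
    touch "$tmp/pingone-mfa-messages.properties" \
          "$tmp/pingfederate-messages.properties" \
          "$tmp/pingone-mfa-messages_fr.properties" \
          "$tmp/pingfederate-messages_fr.properties" \
          "$tmp/pingone-mfa-messages_de.properties" \
          "$tmp/pingone-mfa-messages_pt_BR.properties"
    missing_core_messages "$tmp"
    rm -rf "$tmp"
}

# With a directory argument, check it; otherwise run the constructed sample.
if [ $# -gt 0 ]; then
    missing_core_messages "$1"
else
    demo
fi
```

Each tag printed needs a pingfederate-messages_<tag>.properties file created before the localized adapter messages will be used.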

Maximum PingOne MFA Integration Kit Authentication Session Lifetime

Setting the OTP Lifetime higher than 15 minutes in the PingOne MFA policy has no effect because PingOne flows expire after 15 minutes of inactivity, making the OTP unusable.

MFA Requirements for Password Reset Flow

As a security measure, if the user initiates a password reset flow and multi-factor authentication (MFA) isn’t satisfied, the PingOne MFA IdP Adapter fails. For example, this applies when the user clicks the password reset link on the HTML Form Adapter and the PingOne authentication policy dictates that MFA is bypassed for the user.

Synchronizing Authentication Methods

The PingOne MFA IdP Adapter only adds authentication methods to PingOne. To synchronize authentication methods and other user attributes, use the PingOne Connector provided in the PingOne Integration Kit.