PingOne SSO

The following guide takes you thorough the process of enabling passwordless biometric authentication on PingOne SSO to provide enhanced password less authentication experience to applications

Authentication: Configure External IdP

Log in to PingOne Admin console for your environment.

  1. Create an External Identity Provider

  2. Select the Custom option to create an OpenID Connect IdP

  3. Fill in IdP profile details

  4. Provide OIDC Connection details

    • Client ID: Provided by Keyless Account team

    • Client Secret:

    • OIDC Discover Document URI: Provided by

  5. Click on Use Discovery Document link to populate OIDC endpoints

  6. Fill in OIDC scopes: openid profile email

  7. Make a note of the callback URL generated by PingOne: This will be required by Keyless Account team

  8. Provide OIDC attribute mapping between PingOne & Keyless IdP. Note that Keyless IDP will return username in preferred_username attribute on the incoming claim

  9. Enable External IdP just created

  10. Summary of Configuration on Keyless IdP

  11. Update Authentication Policy to include Keyless External IdP

  12. Under Experiences-> Authentication Policies -> Single Factor Add Keyless External IDP as a IdP to be presented on Login

  13. Send the call back URL to the Keyless team.

This completes configuration of Keyless as External Identity Provider

Keyless Enrollment: SP/RP Configuration

For enrollment with keyless we'll need to create a new Application on PingOne for Keyless OIDC Service provider.

  1. Create an OIDC application of type Web App

    ![](../../.gitbook/assets/KL_P1_SP_001 (1).png)

  2. Select OIDC and click on Configure link/button to continue to OIDC configuration

  3. Provide a name, optionally a description and an icon that can be uploaded

  4. Enter OIDC redirect URL provided by Keyless

  5. Configure OIDC scopes: openid, profile & email

  6. Configure Attribute mapping: preferred_username is the outbound attribute that would be populated with users email address as below:

  7. On completion OIDC application configuration would look like the following, relevant items highlighted below can be edited and saved here

This completes the OIDC Service Provider/ Keyless Enrollment end of configuration.

Keyless Enrollment

From a web browser navigate to the enrollment URL provided by Keyless account team. Browser will follow redirect an take you to PingOne Logon page where you'll need to authenticate with PingOne credentials:

On successful authentication browser gets redirected to Keyless enrollment site where you can enroll your mobile device by scanning the QR code displayed on screen

Keyless Authentication

From a web browser navigate to an application secured using PingOne SSO solution such as: https://apps.pingone.com/<your-tenant-id>/myapps/

  1. Authenticate with Keyless option on the logon screen will initiate passwordless authentication with Keyless

  2. Your enrolled mobile device will receive a notification to perform a biometric authentication

  3. On initial logon with Keyless PingOne performs account linking and you may have to enter your password

Last updated