PingOne SSO
The following guide takes you thorough the process of enabling passwordless biometric authentication on PingOne SSO to provide enhanced password less authentication experience to applications
Authentication: Configure External IdP
Log in to PingOne Admin console for your environment.
Create an External Identity Provider
Select the Custom option to create an OpenID Connect IdP
Fill in IdP profile details
Provide OIDC Connection details
Client ID: Provided by Keyless Account team
Client Secret:
OIDC Discover Document URI: Provided by
Click on Use Discovery Document link to populate OIDC endpoints
Fill in OIDC scopes: openid profile email
Make a note of the callback URL generated by PingOne: This will be required by Keyless Account team
Provide OIDC attribute mapping between PingOne & Keyless IdP. Note that Keyless IDP will return username in
preferred_username
attribute on the incoming claimEnable External IdP just created
Summary of Configuration on Keyless IdP
Update Authentication Policy to include Keyless External IdP
Under Experiences-> Authentication Policies -> Single Factor Add Keyless External IDP as a IdP to be presented on Login
Send the call back URL to the Keyless team.
This completes configuration of Keyless as External Identity Provider
Keyless Enrollment: SP/RP Configuration
For enrollment with keyless we'll need to create a new Application on PingOne for Keyless OIDC Service provider.
Create an OIDC application of type Web App
![](../../.gitbook/assets/KL_P1_SP_001 (1).png)
Select OIDC and click on Configure link/button to continue to OIDC configuration
Provide a name, optionally a description and an icon that can be uploaded
Enter OIDC redirect URL provided by Keyless
Configure OIDC scopes: openid, profile & email
Configure Attribute mapping:
preferred_username
is the outbound attribute that would be populated with users email address as below:On completion OIDC application configuration would look like the following, relevant items highlighted below can be edited and saved here
This completes the OIDC Service Provider/ Keyless Enrollment end of configuration.
Keyless Enrollment
From a web browser navigate to the enrollment URL provided by Keyless account team. Browser will follow redirect an take you to PingOne Logon page where you'll need to authenticate with PingOne credentials:
On successful authentication browser gets redirected to Keyless enrollment site where you can enroll your mobile device by scanning the QR code displayed on screen
Keyless Authentication
From a web browser navigate to an application secured using PingOne SSO solution such as: https://apps.pingone.com/<your-tenant-id>/myapps/
Authenticate with Keyless option on the logon screen will initiate passwordless authentication with Keyless
Your enrolled mobile device will receive a notification to perform a biometric authentication
On initial logon with Keyless PingOne performs account linking and you may have to enter your password
Last updated