PingOne SSO

The following guide takes you thorough the process of enabling passwordless biometric authentication on PingOne SSO to provide enhanced password less authentication experience to applications
Following is a short video to demonstrate Keyless authentication experience to PingOne Enduser Portal.
Keyless Authentication to PingOne End User Portal
In our next short video we'll go over the process of enrolling a PingOne user to Keyless
Our final short clip is to demonstrate the initial login with Keyless to PingOne where a linked account is created on PingOne. This is a one time only step: once the accounts are linked authentication process works as shown on our very first clip

Authentication: Configure External IdP

Logon to PingOne Admin console for your environment.
  • Create an External Identity Provider
Figure 1
  • Select the Custom option to create an OpenID Connect IdP
  • Fill in IdP profile details
  • Provide OIDC Connection details
    • Client ID: Provided by Keyless Account team
    • Client Secret:
    • OIDC Discover Document URI: Provided by
    • Click on Use Dicovery Document link to populate OIDC endpoints
    • Fill in OIDC scopes: openid profile email
    • Make a note of the callback URL generated by PingOne: This will be required by Keyless Account team
  • Provide OIDC attribute mapping between PingOne & Keyless IdP
    • Note that Keyless IDP will return username in preferred_username attribute on teh incoming claim
  • Enable Exernal IdP just created
  • Summary of Configuration on Keyless IdP
OIDC Connection configuration summary
OIDC Attribute mapping
  • Update Authentication Policy to include Keyless External IdP
    • Under Experiences-> Authenticaiton Policies -> Single Factor Add Keyless External IDP as a IdP to be presented on Login
This completes configuration of Keyless as External Identity Provider

Keyless Enrolment: SP/RP Configuration

For enrolment with keyless we'll need to create a new Application on PingOne for Keyless OIDC Service provider.
  • Create an OIDC application of type Web App
  • Select OIDC and click on Configure link/button to continue to OIDC configuration
  • Provide a name, optionally a description and an icon that can be uploaded
  • Enter OIDC redirect URL provided by Keyless
  • Configure OIDC scopes: openid, profile & email
  • Configure Attribute mapping: preferred_username is the outbound attribute that would be populated with users email address as below:
  • On completion OIDC application configuration would look like the following, relevant items highlighted below can be edited and saved here
This completes the OIDC Service Provider/ Keyless Enrolment end of configuration.

Keyless Enrolment

From a webrowser navigate to the enrolment URL provided by Keyless account team. Browser will follow redirect an take you to PingOne Logon page where you'll need to authenticate with PingOne credentials:
  • On succesful authentication browser gets redirected to Keyless enrolment site where you can enroll your mobile device by scanning the QR code displayed on screen

Keyless Authentication

From a web briwser navigate to an application secured using PingOne SSO solution e.g. PingOne Application Portal URL:<<your-tenant-id>>/myapps/
  • Authenticate with Keyless option on the logon screen will initiate passwordless authentication with Keyless
  • Your enrolled mobile device will receive a notification to perfrom a biometric authentication
  • On initial logon with Keyless PingOne performs account linking and you may have to enter your password