The following guide takes you through the process of enabling passwordless biometric authentication on PingOne SSO, providing an enhanced passwordless authentication experience to applications.
The following short video demonstrates the Keyless authentication experience for the PingOne End User Portal.
Keyless Authentication to PingOne End User Portal
In our next short video we'll go over the process of enrolling a PingOne user with Keyless.
Our final short clip demonstrates the initial login with Keyless to PingOne, where a linked account is created on PingOne. This is a one-time step: once the accounts are linked, the authentication process works as shown in our very first clip.
Authentication: Configure External IdP
Log on to the PingOne Admin console for your environment.
Create an External Identity Provider
Select the Custom option to create an OpenID Connect IdP.
Fill in IdP profile details
Provide OIDC Connection details
Client ID: Provided by the Keyless Account team
Client Secret:
OIDC Discovery Document URI: Provided by
Click on the Use Discovery Document link to populate the OIDC endpoints
Fill in the OIDC scopes: openid profile email
Make a note of the callback URL generated by PingOne: this will be required by the Keyless Account team
Provide OIDC attribute mapping between PingOne & Keyless IdP
Note that the Keyless IdP returns the username in the preferred_username attribute of the incoming claims.
Enable the External IdP just created
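Before enabling the IdP, it is worth checking what the discovery document and the claim mapping will actually give PingOne. The following is an added example, not PingOne or Keyless code; the discovery document, issuer URL and claim values are constructed placeholders, and the check that every endpoint shares the issuer's host is a conservative assumption, not an OIDC requirement.

```python
"""Sanity-check an OIDC discovery document and the preferred_username mapping before enabling the IdP."""
import json
from urllib.parse import urlparse

# Constructed sample discovery document; the issuer is a placeholder, not the real Keyless IdP.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example-keyless.invalid",
    "authorization_endpoint": "https://idp.example-keyless.invalid/oauth2/authorize",
    "token_endpoint": "https://idp.example-keyless.invalid/oauth2/token",
    "jwks_uri": "https://idp.example-keyless.invalid/.well-known/jwks.json",
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "preferred_username", "email"],
})

CONFIGURED_SCOPES = ["openid", "profile", "email"]  # as entered on the PingOne IdP form
# PingOne attribute <- claim on the incoming ID token, as described in the guide.
ATTRIBUTE_MAPPING = {"username": "preferred_username", "email": "email"}
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def endpoints_from_discovery(doc_json, expected_issuer):
    """Return the endpoints PingOne fills in from 'Use Discovery Document'.
    Fails if a key is missing, the issuer differs from the one we intend to trust,
    or an endpoint is not https on the issuer's host (conservative assumption)."""
    doc = json.loads(doc_json)
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    if doc["issuer"] != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc['issuer']!r}")
    issuer_host = urlparse(expected_issuer).hostname
    for key in REQUIRED_KEYS[1:]:
        url = urlparse(doc[key])
        if url.scheme != "https" or url.hostname != issuer_host:
            raise ValueError(f"{key} is not an https URL on the issuer host: {doc[key]}")
    return {k: doc[k] for k in REQUIRED_KEYS}

def missing_scopes(doc_json, configured=CONFIGURED_SCOPES):
    """Scopes configured in PingOne that the IdP does not advertise as supported."""
    supported = set(json.loads(doc_json).get("scopes_supported", []))
    return [s for s in configured if s not in supported]

def map_claims(claims, mapping=ATTRIBUTE_MAPPING):
    """Apply the PingOne attribute mapping to incoming claims; the username source is mandatory
    because account linking cannot proceed without it, other attributes are simply left unset."""
    out = {}
    for attr, claim in mapping.items():
        if claims.get(claim):
            out[attr] = claims[claim]
        elif attr == "username":
            raise ValueError(f"{claim} claim missing or empty; account linking cannot proceed")
    return out
```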
Summary of Configuration on Keyless IdP
OIDC Connection configuration summary
OIDC Attribute mapping
Update Authentication Policy to include Keyless External IdP
Under Experiences -> Authentication Policies -> Single Factor, add the Keyless External IdP as an IdP to be presented on login.
This completes the configuration of Keyless as an External Identity Provider.
Keyless Enrolment: SP/RP Configuration
For enrolment with Keyless we'll need to create a new Application on PingOne for the Keyless OIDC Service Provider.
Create an OIDC application of type Web App
Select OIDC and click on Configure link/button to continue to OIDC configuration
Provide a name, optionally a description and an icon that can be uploaded
Enter OIDC redirect URL provided by Keyless
Configure OIDC scopes: openid, profile & email
Configure Attribute mapping: preferred_username is the outbound attribute that will be populated with the user's email address, as below:
On completion the OIDC application configuration looks like the following; the highlighted items can be edited and saved here.
This completes the OIDC Service Provider / Keyless enrolment side of the configuration.
Keyless Enrolment
From a web browser navigate to the enrolment URL provided by the Keyless account team. The browser will follow a redirect and take you to the PingOne logon page, where you'll need to authenticate with your PingOne credentials:
On successful authentication the browser is redirected to the Keyless enrolment site, where you can enroll your mobile device by scanning the QR code displayed on screen.
Keyless Authentication
From a web browser navigate to an application secured using the PingOne SSO solution, e.g. the PingOne Application Portal URL: https://apps.pingone.com/<<your-tenant-id>>/myapps/
The Authenticate with Keyless option on the logon screen initiates passwordless authentication with Keyless.
Your enrolled mobile device will receive a notification to perform a biometric authentication.
On initial logon with Keyless, PingOne performs account linking and you may have to enter your password.