PingOne SSO

The following guide takes you thorough the process of enabling passwordless biometric authentication on PingOne SSO to provide enhanced password less authentication experience to applications

Following is a short video to demonstrate Keyless authentication experience to PingOne Enduser Portal.

In our next short video we'll go over the process of enrolling a PingOne user to Keyless

Our final short clip is to demonstrate the initial login with Keyless to PingOne where a linked account is created on PingOne. This is a one time only step: once the accounts are linked authentication process works as shown on our very first clip

Authentication: Configure External IdP

Logon to PingOne Admin console for your environment.

  • Create an External Identity Provider

  • Select the Custom option to create an OpenID Connect IdP

  • Fill in IdP profile details

  • Provide OIDC Connection details

    • Client ID: Provided by Keyless Account team

    • Client Secret:

    • OIDC Discover Document URI: Provided by

    • Click on Use Dicovery Document link to populate OIDC endpoints

    • Fill in OIDC scopes: openid profile email

    • Make a note of the callback URL generated by PingOne: This will be required by Keyless Account team

  • Provide OIDC attribute mapping between PingOne & Keyless IdP

    • Note that Keyless IDP will return username in preferred_username attribute on teh incoming claim

  • Enable Exernal IdP just created

  • Summary of Configuration on Keyless IdP

  • Update Authentication Policy to include Keyless External IdP

    • Under Experiences-> Authenticaiton Policies -> Single Factor Add Keyless External IDP as a IdP to be presented on Login

This completes configuration of Keyless as External Identity Provider

Keyless Enrolment: SP/RP Configuration

For enrolment with keyless we'll need to create a new Application on PingOne for Keyless OIDC Service provider.

  • Create an OIDC application of type Web App

  • Select OIDC and click on Configure link/button to continue to OIDC configuration

  • Provide a name, optionally a description and an icon that can be uploaded

  • Enter OIDC redirect URL provided by Keyless

  • Configure OIDC scopes: openid, profile & email

  • Configure Attribute mapping: preferred_username is the outbound attribute that would be populated with users email address as below:

  • On completion OIDC application configuration would look like the following, relevant items highlighted below can be edited and saved here

This completes the OIDC Service Provider/ Keyless Enrolment end of configuration.

Keyless Enrolment

From a webrowser navigate to the enrolment URL provided by Keyless account team. Browser will follow redirect an take you to PingOne Logon page where you'll need to authenticate with PingOne credentials:

  • On succesful authentication browser gets redirected to Keyless enrolment site where you can enroll your mobile device by scanning the QR code displayed on screen

Keyless Authentication

From a web briwser navigate to an application secured using PingOne SSO solution e.g. PingOne Application Portal URL:<<your-tenant-id>>/myapps/

  • Authenticate with Keyless option on the logon screen will initiate passwordless authentication with Keyless

  • Your enrolled mobile device will receive a notification to perfrom a biometric authentication

  • On initial logon with Keyless PingOne performs account linking and you may have to enter your password

🏁pagePost Integration

Last updated