PingOne SSO
The following guide takes you through the process of enabling passwordless biometric authentication on PingOne SSO to provide an enhanced passwordless authentication experience to applications.
The following short video demonstrates the Keyless authentication experience to the PingOne End User Portal.
Keyless Authentication to PingOne End User Portal
In our next short video we'll go over the process of enrolling a PingOne user to Keyless.
Our final short clip demonstrates the initial login with Keyless to PingOne, where a linked account is created on PingOne. This is a one-time-only step: once the accounts are linked, the authentication process works as shown in our very first clip.
Log on to the PingOne Admin console for your environment.
- Create an External Identity Provider

- Select the Custom option to create an OpenID Connect IdP

- Fill in IdP profile details

- Provide OIDC Connection details
- Client ID: Provided by Keyless Account team
- Client Secret:
- OIDC Discovery Document URI: Provided by
- Click on the Use Discovery Document link to populate the OIDC endpoints
- Fill in OIDC scopes: openid profile email
- Make a note of the callback URL generated by PingOne: This will be required by Keyless Account team

- Provide OIDC attribute mapping between PingOne & Keyless IdP
- Note that the Keyless IdP will return the username in the preferred_username attribute of the incoming claim

- Enable the External IdP just created

- Summary of Configuration on Keyless IdP

OIDC Connection configuration summary

OIDC Attribute mapping
- Update Authentication Policy to include Keyless External IdP
- Under Experiences -> Authentication Policies -> Single Factor, add the Keyless External IdP as an IdP to be presented on login

This completes configuration of Keyless as External Identity Provider
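Before relying on the endpoints that the Use Discovery Document step populates, the discovery document can be checked against what this guide configures (the scopes openid profile email and the preferred_username mapping). The sketch below is an added example, not Keyless or PingOne code; the host keyless-idp.example and both sample documents are constructed, while the field names come from OpenID Connect Discovery.

```python
from urllib.parse import urlsplit

# Values this guide configures on the PingOne side.
REQUIRED_SCOPES = {"openid", "profile", "email"}
MAPPED_CLAIM = "preferred_username"
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(doc, expected_issuer):
    """Return a list of problems found in an OIDC discovery document."""
    problems = []
    # The issuer must equal the value the IdP operator gave you; a mismatch
    # means the document describes a different IdP.
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer mismatch")
    for key in ("issuer",) + ENDPOINT_KEYS:
        value = doc.get(key)
        if not value:
            problems.append(f"{key} missing")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https")
    # scopes_supported and claims_supported are optional metadata, so a
    # finding here is a question for the IdP operator, not proof of a fault.
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ",".join(sorted(missing)))
    if MAPPED_CLAIM not in doc.get("claims_supported", []):
        problems.append(f"{MAPPED_CLAIM} not advertised in claims_supported")
    # Conservative check: refuse a document that offers unsigned ID tokens.
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("unsigned ID tokens (alg none) advertised")
    return problems

# Constructed sample documents; keyless-idp.example is a placeholder host.
ISSUER = "https://keyless-idp.example/realms/demo"
GOOD_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/auth",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/certs",
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "email", "preferred_username"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
BAD_DOC = dict(GOOD_DOC, token_endpoint="http://keyless-idp.example/token",
               scopes_supported=["openid"], claims_supported=["sub"])

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_discovery(doc, ISSUER) or "ok")
```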
For enrolment with Keyless we'll need to create a new Application on PingOne for the Keyless OIDC Service Provider.
- Create an OIDC application of type Web App

- Select OIDC and click on Configure link/button to continue to OIDC configuration

- Provide a name, optionally a description and an icon that can be uploaded

- Enter OIDC redirect URL provided by Keyless

- Configure OIDC scopes: openid, profile & email

- Configure Attribute mapping: preferred_username is the outbound attribute that will be populated with the user's email address, as below:

- On completion, the OIDC application configuration will look like the following; the relevant items highlighted below can be edited and saved here




This completes the OIDC Service Provider/ Keyless Enrolment end of configuration.
From a web browser, navigate to the enrolment URL provided by the Keyless account team. The browser will follow the redirect and take you to the PingOne logon page, where you'll need to authenticate with PingOne credentials:

- On successful authentication, the browser is redirected to the Keyless enrolment site, where you can enrol your mobile device by scanning the QR code displayed on screen

From a web browser, navigate to an application secured using the PingOne SSO solution, e.g. the PingOne Application Portal URL: https://apps.pingone.com/<<your-tenant-id>>/myapps/
- Selecting the Authenticate with Keyless option on the logon screen will initiate passwordless authentication with Keyless

- Your enrolled mobile device will receive a notification to perform a biometric authentication

- On initial logon with Keyless PingOne performs account linking and you may have to enter your password

