Documentation Hub End User Guide Support

PingOne SSO

The following guide takes you thorough the process of enabling passwordless biometric authentication on PingOne SSO to provide enhanced password less authentication experience to applications

Following is a short video to demonstrate Keyless authentication experience to PingOne Enduser Portal.

In our next short video we'll go over the process of enrolling a PingOne user to Keyless

Our final short clip is to demonstrate the initial login with Keyless to PingOne where a linked account is created on PingOne. This is a one time only step: once the accounts are linked authentication process works as shown on our very first clip

Authentication: Configure External IdP

Logon to PingOne Admin console for your environment.

  • Create an External Identity Provider

  • Select the Custom option to create an OpenID Connect IdP

  • Fill in IdP profile details

  • Provide OIDC Connection details

    • Client ID: Provided by Keyless Account team

    • Client Secret:

    • OIDC Discover Document URI: Provided by

    • Click on Use Dicovery Document link to populate OIDC endpoints

    • Fill in OIDC scopes: openid profile email

    • Make a note of the callback URL generated by PingOne: This will be required by Keyless Account team

  • Provide OIDC attribute mapping between PingOne & Keyless IdP

    • Note that Keyless IDP will return username in preferred_username attribute on teh incoming claim

  • Enable Exernal IdP just created

  • Summary of Configuration on Keyless IdP

  • Update Authentication Policy to include Keyless External IdP

    • Under Experiences-> Authenticaiton Policies -> Single Factor Add Keyless External IDP as a IdP to be presented on Login

This completes configuration of Keyless as External Identity Provider

Keyless Enrolment: SP/RP Configuration

For enrolment with keyless we'll need to create a new Application on PingOne for Keyless OIDC Service provider.

  • Create an OIDC application of type Web App

  • Select OIDC and click on Configure link/button to continue to OIDC configuration

  • Provide a name, optionally a description and an icon that can be uploaded

  • Enter OIDC redirect URL provided by Keyless

  • Configure OIDC scopes: openid, profile & email

  • Configure Attribute mapping: preferred_username is the outbound attribute that would be populated with users email address as below:

  • On completion OIDC application configuration would look like the following, relevant items highlighted below can be edited and saved here

This completes the OIDC Service Provider/ Keyless Enrolment end of configuration.

Keyless Enrolment

From a webrowser navigate to the enrolment URL provided by Keyless account team. Browser will follow redirect an take you to PingOne Logon page where you'll need to authenticate with PingOne credentials:

  • On succesful authentication browser gets redirected to Keyless enrolment site where you can enroll your mobile device by scanning the QR code displayed on screen

Keyless Authentication

From a web briwser navigate to an application secured using PingOne SSO solution e.g. PingOne Application Portal URL: https://apps.pingone.com/<<your-tenant-id>>/myapps/

  • Authenticate with Keyless option on the logon screen will initiate passwordless authentication with Keyless

  • Your enrolled mobile device will receive a notification to perfrom a biometric authentication

  • On initial logon with Keyless PingOne performs account linking and you may have to enter your password

PreviousPing IdentityNextSalesforce

Last updated