PingOne SSO
The following guide takes you through the process of enabling passwordless biometric authentication on PingOne SSO to provide an enhanced passwordless authentication experience to applications.
The following short video demonstrates the Keyless authentication experience for the PingOne Enduser Portal.
In our next short video we'll go over the process of enrolling a PingOne user to Keyless.
Our final short clip demonstrates the initial login with Keyless to PingOne, where a linked account is created on PingOne. This is a one-time-only step: once the accounts are linked, the authentication process works as shown in our very first clip.
Authentication: Configure External IdP
Log on to the PingOne Admin console for your environment.
Create an External Identity Provider
Select the Custom option to create an OpenID Connect IdP
Fill in IdP profile details
Provide OIDC Connection details
Client ID: Provided by Keyless Account team
Client Secret:
OIDC Discovery Document URI: Provided by
Click the Use Discovery Document link to populate the OIDC endpoints
Fill in OIDC scopes: openid profile email
Make a note of the callback URL generated by PingOne: this will be required by the Keyless Account team
Provide OIDC attribute mapping between PingOne & Keyless IdP
Note that the Keyless IdP will return the username in the preferred_username attribute on the incoming claim
Enable the External IdP just created
Summary of Configuration on Keyless IdP
Update Authentication Policy to include Keyless External IdP
Under Experiences -> Authentication Policies -> Single Factor, add the Keyless External IdP as an IdP to be presented on login
This completes configuration of Keyless as External Identity Provider
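An added example, not part of the Keyless or PingOne documentation: a Python pre-flight check you can run on the discovery document before populating the OIDC endpoints from it. It confirms that the issuer matches the discovery URI, that the endpoints use https, and that the scopes and the preferred_username claim used in this guide are advertised. The host idp.example and both sample documents are constructed.

```python
from urllib.parse import urlparse

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = {"openid", "profile", "email"}   # scopes from this guide
USERNAME_CLAIM = "preferred_username"              # claim the Keyless IdP returns
WELL_KNOWN = "/.well-known/openid-configuration"


def check_discovery(doc, discovery_uri):
    """Return a list of problems found in a parsed OIDC discovery document."""
    problems = []
    # OIDC Discovery: the issuer must equal the URL the document was fetched
    # from, minus the well-known suffix. A mismatch means the wrong document.
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") + WELL_KNOWN != discovery_uri:
        problems.append("issuer does not match discovery URI")
    for name in REQUIRED_ENDPOINTS:
        url = doc.get(name)
        if not url:
            problems.append(f"{name} missing")
        elif urlparse(url).scheme != "https":
            problems.append(f"{name} is not https")
    # scopes_supported and claims_supported are optional metadata; absence is
    # reported too, so the mapping gets confirmed by hand with the IdP owner.
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    if USERNAME_CLAIM not in doc.get("claims_supported", []):
        problems.append(f"{USERNAME_CLAIM} not in claims_supported")
    return problems


# Constructed sample documents (hypothetical host, not a real Keyless endpoint).
URI = "https://idp.example" + WELL_KNOWN
GOOD = {
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/auth",
    "token_endpoint": "https://idp.example/token",
    "jwks_uri": "https://idp.example/certs",
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "email", "preferred_username"],
}
BAD = dict(GOOD, token_endpoint="http://idp.example/token",
           scopes_supported=["openid"], claims_supported=["sub"])

if __name__ == "__main__":
    print(check_discovery(GOOD, URI))
    for problem in check_discovery(BAD, URI):
        print("FAIL:", problem)
```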
Keyless Enrolment: SP/RP Configuration
For enrolment with Keyless, we'll need to create a new application on PingOne for the Keyless OIDC service provider.
Create an OIDC application of type Web App
Select OIDC and click on Configure link/button to continue to OIDC configuration
Provide a name, optionally a description and an icon that can be uploaded
Enter OIDC redirect URL provided by Keyless
Configure OIDC scopes: openid, profile & email
Configure attribute mapping: preferred_username is the outbound attribute that would be populated with the user's email address as below:
On completion, the OIDC application configuration would look like the following. The relevant items highlighted below can be edited and saved here.
This completes the OIDC Service Provider/ Keyless Enrolment end of configuration.
Keyless Enrolment
From a web browser, navigate to the enrolment URL provided by the Keyless account team. The browser will follow the redirect and take you to the PingOne logon page, where you'll need to authenticate with PingOne credentials:
On successful authentication, the browser is redirected to the Keyless enrolment site, where you can enroll your mobile device by scanning the QR code displayed on screen
Keyless Authentication
From a web browser, navigate to an application secured using the PingOne SSO solution, e.g. the PingOne Application Portal URL: https://apps.pingone.com/<<your-tenant-id>>/myapps/
Selecting the Authenticate with Keyless option on the logon screen initiates passwordless authentication with Keyless
Your enrolled mobile device will receive a notification to perform a biometric authentication
On initial logon with Keyless, PingOne performs account linking and you may have to enter your password