This guide details the steps required to configure Keyless as a passwordless authentication solution for your ForgeRock instance.
The following two sections cover the Keyless integration with two Ping Identity products: PingOne Cloud SSO and PingFederate.
Keyless can be integrated into any IAM solution to enable biometric authentication. Most implementations consist of three components:
Keyless Middleware
Keyless Authenticator App
Keyless OIDC/SAML2 Connectors
In some cases, a direct integration can also be carried out using the middleware REST API.
The Keyless middleware binds Keyless identities to your IAM users, and is responsible for sending push notifications to the authenticator app.
To authenticate with Keyless, a user must first enroll their biometric template. Keyless provides an enrollment service for this, which must sit behind the customer IAM: a user has to authenticate with the existing identity provider before a biometric template is bound to that account, otherwise anyone could enroll as any user.
Once a user has enrolled successfully, Keyless can be used as an Identity Provider for the customer IAM and therefore as a means of authentication.
To start an OIDC/SAML integration, select your identity provider from the list below
This guide details the steps required to configure Keyless as a passwordless authentication solution for your Okta cloud instance.
This guide walks through configuring Keyless as both an OpenID Connect service provider and an OpenID Connect identity provider for Okta.
As an OpenID Connect service provider, Keyless lets users authenticate with Okta to reach the Account Linking page.
As an OpenID Connect identity provider, Keyless lets enrolled users authenticate with Keyless to access their Okta portal and Okta-enabled apps.
The OpenID Connect SP configuration allows users to authenticate with Okta to reach the Account Linking page.
Prerequisites
Login and Logout redirect URIs provided to you by Keyless.
Log into your Okta administration portal.
Go to "Applications" on the top menu and click "Applications"
Click "Add Application"
Click "Create New App"
Select "Web" as the platform and "OpenID Connect" as the sign-on method, then click "Create".
Name the app "Keyless Account Linking". You can also optionally provide an App logo here, which will display as an icon in the user's portal.
Add the login and logout redirect URI that were provided to you by Keyless.
On the new application page, click "Edit" and change the allowed grant types: under Implicit (Hybrid), tick "Allow ID Token with implicit grant type" and "Allow Access Token with implicit grant type". Enable only the implicit grant types Keyless has told you it needs: the implicit flow delivers tokens in the URL fragment and is discouraged by the OAuth 2.0 Security Best Current Practice, so do not switch it on for other applications by habit.
On the Assignments tab in that same page, click on the Assign button -> Assign to Group. Here you can choose which group of users will access the application. In this case we will choose “Everyone”, which will let every user of the org use the Keyless account linking application.
Back on the General tab, on the bottom of the page, take note of the Client Id and of the Client Secret that Okta provided to you, and send them to Keyless through a secure channel.
A few things you should know before starting the deployment.
As part of your onboarding with Keyless, you should have received the items below. If you don't have one or more of the items, please reach out to your primary Keyless contact or to info@keyless.io.
Client ID: the OIDC client identifier for your Keyless connector.
Client Secret: the OIDC client secret that goes with it (treat it like a password).
Well-known URL: a public URL serving the OIDC discovery document, from which public information such as the Issuer and the endpoints is gathered.
Login URL: the URL to use for login.
Logout URL: the URL to use for logout.
Certificate: the security certificate used to authenticate the backend.
Mobile device for each employee: whether company property or employee-owned, each person needs a mobile device with an internet connection for the optimal passwordless MFA experience. Currently iOS 13.4 or higher on iPhone 6 or newer, and Android 7.0 or higher, are supported.
Keyless app installed for each employee: employees authenticate with the Keyless mobile app, which is available in the App Store and Google Play Store.
Integrating Keyless with Active Directory Federation Services
This integration adds a Keyless multi-factor authentication prompt to web-based logins through an AD FS identity provider and/or Web Application Proxy. After completing primary authentication to the AD FS server, users must complete a Keyless challenge before being redirected back to the relying party.
The OpenID Connect IdP configuration allows enrolled users to authenticate with Keyless to get access to their Okta portal or Okta enabled apps.
In your Admin dashboard, go to "Security" on the top menu and click "Identity Providers":
Click "Add Identity Provider" and select "Add OpenID Connect IdP"
Configure the following settings:
General Settings
Name: Keyless
Client ID: an identifier of your choice, which you will need to provide to Keyless
Client Secret: a secret of your choice (generate it with a cryptographically secure random generator), which you will need to provide to Keyless
Scopes: email, openid, profile
Endpoints (supplied to you by Keyless; the value after each field is the key under which it appears in the Keyless OIDC discovery document):
Issuer: issuer
Authentication Endpoint: authorization_endpoint
Token Endpoint: token_endpoint
JWKS Endpoint: jwks_uri
User Info Endpoint: userinfo_endpoint
Advanced Settings
IdP Username: idpuser.externalId
Match Against: Okta Username
Account Link Policy: Automatic
Auto-Link Restrictions: None
If no match is found: Create New User (JIT)
Profile Source: checked
Group Assignments: None
If you don't want to assign users to a specific group through JIT (Just in Time) provisioning, select "Redirect to sign-in page" under If no match is found. This blocks the use of Keyless as a profile source, leaving account creation in the org to Okta's own account system. Note that with Account Link Policy set to Automatic, an identity asserted by the Keyless IdP is linked to the Okta user whose username matches, so the linking decision rests entirely on what the Keyless IdP asserts and on the IdP settings above (issuer, JWKS endpoint, client secret) being exact.
Click Update Identity Provider. On the Identity Providers page, expand the entry you just created and take note of the IdP ID and the Redirect URI.
Provide Keyless with the following through a secure channel:
Client ID and Secret of Account Linking App.
Client ID and Secret of Identity Provider.
IdP ID and redirect URI of the Identity Provider.
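As an added example that is not part of the Keyless or Okta documentation: the PowerShell below reads an OIDC discovery document such as the one behind the Keyless well-known URL, checks that it is internally consistent (https issuer, every endpoint on the issuer's host, the authorization code response type and the email/openid/profile scopes advertised), and prints the five values in the order the Okta IdP form asks for them. The discovery JSON embedded in it is constructed sample data with the placeholder host acme.keyless.example, not a real tenant. The same check is useful for the Auth0, Cognito and PingOne setups later on this page, which consume the same document.

```powershell
# Added example (not Keyless or Okta code): validate an OIDC discovery document
# and map its keys onto the Okta "Add OpenID Connect IdP" endpoint fields.
# The JSON further down is constructed sample data with a placeholder host.

function Test-OidcDiscovery {
    param(
        [Parameter(Mandatory)][string]$Json,
        [string]$WellKnownUrl   # optional: the URL $Json was fetched from
    )
    $doc = $Json | ConvertFrom-Json
    if (-not $doc.issuer) { throw 'discovery document has no issuer' }
    $problems = New-Object System.Collections.Generic.List[string]
    $issuer   = [uri]$doc.issuer

    # Okta compares the ID token's "iss" claim with the configured Issuer, so the
    # issuer must be https and must be the base of the well-known URL you fetched.
    if ($issuer.Scheme -ne 'https') { $problems.Add("issuer is not https: $($doc.issuer)") }
    if ($WellKnownUrl) {
        $expected = $doc.issuer.TrimEnd('/') + '/.well-known/openid-configuration'
        if ($WellKnownUrl -ne $expected) {
            $problems.Add("well-known URL $WellKnownUrl does not match issuer (expected $expected)")
        }
    }

    # Okta field name -> discovery document key. Every endpoint is expected to be
    # https and on the issuer's host; anything else is flagged for a human to review
    # (an endpoint on a foreign host is how a mix-up attack would redirect tokens).
    $fields = [ordered]@{
        'Issuer'                  = 'issuer'
        'Authentication Endpoint' = 'authorization_endpoint'
        'Token Endpoint'          = 'token_endpoint'
        'JWKS Endpoint'           = 'jwks_uri'
        'User Info Endpoint'      = 'userinfo_endpoint'
    }
    $okta = [ordered]@{}
    foreach ($entry in $fields.GetEnumerator()) {
        $value = $doc.($entry.Value)
        if (-not $value) { $problems.Add("discovery document lacks $($entry.Value)"); continue }
        $u = [uri]$value
        if ($u.Scheme -ne 'https')    { $problems.Add("$($entry.Value) is not https: $value") }
        if ($u.Host -ne $issuer.Host) { $problems.Add("$($entry.Value) host $($u.Host) differs from issuer host $($issuer.Host)") }
        $okta[$entry.Key] = $value
    }

    # The Okta IdP uses the authorization code flow and the scopes email, openid, profile.
    if ($doc.response_types_supported -and 'code' -notin $doc.response_types_supported) {
        $problems.Add('response_types_supported does not include "code"')
    }
    foreach ($scope in 'openid', 'profile', 'email') {
        if ($doc.scopes_supported -and $scope -notin $doc.scopes_supported) {
            $problems.Add("scope $scope is not advertised in scopes_supported")
        }
    }

    [pscustomobject]@{ OktaFields = $okta; Problems = $problems.ToArray() }
}

# Constructed sample document (placeholder host, not a real Keyless tenant).
$sample = @'
{
  "issuer": "https://acme.keyless.example",
  "authorization_endpoint": "https://acme.keyless.example/connect/authorize",
  "token_endpoint": "https://acme.keyless.example/connect/token",
  "jwks_uri": "https://acme.keyless.example/.well-known/openid-configuration/jwks",
  "userinfo_endpoint": "https://acme.keyless.example/connect/userinfo",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "scopes_supported": ["openid", "profile", "email"]
}
'@

$result = Test-OidcDiscovery -Json $sample -WellKnownUrl 'https://acme.keyless.example/.well-known/openid-configuration'
$result.OktaFields
if ($result.Problems) { $result.Problems | ForEach-Object { Write-Warning $_ } }
else { 'Discovery document is consistent; paste the fields above into the Okta IdP form.' }

# Against a live tenant (replace the placeholder with the well-known URL Keyless gave you):
# $url = 'https://<your-keyless-tenant>/.well-known/openid-configuration'
# Test-OidcDiscovery -Json (Invoke-WebRequest -Uri $url -UseBasicParsing).Content -WellKnownUrl $url
```

Run it against the live document before filling in the Okta form; if it reports a host mismatch, confirm with Keyless that the endpoint really belongs to your tenant rather than pasting it through.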
Under "Identity Providers" go to "Routing Rules" to configure which users and groups will have access to the Keyless Identity Provider and will use Keyless as their authentication method.
Make sure that the Keyless Account Linking application is configured to use the default Okta identity provider (as the first rule) so that users will be able to link their account properly.
Common issues and solutions for Keyless and AD FS integration.
Please confirm that you can reach https://<customer>-registration.keyless.technology/metadata/ from your network, where <customer> is the domain handle given to you by Keyless.
Select the <customer>-registration.keyless.technology relying party trust in AD FS.
Click on 'Edit Access Control Policy'
Select ‘Permit specific group'
Open PowerShell as administrator on your AD FS server and enter this command:
On the AD FS ‘Home Realm Discovery’ screen, the browser on users’ devices may cache the list of login options. Clearing the cookies in the browser solves the problem.
A few things you should know before starting the deployment.
As part of your onboarding with Keyless, you should have performed the steps below. If you're missing one or more of these prerequisites, please reach out directly to support@keyless.io.
Provide the Keyless IT department with the domain name of your AD FS service.
Update the AD FS configuration to trust the domain names of the Keyless SAML connectors (SP & IdP) that Keyless provided you with.
Ensure that the firewall policy of your local network allows the following:
The AD FS service must be reachable by our SP and IdP.
For account linking, the user browser must be able to communicate with the SP and the AD FS instance.
For authentication, the user browser must be able to communicate with the IdP and the AD FS instance.
The end-user device (EUD, the employee's phone running the Keyless app) must be able to communicate with the Keyless infrastructure.
Everything you need to know and do to help you deploy Keyless seamlessly in your organization
Keyless is committed to providing you with the best experience possible. We want to be sure you have what you need, whether that be guidance on how to use our product, or where to go for help. By deploying Keyless, you will take a big step toward safeguarding yourself and your organization from data theft and account takeover, while improving the user experience across the organization.
This guide is for Admins, IT managers and Help Desk staff who are supporting a Keyless deployment.
User experience is at the forefront of Keyless products, and we understand that using Keyless can be new and confusing in certain environments, especially for people who have grown accustomed to insecure passwords such as qwerty, password, and 123456.
Rolling out passwordless MFA to your company can produce questions from your end-users. This document is designed to provide you with quick answers to issues experienced by users and a structure for diagnosing and supporting their passwordless journey.
Help desk and IT staff are an important component of any Keyless deployment. Education and awareness are key factors in ensuring their success and ultimately your success in deploying Keyless. Use these resources to train your team in supporting Keyless users throughout the deployment.
Prepare your internal workforce ahead of the Keyless deployment
Mobile device for each employee: whether company property or employee-owned, each person needs a mobile device with an internet connection for the optimal passwordless MFA experience. Currently iOS 13.4 or higher on iPhone 6 or newer, and Android 7.0 or higher, are supported.
Keyless app installed for each employee: employees authenticate with the Keyless mobile app, which is available in the App Store and Google Play Store.
This guide details the steps required to configure Keyless as a passwordless authentication solution for your Auth0 cloud instance.
Keyless and Auth0 have partnered to deliver true passwordless authentication for the workforce and for consumers.
This document provides a step-by-step introduction for configuring Auth0 to work with Keyless. In this guide Keyless will be set up as both an OpenID Connect service provider and a OpenID Connect identity provider for Auth0.
To use Auth0 to authenticate, configure Keyless as a trusted IdP on Auth0.
Before proceeding, make sure you have the following information from Keyless:
Login Icon: can be used as the logon icon for Keyless authentication on the Auth0 login page (https://your-keyless-tenant/static/keyless.svg)
Discovery URL: the OIDC discovery endpoint provided by Keyless (https://your-keyless-tenant/.well-known/openid-configuration)
Client ID: the OIDC client ID for your organization, provided by Keyless
Client Secret: the OIDC client secret, provided by Keyless
The steps are as follows
Create a new Enterprise Connection (IdP): go to Authentication → Enterprise → OpenID Connect and click the (+) icon.
Provide a name for the connection.
Fill in the OIDC Discovery URL in the Issuer field.
Fill in ClientID provided by Keyless
Make a note of the callback URL that need to be sent to Keyless
Click Save
Once saved, go to the Settings and General tab and do the following:
Select Back Channel as Type
Fill in client Secret field
Click Save Changes
Click the ellipsis (...) icon on the connection you just saved, then click Try Now. This initiates a Keyless authentication.
On successful authentication you’ll see the connection data
To enroll users you need to configure a client application on Auth0.
Before proceeding, make sure you have the following information from Keyless:
Login URL: OIDC client login URL provided by Keyless (https://<your-enrollment-server>/signin-oidc)
Redirect URI: OIDC redirect URI provided by Keyless (https://<your-enrollment-server>/signin-oidc)
Logout URL: OIDC logout URL provided by Keyless (https://<your-enrollment-server>/signout/callback)
Keyless Enrollment URL: the Keyless enrollment page for end users, provided by Keyless (https://<your-enrollment-server>/)
Create Application: Applications --> Create Application --> Regular Web Applications
On Settings tab of the Application you just created
Make note of the following items that need to be sent back to Keyless
Domain
Client ID
Client Secret
Fill in the following information provided by Keyless
Allowed Callback URL which is the Login URL (in the table above)
Allowed Logout URL which is the Logout URL provided
Allowed Web Origins, which is the origin of the Redirect URI provided (Auth0 expects an origin here, i.e. https://<your-enrollment-server> without a path)
Make sure to send the following information back to Keyless to complete the configuration:
Domain
Client ID
Client Secret
The following guide explains how to connect Keyless to your AWS Cognito user pool so that your users can log in to your web app with biometric authentication.
To enable Keyless authentication, log in to your AWS Cognito dashboard and follow these steps:
Click on Federation > Identity Providers
Click on OpenID Connect
Insert ClientID, Client Secret and Issuer provided to you by Keyless, and configure the rest as shown in the following picture:
Click on Run discovery to make sure the IdP can be reached successfully
To let your users enroll on Keyless through AWS Cognito, follow these steps:
Click on General Settings > App Clients
Click on Add another app client
Choose an app name (typically keyless_registration) and make sure Generate client secret is checked. Leave the default values for the rest.
Send Client ID and Client Secret to Keyless
Your configuration should look like the following image:
Click on App integration > App client settings
Insert Callback URL(s) and Sign out URL(s) provided to you by Keyless
Configure the rest as shown in the following image:
Configure Keyless as an MFA method for your AD FS connected applications.
This guide details the steps required to configure Keyless as an authentication method for your AD FS instance.
Make sure you have completed Integrating Keyless with Active Directory Federation Services before moving on to this guide.
This guide assumes that you have experience installing and configuring Windows Server 2016 or 2019, Active Directory, and Active Directory Federation Services (AD FS) 2016 or 2019.
For more information on installing AD FS, please see the AD FS 2016 Deployment Guide.
Log in to the AD FS Management console from Server Manager by clicking "Tools" in the top navigation bar and selecting "AD FS Management".
In the AD FS Management console, right-click "Claims Provider Trusts" and select "Add Claims Provider Trust…" from the right-pane menu, as shown in the image below. (This guide adds Keyless as a claims provider, i.e. an identity provider that AD FS trusts; the relying party trust for the registration service was created in the previous guide.)
This opens a 4-step wizard. On the first page, accept the defaults and click "Start".
In the following screen, import data about the claims provider published online. Enter the metadata URL provided during provisioning of your account. For this example we use https://<acme-idp>.keyless.technology/metadata/, where <acme-idp> is the handle that identifies your instance.
Optionally, change the Display name for the claims provider, and add a note. This is a friendly name that will be displayed to administrators in the AD FS console and to end users. Click “Next” once done.
Review the parameters configured
After completing Step 1 above, you should be able to see the new Claims Provider Trust you’ve just created under the “Claims Provider Trust” folder in your AD FS Management Portal.
Right-click on the Claims Provider Trust you’ve just added, and select “Edit Claim Rules” from the menu.
In this step you will define the rules that will transform the claims sent to the AD FS from Keyless.
Define three rules by clicking “Add Rule” in the bottom part of the dialog:
Rule 1: Pass through Name ID as Windows account name
Rule Template: Transform an incoming claim
Claim rule name: “Pass through Name ID as Windows account name"
Incoming claim type: Name ID
Incoming name ID format: Unspecified
Outgoing claim type: Windows account name
Select the "Pass through all claim values" radio button.
Rule 2: Pass through Name ID as UPN
Rule Template: Transform an incoming claim
Claim rule name: “Pass through Name ID as UPN"
Incoming claim type: Name ID
Incoming name ID format: Unspecified
Outgoing claim type: UPN
Select the "Pass through all claim values" radio button.
Rule 3: Set Group Keyless
Rule Template: Send Claims Using a Custom Rule
Claim rule name: “Set Group Keyless"
Custom rule:
c:[]
=> issue(Type = "http://schemas.xmlsoap.org/claims/Group", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "keyless", ValueType = c.ValueType);
Click "Apply" and "OK" to save your changes.
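The same three rules applied from PowerShell instead of the Edit Claim Rules dialog, as an added example that is not part of the Keyless guide. It assumes the claims provider trust was given the display name "Keyless" in Step 1 and must run as an administrator on the AD FS server. Set-AdfsClaimsProviderTrust -AcceptanceTransformRules replaces the whole rule set, so the block carries all three rules rather than appending one.

```powershell
# Added example (not Keyless code): acceptance transform rules for the Keyless
# claims provider trust, equivalent to Rules 1-3 above. "Keyless" is the assumed
# display name of the trust created in Step 1.

$cpName = 'Keyless'

# Claim type URIs as AD FS defines them.
$nameId  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$fmtProp = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$unspec  = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
$winAcct = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$upn     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$group   = 'http://schemas.xmlsoap.org/claims/Group'

$rules = @"
@RuleName = "Pass through Name ID as Windows account name"
c:[Type == "$nameId", Properties["$fmtProp"] == "$unspec"]
 => issue(Type = "$winAcct", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleName = "Pass through Name ID as UPN"
c:[Type == "$nameId", Properties["$fmtProp"] == "$unspec"]
 => issue(Type = "$upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleName = "Set Group Keyless"
c:[]
 => issue(Type = "$group", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "keyless", ValueType = c.ValueType);
"@

# Overwrites any acceptance rules already on the trust with the set above.
Set-AdfsClaimsProviderTrust -TargetName $cpName -AcceptanceTransformRules $rules

# Show what AD FS stored so the rule text can be compared with the dialog.
(Get-AdfsClaimsProviderTrust -Name $cpName).AcceptanceTransformRules
```

Because the first two rules only match a Name ID whose format property is "unspecified", a Keyless assertion carrying a different NameID format would produce no Windows account name or UPN claim; check the stored rules against the format Keyless actually sends if logins fail after this step.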
Open PowerShell as administrator on your AD FS server and enter this command (after replacing <keyless-registration-domain> with the domain provided to you by Keyless):
Congratulations, you can now use Keyless to authenticate to your AD FS connected applications! 😎
This verification requires that there is at least one user already enrolled with Keyless and that can be used for this test.
Go to https://<your-adfs-domain>/adfs/ls/idpinitiatedsignon.htm and select the "Sign in to this site" option. (On AD FS 2016 and later this page is disabled by default and must be enabled in the AD FS properties before the test.)
Click on the identity provider associated with Keyless IdP:
Provide the username (UPN format) of the test user and click the 'Continue' button.
At this point, the user should receive a push notification to the Keyless Authenticator app on their mobile phone. Once authenticated on the phone, the user should be logged in.
Keyless is building a privacy-first biometric authentication platform that eliminates the need for businesses to centrally store and manage passwords, sensitive cryptographic keys, and other authentication data, without compromising on convenience or privacy for their users.
Keyless integrates with a wide variety of systems, and leverages standard protocols like SAML and OpenID Connect to add security-enhancing and privacy-preserving passwordless authentication to your existing systems.
To integrate biometric authentication into your systems, follow the steps below:
Step 1: Gather the prerequisites.
Step 2: Configure the integration with your system, following the guide for your identity provider.
Step 3: Roll out biometric authentication across your organization.
Integrating Keyless with Active Directory Federation Services
This guide details the steps required to configure Keyless for your AD FS instance.
This guide assumes that you have experience installing and configuring Windows Server 2016 or 2019, Active Directory, and Active Directory Federation Services (AD FS) 2016 or 2019. For more information on installing AD FS, please see the AD FS 2016 Deployment Guide
Log in to the AD FS Management console from Server Manager by clicking "Tools" in the top navigation bar and selecting "AD FS Management".
In the AD FS Management console, right-click "Relying Party Trusts" and select "Add Relying Party Trust…" from the right-pane menu, as shown in the image below.
This opens a 5-step wizard. In the first step, keep the default "Claims Aware" and click "Start".
In the following screen, import data about the relying party published online. Enter the metadata URL provided during provisioning of your account. For this example we use https://<contoso-poc>-registration.keyless.technology/metadata/, where <contoso-poc> is the handle that identifies your instance.
After inserting the URL, click “Next”.
You may now optionally change the Display name for the relying party, and add an optional note. This is a friendly name that will be displayed to administrators in the AD FS console and to end users. Click “Next” once done.
In the next step, you will be required to define the access control policy, this will configure which user and groups will be able to register and use Keyless. After selecting the proper users and groups, click “Next”.
Define the Keyless access policy for your organization.
Review the parameters configured and click "Next" when ready.
In the last step, leave the checkbox checked. When done, click “Close” and finish the process of adding the Relying Party Trust.
After completing Step 1 above, you should be able to see the new relying party trust you’ve just created under the “Relying Party Trusts” folder in your AD FS Management Portal.
Right-click on the relying party trust you’ve just added, and select “Edit Claim Issuance Policy” from the menu.
In this step you will define the rules that will transform the claims sent to the Keyless relying party.
Add Rule 1: Send UPN as Email Address, in the bottom part of the dialog:
Rule Type: “Send LDAP Attributes as Claims”
Rule Name: “Send UPN as email address”
LDAP Attribute: User-Principal-Name
Outgoing Attribute: E-mail Address
After clicking "Finish" you should see the following rule:
Add Rule 2: Send UPN as NameID, in the bottom part of the dialog:
Rule Type: “Send LDAP Attributes as Claims”
Rule Name: “Send UPN as NameID”
LDAP Attribute: User-Principal-Name
Outgoing Attribute: Name ID
Define the mapping between the UPN and the Name ID
After adding these two rules, you should see the following list of rules in the “Issuance Transform Rules” dialog.
Click "Apply" and "OK" to save your changes.
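As an added example that is not part of the Keyless guide, the PowerShell below performs Step 1 and Step 2 of this guide from the AD FS module: it first confirms the metadata URL is reachable from the server and parses as SAML metadata (the check the AD FS troubleshooting section asks for), then creates the relying party trust from that metadata and sets the two issuance transform rules. <contoso-poc> is the tenant handle placeholder used above; the trust is named after the registration domain so it matches the name the troubleshooting section refers to, and the built-in "Permit everyone" access control policy stands in for the group you chose in Step 1 (switch it to "Permit specific group" in the console to restrict who may register). Run it as an administrator on the AD FS server.

```powershell
# Added example (not Keyless code): create the Keyless registration relying party
# trust from its published metadata and set the two issuance rules of Step 2.
# <contoso-poc> is a placeholder for the tenant handle Keyless gave you.

$handle      = '<contoso-poc>'
$metadataUrl = "https://$handle-registration.keyless.technology/metadata/"
$rpName      = "$handle-registration.keyless.technology"

# 1. Reachability check: the metadata must be fetchable over TLS (Invoke-WebRequest
#    validates the server certificate) and must be a SAML EntityDescriptor.
$meta = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$xml = $meta.Content
if ($xml.DocumentElement.LocalName -ne 'EntityDescriptor') {
    throw "Unexpected content at $metadataUrl; expected SAML metadata"
}
"Metadata entityID: $($xml.DocumentElement.GetAttribute('entityID'))"

# 2. Create the trust from the metadata and attach an access control policy
#    (Step 1 of the wizard). Tighten the policy to a specific group afterwards.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl -AccessControlPolicyName 'Permit everyone'

# 3. Issuance transform rules (Step 2): look up userPrincipalName in Active Directory
#    for the authenticated Windows account and send it as E-mail Address and as Name ID.
$winAcct = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$email   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameId  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'

$rules = @"
@RuleName = "Send UPN as email address"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$email"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Send UPN as NameID"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$nameId"), query = ";userPrincipalName;{0}", param = c.Value);
"@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# 4. Verify the trust, its policy and the stored rules.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, AccessControlPolicyName, IssuanceTransformRules
```

The issuance rules are scoped to claims issued by "AD AUTHORITY", so only a user who actually authenticated against Active Directory gets a UPN-derived Name ID sent to the Keyless enrollment service; that is the property the enrollment step depends on.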
Congratulations, you have successfully integrated Keyless with your AD FS instance! 😎
Optionally, configure Keyless as an MFA method for your AD FS connected applications.
The following guide takes you through enabling passwordless biometric authentication on ForgeRock Identity Cloud, giving users an enhanced passwordless authentication experience.
Keyless and Forgerock have partnered to deliver true passwordless authentication for the workforce and for consumers.
This document provides a step-by-step introduction for configuring Forgerock to work with Keyless. In this guide Keyless will be set up as both an OpenID Connect service provider and a OpenID Connect identity provider (Social Identity Provider) for Forgerock Identity Cloud.
All configuration will be performed on Forgerock Identity Cloud Platform Admin Console.
Log on to Forgerock Identity Cloud Platform Admin console for your tenant:
From the Platform Admin Console dashboard, select the realm you are configuring and navigate to Native Consoles -> Access Management.
From the dashboard, click the Services tile and then the Social Identity Provider Service link.
Click the Secondary Configurations tab, open the Add a Secondary Configuration dropdown and select OIDC Provider.
Choose a name for the IdP client configuration; the table below lists the configuration items to fill in.
Click Save to store the IdP configuration, then click the Enabled toggle at the top so the IdP configuration is active.
Following is a sample normalization script (groovy) for our Keyless Social IdP
Next we'll need to configure an authentication Tree to enable our Social authentication: from realm dashboard select Authentication --> Trees --> Create Tree and provide a name: e.g. KeylessAuth
At this point you can access Forgerock Identity Cloud end user dashboard: you'll be prompted to authenticate with Keyless (as Keyless is the only authentication mechanism configured in this specific Auth tree as shown above)
Here's an alternative sample auth tree that provides options for both password based & Keyless (passwordless) authentication
For enrollment with Keyless we'll need to create a new Application on Forgerock Identity Cloud for Keyless OIDC Service provider.
From our realm dashboard select Applications --> OAuth 2.0 --> Clients --> Add Client
Fill in the information required as described below:
Client ID: Provide a client ID: e.g. KeylessEnrollmentClient,
Client Secret: generate a client secret
If ClientID & Secret is provided by Keyless (that is enrollment service has already been created for you by Keyless) we'll be using those to populate the parameters above.
If we are creating our own ClientID & Client Secret then, both ClientID & Secret need to be sent back to Keyless for configuration on the Keyless Enrollment service.
Redirection URIs: A list of redirection URIs for your Keyless tenant has been provided by Keyless
Scope & Default Scope enter the following: openid profile cn mail
Click Create button and continue
Click on Advanced tab and configure the following:
Grant Types: select Authorization_Code and Implicit
Token Endpoint Authentication Method: select client_secret_post
Custom Properties: type preferred_username=mail
Click on OIDC tab and configure the following
Client Session URI: this is provided by Keyless
Post Logout Redirect URI: this is provided by Keyless
Backchannel Logout URI: this is provided by Keyless
Post Logout Redirect URI: this is configured based on your realm name, e.g. https://<forgerock-tenant>/enduser/?realm=<realm-name>#/dashboard
Click Save and that completes OIDC client configuration.
After completing the configuration steps above for the Keyless OIDC SP/RP used for enrollment, you can now enroll for Keyless authentication.
From a browser navigate to Keyless enrollment URL provided by Keyless
Authenticate using your credentials for Forgerock Identity Cloud
Browser will get redirected to Keyless enrollment page
Download the Keyless authenticator app on your mobile device from the App Store or Google Play.
Scan the QR code displayed on the Keyless enrollment page with your mobile device to complete Keyless enrollment.
From a browser, navigate to an application secured by ForgeRock Identity Cloud SSO, for example the ForgeRock Identity Cloud end-user dashboard: https://<forgerock-tenant>/am/XUI/?realm=/<realm-name>&authIndexType=service&authIndexValue=<tree-name>#/ (where <tree-name> is the authentication tree created above, e.g. KeylessAuth)
Click on Continue with Keyless button
Provide the email address you already enrolled with Keyless.
You'll receive a notification on your mobile device to complete biometric authentication with Keyless.
Enable Keyless passwordless biometric authentication to Salesforce.
Keyless passwordless biometric authentication can address any MFA requirement to authenticate to Salesforce Portal.
This guide provides step-by-step instructions for configuring the Salesforce portal to authenticate with Keyless passwordless biometric authentication. Keyless is set up as an authentication provider for Salesforce at the High Assurance level so that it satisfies MFA requirements. We also configure Keyless enrollment so that Salesforce users can register, or enroll, for Keyless authentication.
To enable authentication into Salesforce via Keyless, you need to add Keyless as an authentication provider in Salesforce.
As part of the onboarding process you’ll receive the following pieces of information from Keyless to complete an authentication provider configuration in Salesforce:
All configuration steps outlined below need to be performed on Salesforce portal with administrative privileges.
Create an OIDC Auth Provider
Identity → Auth Providers → New
Select Open Id Connect as provider type
Populate the configuration parameters from the information provided by Keyless team to complete Auth provider configuration as shown below
Make a note of the URLs under Salesforce Configuration section
Callback URL: Need to be provided to Keyless team to complete authentication provider configuration on Keyless end
Existing User Linking URL: Use this URL to link existing Salesforce users to their respective Keyless account
Following is a sample Registration handler code
Update Domain Configuration to Enable Keyless Authentication Option on Logon Page
Company Settings → My Domain
Edit Authentication Configuration
Enable Keyless
Configure Keyless as High Assurance authentication mechanism
Send the Callback URL to the Keyless team to complete authentication.
Keyless authentication is now enabled.
To enable enrollment of Salesforce users with Keyless we’ll need to configure Salesforce as an OIDC Identity Provider and Keyless as OIDC Relying Party/ Service Provider.
Make sure you have the following information from Keyless before proceeding with the configuration:
We’ll configure SFDC as a OIDC IdP and Keyless as OIDC RP
On Salesforce go to Settings → Identity → Identity Provider and enable Identity Provider and save. Make a note of the Issuer URL, you'll need to send it to Keyless to configure the Keyless enrollment server.
Click on Service Provider link at the bottom to create a Connected App/ Service Provider
Check Enable OAuth Settings to configure OAuth/OIDC parameters
Enter the callback URLs of Keyless Enrollment Server (these are Login/Redirect URL, Post Logout Redirect URL & Keyless Enrollment URL as described in the table at the beginning of this section)
Click Save. Make a note of the Client ID & Client Secret for Keyless OIDC RP, you'll need to send it to Keyless to configure the Keyless enrollment server.
Click New to add a Custom Attribute
This completes the configuration on the Salesforce side. The following table summarises the three pieces of information the Keyless team needs to complete the configuration of the Keyless Enrollment service:
Once we have completed the steps above, we are now in a position to step though the entire process of enrolling a user to Keyless and then continue with Keyless authentication going forward.
Create a new Salesforce user from SFDC dashboard (e.g. demouser@myorg-demo.com)
Enrol the newly created user to Keyless (if this account is not enrolled already)
From a web browser go to the Keyless enrollment site: https://<your-keyless-registration-URL> (provided by the Keyless team)
Authenticate to the SFDC portal with user ID and password (following the redirect from the Keyless enrollment page)
Click the Enrol link and scan the QR code using the Keyless Authenticator app on your mobile device
Complete the registration process on your mobile device as guided by Keyless Authenticator App
Registered account will appear on Keyless Authenticator App on the mobile device
Log out from Salesforce browser session and this completes Keyless enrollment
Link Salesforce User to their registered Keyless account
Log on to SFDC with account linking URL
Account Linking URL can be found on Salesforce Setup -> Auth Provider -> Salesforce Configuration section, which will look like the following: https://<your-salesforce-tenant>.my.salesforce.com/services/auth/link/keyless
Authenticate with Keyless via Keyless Authenticator App on your mobile device
After a successful authentication with Keyless Salesforce portal will prompt you to Sign In with userID and password to link an SFDC user to the authenticated Keyless account. That completes the account linking between SFDC and Keyless account
From a browser access your Salesforce portal: https://<your-salesforce-tenant>.my.salesforce.com
Log on to SFDC via Keyless: Click on SignIn with Keyless button as opposed to providing uid/password
Authenticate via Keyless Mobile Authenticator. That completes keyless authentication to SFDC
The following guide takes you through enabling passwordless biometric authentication on PingOne SSO, giving applications an enhanced passwordless authentication experience.
Log in to PingOne Admin console for your environment.
Create an External Identity Provider
Select the Custom option to create an OpenID Connect IdP
Fill in IdP profile details
Provide OIDC Connection details
Client ID: Provided by Keyless Account team
Client Secret: Provided by Keyless Account team
OIDC Discovery Document URI: Provided by Keyless Account team
Click on Use Discovery Document link to populate OIDC endpoints
Fill in OIDC scopes: openid profile email
Make a note of the callback URL generated by PingOne: This will be required by Keyless Account team
Provide the OIDC attribute mapping between PingOne and the Keyless IdP. Note that the Keyless IdP returns the username in the preferred_username attribute of the incoming claim
Enable External IdP just created
Summary of Configuration on Keyless IdP
Update Authentication Policy to include Keyless External IdP
Under Experiences -> Authentication Policies -> Single Factor, add the Keyless External IdP as an IdP to be presented on login
Send the call back URL to the Keyless team.
This completes configuration of Keyless as External Identity Provider
For enrollment with Keyless we'll need to create a new application on PingOne for the Keyless OIDC service provider.
Create an OIDC application of type Web App
![](../../.gitbook/assets/KL_P1_SP_001 (1).png)
Select OIDC and click on the Configure link/button to continue to the OIDC configuration
Provide a name, optionally a description, and an icon that can be uploaded
Enter the OIDC redirect URL provided by Keyless
Configure OIDC scopes: openid, profile & email
Configure attribute mapping: preferred_username is the outbound attribute, populated with the user's email address as shown below:
On completion the OIDC application configuration will look like the following; the relevant items highlighted below can be edited and saved here
This completes the OIDC Service Provider/ Keyless Enrollment end of configuration.
From a web browser navigate to the enrollment URL provided by the Keyless account team. The browser will follow the redirect and take you to the PingOne logon page, where you'll need to authenticate with PingOne credentials:
On successful authentication the browser is redirected to the Keyless enrollment site, where you can enroll your mobile device by scanning the QR code displayed on screen
From a web browser navigate to an application secured using PingOne SSO solution such as: https://apps.pingone.com/<your-tenant-id>/myapps/
Choosing the Authenticate with Keyless option on the logon screen initiates passwordless authentication with Keyless
Your enrolled mobile device will receive a notification to perform a biometric authentication
On initial logon with Keyless, PingOne performs account linking and you may have to enter your password
Best practices for rolling out Keyless to your organization after you've completed the initial integration.
This document provides a step-by-step introduction to configuring OneLogin to work with Keyless. In this guide Keyless will be set up as both an OpenID Connect service provider and an OpenID Connect identity provider for OneLogin
In order to enable your users to authenticate into the OneLogin dashboard via Keyless you'll need to configure Keyless as a trusted IdP on OneLogin.
As part of the onboarding process you'll receive the following pieces of information from Keyless to complete a Trusted IdP configuration.
The steps are as follows:
Create a new Trusted IDP: Go to Authentication → Trusted IdPs → New Trust
Provide a name for the Trusted IdP configuration e.g. Keyless
Check Enable Trusted IDP
Check Show In Logon Panel; this will require you to choose an icon (the default Keyless icon is provided in the onboarding package)
Fill in issuer URI
Check the following options:
Sign users into OneLogin
Sign users into additional applications
Send Subject Name ID or Login Hint in Auth Request
On User attribute section:
Fill in {tidp.preferred_username}
Select Email in User Attribute Mapping
Select OIDC as the authentication protocol type and fill in the following fields in the OIDC Configuration section (OIDC endpoint URIs, Client ID and Secret values are provided in the Keyless onboarding package)
Authentication Endpoint
Select POST as Token Endpoint Authentication Method
Token Endpoint
User Information Endpoint
In Scopes field type in: openid email profile
On Client Id & Client Secret fields fill in the values provided by Keyless
Click Save; that completes the configuration
To enable enrollment of your users to Keyless we’ll need to configure a client application on OneLogin. Parameters required to create the application on OneLogin are provided in your Keyless onboarding package.
The following information is provided in your onboarding package to configure OneLogin Application:
Go to Applications → Add App
Search OIDC on Find Applications and select OpenId Connect (OIDC)
On the Configuration screen provide a display name, uncheck Visible in portal and click Save
Under the Configuration tab provide the following parameters provided by Keyless:
Login Url
Redirect URIs (a single URI)
Post Logout URIs (a single URI)
Under the SSO tab make a note of the following three pieces of information, which need to be sent back to Keyless for configuration on the Keyless end
Client ID
Client Secret
Issuer URL
Make sure that Application Type is Web
Make sure that the Token Endpoint Authentication Method is POST
Additionally, on the Users tab select the relevant users/groups to allow them to enroll with Keyless
Click Save to complete the configuration. Your users can now use the Keyless enrollment URL provided to enrol their devices with Keyless
Remember to send the following information back to Keyless to complete the configuration:
Client ID
Client Secret
Issuer URL
Use these email templates to inform your team that you're rolling out Keyless.
To be sent 1-2 weeks before rollout.
Subject:
Keyless Passwordless Authentication is coming!
Content:
Dear [name], The IT team is notifying you that your login experience will soon improve. Keyless is being deployed to make your login experience faster, safer, and easier.
Why are things changing? The modern day employee wastes on average 24 hours per year logging into systems and apps. With Keyless, you no longer have to worry about passwords, writing them down, resetting them, or the time it takes to type them in. Keyless protects you against phishing, credential reuse, and account takeover by taking passwords out of the equation.
Starting [month, day] you will use your mobile device with the Keyless mobile app installed to login to your SSO. Say goodbye to your security hardware token or typing of usernames, passwords or codes at every login.
Keyless is the leading provider of best-in-class privacy-preserving passwordless authentication. Keyless lets you log into your desktop, mobile and web applications with your mobile device. Your personal data can never be accessed by anyone except yourself. More information is coming soon!
To be sent on the week of the rollout.
Subject:
Keyless Authentication is here!
Content:
In a couple of days we will be rolling out Keyless the new authentication solution which will remove your need to use passwords. Keyless will make your login experience faster, safer and easier.
Starting [month, day] you will use your mobile device with the Keyless mobile app installed to approve every login to your SSO.
Enroll by downloading the Keyless Authenticator from the or the and by following the in-app steps and the .
Any questions, please reach out to the support team at {insert email alias}.
This message should be sent on the enrollment date.
Subject:
Keyless is Live!
Content:
Today you will enroll in Keyless, the new passwordless authentication solution! Keyless will make your login experience faster, safer and easier. Follow the below steps to begin:
Step 1: If you haven't done so yet, please download the Keyless application. Search for “Keyless” on the iOS App Store or in your Google Play Store to install the app.
This guide details the steps required to configure Keyless as a passwordless authentication solution for your ForgeRock instance.
This integration relies on the ForgeRock OIDC Node which is available in AM6.0 or greater.
Make sure you have the following information, provided to you during your onboarding with Keyless.
OpenID Connect Client ID
OpenID Connect Secret
OpenID Discovery URL
Create or modify a tree to use the OpenID Connect Node
Enter the following values for each configuration option in the OpenID Connect Node
Open a private window in your browser.
Navigate to the login page of the realm that Keyless is configured for.
Enter your username and authenticate with Keyless on your mobile device (make sure to use a user who is enrolled with Keyless)
You should now be logged into the ForgeRock portal.
Make sure you have a compatible mobile (Android/iOS) device with the Keyless Authenticator App installed. See the .
Step 2: Use the following link {insert link} to link your account and complete the enrollment using the app.
Congrats, you are now enrolled in Keyless. To learn how to use Keyless, please refer to this .
Any questions, please reach out to the support team at {insert email alias}.
| Field | Description | Value |
| --- | --- | --- |
| Name | Select a name from the Social IdP configuration | Keyless |
| Auth ID Key | OIDC claim that identifies the user | sub |
| Client ID | OIDC Client ID, provided by Keyless | - |
| Client Secret | OIDC Client Secret, provided by Keyless | - |
| Well Known Endpoint | OIDC discovery URL, provided by Keyless | https://<my-keyless-tenant-fqdn>/.well-known/openid-configuration |
| Issuer | OIDC Issuer URL, provided by Keyless | https://<my-keyless-tenant-fqdn> |
| Client Authentication Method | Authentication method for the OIDC client | CLIENT_SECRET_POST |
| PKCE Method | OIDC PKCE configuration | S256 |
| Response Mode | OIDC response mode | form_post |
| OAuth Scopes | OIDC/OAuth scope parameter | openid profile email |
| Scope Delimiter | Scope delimiter | a single space character |
| OIDC Endpoints | Authorization, token, userinfo and JWKS endpoints: all provided by Keyless, and also retrievable from the OIDC discovery URL provided | https://<my-keyless-tenant>/connect/authorize |
| Redirect URL | OIDC redirect from the Keyless IdP on completion of authentication. This depends on your realm and on the Social IdP name chosen at the top of this table | https://<my-forgerock-tenant>/am/oauth2/realms/root/realms/<my-realm-name>/client/form_post/<Social-IDP-Name> |
| UI Config Properties | Add a property: buttonDisplayName | Keyless |
| UI Config Properties | Add a property: buttonImage (the URL for the value is provided by Keyless) | https://<my-keyless-tenant>/static.keyless.svg |
| Transform Script | Script to transform/normalize the incoming claims from the Keyless IdP | We'll provide a sample script to do just that; for initial configuration you can choose an existing script from the dropdown list of canned scripts |
| Field | Description | Value |
| --- | --- | --- |
| Login / Redirect URL | OIDC RP configuration | https://<your-keyless-enrollment-server>/signin-oidc |
| Post Logout Redirect URL | OIDC RP configuration | https://<your-enrollment-server>/signout/callback |
| Keyless enrollment URL | Keyless enrollment server | https://<your-keyless-enrollment-server> |
| Field | Description | Value |
| --- | --- | --- |
| Issuer URL | OIDC IdP | https://<your-salesforce-tenant>.my.salesforce.com |
| Consumer Key | OIDC Client ID | - |
| Consumer Secret | OIDC Client Secret | - |
Notifying employees and providing clarity around the deployment.
Get your IT or Support teams ready
| Field | Description | Value |
| --- | --- | --- |
| Login URL | OIDC client configuration | https://<your-enrollment-server>/signin-oidc |
| Redirect URI | OIDC redirect URI | https://<your-enrollment-server>/signin-oidc |
| Post Logout Redirect URI | OIDC logout URI | https://<your-enrollment-server>/signout/callback |
| Keyless Enrollment URL | URL of the Keyless enrollment page for end users | https://<your-enrollment-server> |
| Field | Value |
| --- | --- |
| Authentication Endpoint URL | To be found in the provided Discovery URL |
| Access Token Endpoint URL | To be found in the provided Discovery URL |
| User Profile Service URL | To be found in the provided Discovery URL |
| OAuth Scope | openid email profile |
| Redirect URL | Depends on your deployment configuration, typically: https://your-fr-host-domain/openam/?realm=THE_REALM&service=THE_TREE |
| Social Provider | Keyless |
| Auth ID Key | sub |
| Use Basic Auth | enabled |
| Account Provider | org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider |
| Account Mapper | org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper |
| Account Mapper Configuration | email to uid |
| Save Attributes in the Session | enabled |
| Token Issuer | To be found in the provided Discovery URL |
| OpenID Connect Validation Type | JWK URL |
| OpenID Connect Validation Value | To be found in the provided Discovery URL |
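Several fields in the ForgeRock tables above (issuer, authorization, token, userinfo and JWKS endpoints) are "to be found in the provided Discovery URL". The script below, an added example that is not Keyless, ForgeRock or Ping code, resolves those fields from a discovery document and applies the checks worth doing before trusting it: the issuer must match the location the document was fetched from, every endpoint must be HTTPS, and the tenant must advertise the scopes, PKCE S256 and form_post settings the tables rely on. The discovery document and tenant host are constructed placeholders.

```python
"""Fill the OIDC endpoint fields from a discovery document, after checking it.
Added example, not Keyless, ForgeRock or Ping code. Field labels follow the tables on
this page; the discovery document is a constructed sample with a placeholder host."""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Constructed sample of what a tenant's discovery document might contain.
SAMPLE_DISCOVERY_URL = "https://my-keyless-tenant.example" + WELL_KNOWN
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://my-keyless-tenant.example",
    "authorization_endpoint": "https://my-keyless-tenant.example/connect/authorize",
    "token_endpoint": "https://my-keyless-tenant.example/connect/token",
    "userinfo_endpoint": "https://my-keyless-tenant.example/connect/userinfo",
    "jwks_uri": "https://my-keyless-tenant.example/.well-known/jwks",
    "scopes_supported": ["openid", "profile", "email"],
    "response_modes_supported": ["query", "form_post"],
    "code_challenge_methods_supported": ["S256"],
})
# Table field label -> discovery claim that supplies its value.
FIELD_TO_CLAIM = {
    "Issuer": "issuer",
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "UserInfo Endpoint": "userinfo_endpoint",
    "JWKS URL": "jwks_uri",
}

def load_sample():
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_DISCOVERY_JSON)

def validate_discovery(doc, discovery_url):
    """Return a list of problems (empty when acceptable). OIDC Discovery requires the
    issuer to equal the fetch location minus the well-known path; a different issuer
    would make the IdP trust tokens minted by another origin."""
    problems = []
    expected = discovery_url[:-len(WELL_KNOWN)] if discovery_url.endswith(WELL_KNOWN) else discovery_url
    if doc.get("issuer", "").rstrip("/") != expected.rstrip("/"):
        problems.append(f"issuer {doc.get('issuer')!r} != {expected!r}")
    for claim in FIELD_TO_CLAIM.values():
        value = doc.get(claim)
        if not value:
            problems.append(f"missing {claim}")
        elif urlsplit(value).scheme != "https":  # codes and tokens must never cross plaintext
            problems.append(f"{claim} is not https: {value}")
    return problems

def resolve_fields(doc, discovery_url, scopes=("openid", "profile", "email"),
                   pkce="S256", response_mode="form_post"):
    """Return the values to enter in the table, after confirming the tenant advertises
    the scopes, PKCE method and response mode the tables on this page use."""
    problems = validate_discovery(doc, discovery_url)
    for scope in scopes:
        if scope not in doc.get("scopes_supported", list(scopes)):  # list is optional in spec
            problems.append(f"scope {scope!r} not advertised")
    if pkce not in doc.get("code_challenge_methods_supported", []):
        problems.append(f"PKCE method {pkce} not advertised; do not fall back to plain")
    if response_mode not in doc.get("response_modes_supported", ["query", "fragment"]):
        problems.append(f"response mode {response_mode} not advertised")
    if problems:
        raise ValueError("; ".join(problems))
    fields = {label: doc[claim] for label, claim in FIELD_TO_CLAIM.items()}
    fields.update({"OAuth Scopes": " ".join(scopes), "PKCE Method": pkce,
                   "Response Mode": response_mode})
    return fields
```

For a live tenant, fetch the document from the Well Known Endpoint over HTTPS and pass the same URL as `discovery_url`, so the issuer comparison is made against the location actually used.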
Integration with IAM systems is typically done over SAML or OIDC federation.
Some terms you may encounter in this documentation, among your internal IT team, or from end users:
The process of adding an account to the Keyless Authenticator application. In a quick, 30-second process, the end user adds an account by scanning a QR code and authenticating using the Keyless Authenticator application.
The process of using the Keyless Authenticator application to gain access to certain applications, services or workstations.
The act of removing a Keyless account associated with a specific user.
The web or workstation service which an administrator uses to generate policies and access for users of a specific service.
A user’s authentication device type (iPhone, Android, etc).
This is an out-of-band authentication request that is sent to the Keyless Authenticator App on an enrolled device.
The Keyless team is available to assist with any request through our help service portal available online. There, you will be able to view existing requests submitted for your organization and can request new tickets.
For direct support from Keyless, visit the Keyless Support Center.
Level 3 Support has the ability to contact Keyless Support directly to raise issues that have no clear resolution. Keyless support will work with your teams to reach rapid resolution.
Use the description text that best matches the scenario. An example of a request containing information which will reduce the time to resolution may include:
Phone Model: iPhone 8
Phone OS: iOS 13.2.2
Time of Issue: I experience the issue as early as 4:30 a.m. EST and, trying after hours, as late as 9:30 p.m. EST
Place of Issue: Office
Relevant Log Files/Screenshots: as attachments
Issue: User is unable to unlock their workstation using Keyless
Steps taken when issue is experienced:
Step 1 ....
Step 2...
Step 3...
The Keyless Authenticator application contains an easy to use menu to enable the user to provide help desk teams with information about the user's associated software and devices.
Encouraging users to upgrade to the latest version of the Keyless Authenticator application and the latest available operating system may improve application performance and reduce the risk of bugs while improving the security of the user experience.
To guide a user in how to submit mobile information to your organization, ask the user to select the Settings menu, or gear in the top right corner of the main screen of their mobile app. From here, have the user select “Contact Support” and the user’s email service will appear with the contents of the message.
If the user receives an error message and their email service does not appear, this indicates the user’s email client is not currently configured. Inform the user and ask them if they would be interested in setting up their email client on their mobile device.
Enabling backups is highly recommended.
To enable the backup functionality, please make sure that the user has the most up to date Keyless App from the App Store or Google Play and follow the steps below:
Make sure that you have enough space on Google Drive to perform a backup (at least 1 MB)
Open the Keyless app and click the gear icon in the top right corner to go to “Settings”
Check "Enable Backups" and wait a few seconds for the operation to be completed successfully.
Make sure that iCloud Drive is enabled on your device and you have enough space to perform the backup (at least 1 MB):
Go to Settings - [Your Name] - iCloud - and make sure iCloud Drive is enabled.
Open the Keyless app and click the gear icon in the top right corner to go to “Settings”.
Check "Enable Backups" and wait a few seconds for the operation to be completed successfully.
Users must make sure they are using one of the supported web browsers. If the problem persists, users may need to clear their cache and cookies.
The user needs to make sure that the face
is fully visible in the preview on the screen.
is not covered by hair, a scarf, a hat, or a mask.
is adequately illuminated.
Make sure that there are no direct light sources on the device's internal camera as these light sources may compromise the enrollment process.
The user must ensure that they have entered their email correctly, and that the phone has an internet connection.
The user must disable "Do not disturb" and "Do not disturb while driving" on the smartphone.
The user must verify that they have enabled notifications for Keyless Authenticator:
On Android devices
Long press on the Keyless Authenticator icon
Open the "App info" item in the menu
Open the "Notifications" item
Make sure that "Show notifications" is enabled
On iOS devices:
Open the Settings application
Open Notifications -> Keyless
Make sure "Allow Notifications" is enabled
Timeouts are a common foundation for security and a consistent source of hidden risk to an end user’s experience.
On Authentication: Most timeouts can be resolved by having the user repeat the action, such as authenticating, and proceed promptly to their next action.
On Pairing: Timeouts equally serve to limit the exposure of a user’s active enrollment.
Users may experience timeouts during registration for several reasons:
A user has reached an active QR scan screen and is still downloading the mobile application, which has led to a timeout of the QR screen. Simply have the user open the app with the scan-QR camera ready and select Try Again on the workstation.
A user has reached the QR screen, and the QR screen has vanished – or timed out – while the user is in the middle of enrolling or registering an authenticator. The user is unfortunately taking too long to complete the pairing. Try and have the user do this again during a troubleshooting session and identify which part of the process is taking the user the most amount of time.
| Field | Description | Value |
| --- | --- | --- |
| Login Icon URI | Can be used as a logon icon for Keyless authentication on the logon page | https://<your-keyless-tenant>/static/keyless.svg |
| Token Issuer | OIDC Issuer | https://<your-keyless-tenant> |
| Token Endpoint URL | OIDC token endpoint URL | https://<your-keyless-tenant>/connect/token |
| Authorize Endpoint URL | OIDC authorization endpoint URL | https://<your-keyless-tenant>/connect/authorize |
| User Info Endpoint URL | OIDC userinfo endpoint URL | https://<your-keyless-tenant>/connect/userinfo |
| Scope | OIDC scope | openid profile email |
| Consumer Key | OIDC Client ID | - |
| Consumer Secret | OIDC Client Secret | - |
| Field | Description | Value |
| --- | --- | --- |
| Login Icon URI | Can be used as the logon icon for Keyless authentication on the OneLogin login page | https://<your-keyless-tenant>/static/keyless.svg |
| Issuer | OIDC issuer URI | https://<your-keyless-tenant> |
| Authentication Endpoint | OIDC authorization endpoint URI | https://<your-keyless-tenant>/connect/authorize |
| Token Endpoint | OIDC token endpoint URI | https://<your-keyless-tenant>/connect/token |
| User Information Endpoint | OIDC userinfo endpoint URI | https://<your-keyless-tenant>/connect/userinfo |
| Client Id | OIDC Client ID | 52c95463e9da3d00c28071ab9 |
| Client Secret | OIDC Client Secret | 24060f8882fca7da11a6e2100fdf05334fd5c67f4f1111ce6c2f44d61720fc |
Once a user is enrolled, authentication with Keyless is fast and secure. The user logs in to the relying party service using only their username. The user then gets a push notification in the Keyless Authenticator app asking them to authenticate by showing their face. Upon successful authentication, the user is granted access to the relying party service.
Users will begin with the link provided in their enrollment email. Users will be asked to login with their corporate account credentials:
Once successfully signed in with their existing username and password, users can scan a QR code with their mobile authentication device using the Keyless Authenticator app:
If a user says that they cannot scan the QR code, ask them to verify that they have allowed the app access to the phone's camera; otherwise they will not be able to scan the code. More information on this process is available in our Account Linking Guide.
The user will then be prompted to authenticate by showing their face in the Keyless Authenticator application. If successfully authenticated, the following screen will appear. The user is now enrolled and their account is activated.
If an existing user tries to re-enroll, Keyless will notify them that they cannot re-enroll, before providing an option to unlink the previous account.