This document will describe the required steps to integrate a Palo Alto Networks Firewall with a Keyless SAML Server.
This document will describe the required steps to integrate an OpenVPN client with Keyless Radius Server.
Nothing to remember. Nothing to steal. You are the key.
Memorized secrets shared between user and platform, better known as passwords, are the biggest design flaw of the internet. Hackers have been figuring out ways to crack passwords since the sixties.
Today, cyber threats are growing increasingly sophisticated, yet the way we authenticate has not evolved. Instead of rethinking how to authenticate and identify users, cybersecurity has centered around bolstering the password so that it is less susceptible to security threats. Unfortunately, none of these solutions addresses the fundamental problem: so long as there is a “password”, there is something for hackers to guess or steal.
“Password fatigue” describes the overwhelming burden users experience when managing their accounts. With the average user estimated to have ninety separate accounts, mandatory password changes and complex password requirements backfire, forcing users to choose weak passwords that they can easily remember.
One of the biggest security challenges with authentication over the decades has been how private credentials are managed. Generally, businesses and platforms store copies of our passwords, PINs and security questions, alongside our personal details. This practice of storing private information in centralized databases essentially creates “honeypots” of our personal data.
These entice hackers to execute large-scale cyber attacks and unfortunately, many attacks are successful, despite the best security efforts of the platform.
At Keyless, we use a combination of advanced cryptographic techniques to eliminate fraud, phishing and credential reuse — all while enhancing customer and employee experiences and protecting their privacy. Our biometric authentication solution offers multi-factor security across devices and platforms with just a look.
Keyless envisions a world where anyone can seamlessly access any digital service from any device, at any time, while keeping personal credentials safe, private and under control. Where the only key is you. A world that is Keyless.
The Keyless Authenticator app removes usernames and passwords from the authentication process, allowing users to login with their biometrics.
There is nothing to remember, nothing to type, nothing to lose or to forget. Nothing to remember means nothing to phish: Keyless embeds strong anti-phishing technology to minimize the risk of fraud and user deception.
A few things you should know before starting the deployment.
As part of your onboarding with Keyless, you should have received the items below. If you don't have one or more of the items, please reach out to your primary Keyless contact or to info@keyless.io.
Click here to get your credentials from our delivery team.
Again, if you are missing one or more of the items above, please reach out to your Keyless rep or to support@keyless.io.
Prerequisites
Mobile device for each employee: Whether it’s the company’s property or employee-owned, a mobile device per person with an internet connection is needed for the optimal password-less MFA experience. Currently iOS 13.4 or higher, on iPhone 6 or newer, and Android 7.0 or higher are supported.
Keyless app installed for each employee: Employees will use the Keyless mobile app for authenticating. It’s available in the App Store and Google Play Store. Downloading the app takes less than one minute.
Browser support: Make sure your employees can use one of the supported browsers. Keyless supports all common web browsers.
Learn about the architecture of the integration based on your preferred federation standards.
Click here to get your credentials from our delivery team.
The following document illustrates how the Keyless Workforce product can be integrated into any IAM to enable biometric authentication. This feature consists mainly of three components:
Keyless Middleware
Keyless Authenticator App
Keyless OIDC/SAML2 Connectors
In some cases, a direct integration can also be carried out using the middleware REST API.
The Keyless middleware serves the purpose of binding Keyless identities to your IAM users. It is also responsible for sending push notifications to the authenticator app.
In order to authenticate with Keyless, a user must first enroll his biometric template. To do so, Keyless provides an enrollment service, which must be protected by the customer IAM for security purposes.
Once a user has enrolled successfully, Keyless can be used as an Identity Provider for the customer IAM and therefore as a means of authentication for the final user.
To start integration, select your identity provider from the list below
For OIDC integrations:

Item | Purpose |
---|---|
Client ID | Identification parameter |
Client Secret | Identification secret |
Well-known URL | The well-known page is a public URL where public information can be gathered, such as Issuer and Endpoints |

For SAML integrations:

Item | Purpose |
---|---|
Login URL | The URL to use for Login |
Logout URL | The URL to use for Logout |
Certificate | Security Certificate to authenticate the backend |

For RADIUS integrations:

Item | Description |
---|---|
Docker Image | Available through Dockerfile, this Docker image contains the Radius connector. |
Configuration Parameters | Parameters necessary to connect to Keyless: KL_DOMAIN, KL_TENANT, KL_AUTHORIZATION_HEADER. |
Keyless Backend Server IP | If necessary, can be used to connect to the Keyless backend. |
clients.conf configuration file | Contains username and password required to download the connector. |
Startup script | This is a script that starts the connector. |
Integration with IAM systems is typically done over SAML or OIDC federation.
On-premise and VPN integrations typically leverage the RADIUS protocol.
Nothing to remember. Nothing to steal. You are the key.
Keyless is building a privacy-first biometric authentication platform that eliminates the need for businesses to centrally store and manage passwords, sensitive cryptographic keys, and other authentication data, without compromising on convenience and privacy for their users.
Keyless easily integrates with a wide variety of systems and leverages standard protocols like SAML, OpenID Connect, and RADIUS to make it simple to add security-enhancing and privacy-preserving passwordless authentication to your existing applications and workstations.
Using the Keyless Authenticator, you can easily get up and running with your integration. Check out the User Guide to learn how to download and use the Authenticator from the App Store or the Google Play Store on your smartphone.
Here you'll find everything you need to deploy security-enhancing and privacy-preserving passwordless authentication to your workforce.
For more information on Keyless and our integrations, visit us at keyless.io or reach out directly to info@keyless.io.
To get up and running swiftly, follow the steps below for a step-by-step quick start tutorial:
Step 1: Make sure you meet the prerequisites.
Step 2: Understand the Integration flows.
Step 4: Rollout to your organization.
Resources to help you learn about Keyless and the technology.
Resources to help you rollout Keyless to your organizations and employees in a frictionless manner.
Use these email templates to inform your team that you're rolling out Keyless.
To be sent 1-2 weeks before rollout.
Subject:
Keyless Passwordless Authentication is coming!
Content:
Dear [name], the IT team is notifying you that your login experience will soon improve. Keyless is being deployed to make your login experience faster, safer, and easier.
Why are things changing? The modern day employee wastes on average 24 hours per year logging into systems and apps. With Keyless, you no longer have to worry about passwords, writing them down, resetting them, or the time it takes to type them in. Keyless protects you against phishing, credential reuse, and account takeover by taking passwords out of the equation.
Starting [month, day] you will use your mobile device with the Keyless mobile app installed to login to your SSO. Say goodbye to your security hardware token or typing of usernames, passwords or codes at every login.
To be sent on the week of the rollout.
Subject:
Keyless Authentication is here!
Content:
In a couple of days we will be rolling out Keyless, the new authentication solution, which will remove your need to use passwords. Keyless will make your login experience faster, safer and easier.
Starting [month, day] you will use your mobile device with the Keyless mobile app installed to approve every login to your SSO.
Any questions, please reach out to the support team at {insert email alias}.
This message should be sent on the enrollment date.
Subject:
Keyless is Live!
Content:
Today you will enroll in Keyless, the new passwordless authentication solution! Keyless will make your login experience faster, safer and easier. Follow the below steps to begin:
Step 1: If you haven't done so yet, please download the Keyless application. Search for “Keyless” on the iOS App Store or in your Google Play Store to install the app.
Keyless is the leading provider of best-in-class privacy-preserving passwordless authentication. Keyless lets you log into your desktop, mobile and web applications with your mobile device. Your personal data can never be accessed by anyone except yourself. More information is coming soon!
Enroll by downloading the Keyless Authenticator from the or the and by following the in-app steps and the .
Step 2: Use the following link {insert link} to link your account and complete the enrollment using the app. Congrats, you are now enrolled in Keyless. To learn how to use Keyless, please refer to this . Any questions, please reach out to the support team at {insert email alias}.
Learn what Keyless can do for your organization.
Understand how Keyless integrates via SAML, OIDC or RADIUS flows.
Ensure you have everything you need in order to get started.
In this use case, Keyless authentication is connected with a RADIUS server.
The Keyless RADIUS Connector must be deployed in the customer infrastructure and it must be able to talk to the VPN server.
The picture below shows a logical representation of this scenario with all the services that will be involved from a Keyless and a customer perspective:
To start integration, select your VPN provider from the list below
Everything you need to know and do to help you deploy Keyless seamlessly in your organization
Keyless is committed to providing you with the best experience possible. We want to be sure you have what you need, whether that be guidance on how to use our product, or where to go for help. By deploying Keyless, you will take a big step toward safeguarding yourself and your organization from data theft and account takeover, while improving the user experience across the organization.
Best practices for rolling Keyless to your organization after you've completed the initial integration.
Everything you need to know and do to help you deploy Keyless seamlessly in your organization.
This guide is for Admins, IT managers and Help Desk staff who are supporting a Keyless deployment.
Getting started and support guides for your users and employees.
Prepare your internal workforce ahead of the Keyless deployment.
Prerequisites
Mobile device for each employee: Whether it’s the company’s property or employee-owned, a mobile device per person with an internet connection is needed for the optimal password-less MFA experience. Currently iOS 13.4 or higher, on iPhone 6 or newer, and Android 7.0 or higher are supported.
Keyless app installed for each employee: Employees will use the Keyless mobile app for authenticating. It’s available in the App Store and Google Play Store. Downloading the app takes less than one minute.
Browser support: Make sure your employees can use one of the supported browsers listed in the Useful information section below. Keyless supports all common web browsers.
Users will begin with the link provided in their enrollment email. Users will be asked to login with their corporate account credentials:
Once successfully signed in with their existing username and password, users can scan a QR code with their mobile authentication device using the Keyless Authenticator app:
The user will then be prompted to authenticate by showing his face in the Keyless Authenticator application. If successfully authenticated, the following screen will appear. The user is now enrolled and his account is activated.
Emails can be re-sent to users. If an existing user tries to re-enroll, Keyless will notify him that he cannot re-enroll before deleting his previous account.
If an existing user tries to re-enroll with his existing device, Keyless will notify him that he cannot re-enroll before deleting his previous account.
Notifying employees and providing clarity around the deployment.
Get your IT or Support teams ready
We wish there was more to request, but these are really the only prerequisites we have for your employees.
If a user says that they cannot scan the QR code, ask them to verify that they have allowed the app access to the phone’s camera; otherwise they will not be able to scan the code. More information on this process is available in our
This guide is for Admins, IT managers and Help Desk staff who are supporting a Keyless deployment.
User Experience is at the forefront of Keyless products, and we understand that the experience of using Keyless can be new and confusing in certain environments, especially if people have grown accustomed to insecure passwords such as qwerty, password, and 123456.
Rolling out passwordless MFA to your company can produce questions from your end-users. This document is designed to provide you with quick answers to issues experienced by users and a structure for diagnosing and supporting their passwordless journey.
Help desk and IT staff are an important component of any Keyless deployment. Education and awareness are key factors in ensuring their success and ultimately your success in deploying Keyless. Use these resources to train your team in supporting Keyless users throughout the deployment.
Additional content and information that can help you during your Keyless rollout
Some terms you may encounter in this documentation, among your internal IT team, or from end users
The process of adding an account to the Keyless Authenticator application. In a quick, 30-second process, the end user can add an account by scanning a QR code and authenticating using the Keyless Authenticator application.
The process of using the Keyless Authenticator application to gain access to certain applications, services or workstations.
The act of removing a Keyless account associated with a specific user.
The web or workstation service which an administrator uses to generate policies and access for users of a specific service.
A user’s authentication device type (iPhone, Android, etc).
This is an out-of-band authentication request that is sent to the Keyless Authenticator App on an enrolled device.
The Keyless team is available to assist with any request through our help service portal available online. There, you will be able to view existing requests submitted for your organization and can request new tickets.
Once a user is enrolled, authentication with Keyless is fast and secure. The user simply logs in to the relying party service using only his username. The user will then get a push notification to the Keyless Authenticator app asking him to authenticate by showing his face. Upon successful authentication, the user will be granted access to the relying party service.
For a full walkthrough of the authentication flow, please refer to the End User Guide.
Pieces of information that could help you provide better support for your employees.
Enabling backups is highly recommended.
To enable the backup functionality, please make sure that the user has the most updated Keyless App from the App Store or Google Play and follow the steps below:
On iOS devices:
Make sure that iCloud Drive is enabled on your device and you have enough space to perform the backup (at least 1 Mb):
Go to Settings - [Your Name] - iCloud - and make sure iCloud Drive is enabled.
Open the Keyless app and click the gear icon in the top right corner to go to “Settings”.
Check "Enable Backups" and wait a few seconds for the operation to be completed successfully.
On Android devices:
Make sure that you have enough space on Google Drive to perform a backup (at least 1 Mb).
Open the Keyless app and click the gear icon in the top right corner to go to “Settings”.
Check "Enable Backups" and wait a few seconds for the operation to be completed successfully.
Users must make sure they are using one of the supported web browsers. If the problem persists, users may need to clear their cache and cookies.
The user needs to make sure that the face:
is fully visible in the preview on the screen.
is not covered by hair, a scarf, a hat, or a mask.
is adequately illuminated.
Make sure that there are no direct light sources on the device's internal camera, as these light sources may compromise the enrollment process.
The user must ensure that they have entered their email correctly, and that the phone has an internet connection.
The user must disable "Do not disturb" and "Do not disturb while driving" on the smartphone.
The user must verify that they have enabled notifications for Keyless Authenticator:
On Android devices:
Long press on the Keyless Authenticator icon
Open the "App info" item in the menu
Open the "Notifications" item
Make sure that "Show notifications" is enabled
On iOS devices:
Open the Settings application
Open Notifications -> Keyless
Make sure "Allow Notifications" is enabled
Timeouts are a common foundation for security and a consistent source of hidden risk to an end user’s experience.
On Authentication: Most timeouts can be resolved by having the user repeat the action, such as authentication, and then quickly proceeding to their next action. On Pairing: Timeouts equally serve to limit the exposure of a user’s active enrollment.
Users may experience timeouts during registration for several reasons:
A user has reached an active QR scan screen and is still downloading the mobile application, which has led to a timeout of the QR screen. Simply have the user open the app with the QR scanner ready and select Try Again on the workstation.
A user has reached the QR screen, and the QR screen has vanished (timed out) while the user is in the middle of enrolling or registering an authenticator. The user is unfortunately taking too long to complete the pairing. Have the user try again during a troubleshooting session and identify which part of the process is taking the user the most time.
Provide your employees with detailed instructions on how to use Keyless.
This guide details the steps required to configure Keyless as a passwordless authentication solution for your Okta cloud instance.
Keyless and Okta deliver true passwordless authentication for the workforce and for consumers.
This document provides a step-by-step introduction for configuring Okta to work with Keyless. In this guide Keyless will be set up as both an OpenID Connect service provider and an OpenID Connect identity provider for Okta.
The OpenID Connect SP configuration is configured to allow users to authenticate with Okta into the Account Linking page.
The OpenID Connect IdP configuration allows enrolled users to authenticate with Keyless to get access directly into their Okta portal or Okta enabled apps.
Make sure to visit the Keyless Support Center. In the Support Center you will find links to documentation, guides, and important information. In addition, you can contact Keyless support via our help desk service.
The Keyless team is available to assist with any request through our help service portal available online. There, you will be able to view existing requests submitted for your organization and can request new tickets:
Step 1: Start from our Support Center available online at http://keyless.io/support.
Step 2: Click “Support Request” from the main support page. This will redirect you to the Keyless service desk:
Step 3: Click "Create a ticket" and provide as much context as possible, so that we are well positioned to provide speedy support.
Step 4: Upon successful creation, you should receive a confirmation email that includes a link you can use to track the support request. A support team member will reach out to you about your new request and work with you to make sure it is addressed.
Step 5: To view tickets you have raised or have been added to - once signed in, tap "Requests" button at the top right corner of the screen. This page provides an overview of all requests you have submitted including information on creation time, activity, and status.
Level 3 Support has the ability to contact Keyless Support directly to raise issues that have no clear resolution. Keyless support will work with your teams to reach rapid resolution. You can access the support portal. The support portal serves several purposes. You can:
Raise and monitor support requests
Browse our documentation and knowledge base
Find the latest Keyless product offering
Once you are logged into the portal you can submit a request by tapping the “Submit Request” button.
Use the description text that best matches the scenario. An example of a request containing information which will reduce the time to resolution may include:
Phone Model: iPhone 8
Phone OS: iOS 13.2.2
Time of Issue: I experience the issue from as early as 4:30 a.m. EST to as late as 9:30 p.m. EST when trying after hours
Place of Issue: Office
Relevant Log Files/Screenshots: as attachments
Issue: User is unable to unlock their workstation using Keyless
Steps taken when issue is experienced:
Step 1 ....
Step 2...
Step 3...
The Keyless Authenticator application contains an easy to use menu to enable the user to provide help desk teams with information about the user's associated software and devices.
Encouraging users to upgrade to the latest version of the Keyless Authenticator application and the latest available operating system may improve application performance and reduce the risk of bugs while improving the security of the user experience.
To guide a user in how to submit mobile information to your organization, ask the user to select the Settings menu, or gear in the top right corner of the main screen of their mobile app. From here, have the user select “Contact Support” and the user’s email service will appear with the contents of the message.
If the user receives an error message and their email service does not appear, this indicates the user’s email client is not currently configured. Inform the user and ask them if they would be interested in setting up their email client on their mobile device.
The OpenID Connect SP configuration is configured to allow users to authenticate with Okta into the Account Linking page.
Prerequisites
Login and Logout redirect URIs provided to you by Keyless.
Log into your Okta administration portal.
Go to "Applications" on the top menu and click "Applications".
Click "Add Application".
Click "Create New App".
Select "Web" as the platform and "OpenID Connect" as the Sign on method, then click the "Create" button.
Name the app "Keyless Account Linking". You can also optionally provide an App logo here, which will display as an icon in the user's portal.
Add the login and logout redirect URI that were provided to you by Keyless.
The new application has just been created. On the page that shows up, click on the "Edit" button and change the allowed grant types by selecting Implicit (Hybrid) -> Allow ID Token with implicit grant type and Allow Access Token with implicit grant type.
On the Assignments tab in that same page, click on the Assign button -> Assign to Group. Here you can choose which group of users will access the application. In this case we will choose “Everyone”, which will let every user of the org use the Keyless account linking application.
Back on the General tab, at the bottom of the page, take note of the Client ID and of the Client Secret that Okta provided to you and pass them on to Keyless through a secure third-party method.
A few things you should know before starting the deployment.
As part of your onboarding with Keyless, you should have performed the steps below:
Provide the Keyless IT department with the domain name of your ADFS service.
Update the ADFS configuration to trust the domain names of the Keyless SAML connectors (SP & IdP) that Keyless provided you with.
Ensure that the firewall policy of your local network allows the following:
The ADFS service must be reachable by our SP and IdP.
For account linking, the user browser must be able to communicate with the SP and the ADFS instance.
For authentication, the user browser must be able to communicate with the IdP and the ADFS instance.
The EUD must be able to communicate with the Keyless Infrastructure.
If you think that you are missing one or more of these prerequisites, please reach out directly to support@keyless.io.
This guide details the steps required to configure Keyless as a passwordless authentication solution for your ForgeRock instance.
The OpenID Connect IdP configuration allows enrolled users to authenticate with Keyless to get access directly into their Okta portal or Okta enabled apps.
From your Admin dashboard, go to "Security" on the top menu and click "Identity Providers":
Click "Add Identity Provider" and select "Add OpenID Connect IdP".
In the following screen configure the following:
Values are extracted from the well-known file you received from Keyless.
If you don’t want to assign users to a specific group through JIT (Just in Time) provisioning, select the option “Redirect to sign-in page” under "If no match found". This will block the use of Keyless authentication as a profile master, letting the Okta account system manage the user’s membership in the org.
At the end of the configuration, click on "Update Identity Provider". On the Identity Providers page, you will see that your IdP has been created. If you expand its information view, you will see all the details you need to use the external IdP on a deployed Keyless Auth service. Take note of the IdP ID and Redirect URI.
At this stage, please provide Keyless with the following through a secure channel:
Client ID and Secret of Account Linking App.
Client ID and Secret of Identity Provider.
IdP ID and Redirect URI of the Identity Provider.
Under "Identity Providers" go to "Routing Rules" to configure which users and groups will have access to the Keyless Identity Provider and will use Keyless as their authentication method.
Make sure that the Keyless Account Linking application is configured to use the default Okta identity provider (as the first rule) so that users will be able to link their account properly.
Integrating Keyless with Active Directory Federation Services
This integration provides a Keyless multi-factor authentication prompt to web-based logins through an AD FS Identity Provider and/or Web Application Proxy. After completing primary authentication to the AD FS server, your users will be required to complete a Keyless challenge before getting redirected back to the relying party.
A high-level architecture diagram of the integration can be found below.
Common issues and solutions for Keyless and ADFS integration.
Please confirm that you are able to reach https://<customer>-registration.keyless.technology/metadata/ from your network, where <customer> is the domain given to you by Keyless.
Select the <customer>-registration.keyless.technology ‘Relying Party Trust’ in ADFS
Click on ‘Edit Access Control Policy'
Select ‘Permit specific group'
Please open PowerShell as administrator on your ADFS and enter this command:
On the ADFS ‘Home Realm Discovery’ screen, the browser on users’ devices may cache the list of login options. Clearing the cookies in the browser solves the problem.
Integrating Keyless with Active Directory Federation Services
This guide details the steps required to configure Keyless for your ADFS instance. Integrating Keyless with ADFS is a simple 2-step process that you can get up and running in less than 10 minutes.
This guide assumes that you have experience installing and configuring Windows Server 2016 or 2019, Active Directory, and Active Directory Federation Services (ADFS) 2016 or 2019.
For more information on installing ADFS, please see the ADFS 2016 Deployment Guide.
Log in to your ADFS Management portal from your Server Manager by clicking "Tools" from the top navigation bar and selecting "AD FS Management".
Once you are in the AD FS Management Portal, right click on “Relying Party Trust” and select “Add Relying Party Trust…” from the right-pane menu, as shown in the image below.
This will open a 5-step wizard. In the first step of the wizard, select the default value of “Claims Aware” and click “Start”.
In the following screen, import data about the relying party published online. Enter your metadata URL, which was provided during the provisioning of your account. For this example we are using https://contoso-poc-registration.keyless.technology/metadata/ where <contoso-poc> represents the handle used to identify your instance.
For provisioning questions, contact support@keyless.io
After inserting the URL, click “Next”.
You may now optionally change the Display name for the relying party, and add an optional note. This is a friendly name that will be displayed to administrators in the AD FS console and to end users. Click “Next” once done.
In the next step, you will be required to define the access control policy; this configures which users and groups will be able to register and use Keyless. After selecting the proper users and groups, click “Next”.
The next step, called “Ready to Add Trust”, is an overview of the configuration from the previous steps. Please take a minute to review the parameters configured and click "Next" when ready.
In the last step, leave the checkbox checked. When done, click “Close” and finish the process of adding the Relying Party Trust.
After completing Step 1 above, you should be able to see the new relying party trust you’ve just created under the “Relying Party Trusts” folder in your AD FS Management Portal.
Right-click on the relying party trust you’ve just added, and select “Edit Claim Issuance Policy” from the menu.
In this step you will define the rules that will transform the claims sent to the Keyless relying party.
Go ahead and define two rules by clicking “Add Rule” in the bottom part of the dialog:
Rule 1: Send UPN as Email Address
Rule Type: “Send LDAP Attributes as Claims”
Rule Name: “Send UPN as email address”
LDAP Attribute: User-Principal-Name
Outgoing Attribute: E-mail Address
After clicking "Finish" you should see the following rule:
Rule 2: Send UPN as NameID
Rule Type: “Send LDAP Attributes as Claims”
Rule Name: “Send UPN as NameID”
LDAP Attribute: User-Principal-Name
Outgoing Attribute: Name ID
After adding these two rules, you should see the following list of rules in the “Issuance Transform Rules” dialog.
Click "Apply" and "OK" to save your changes.
If you would like to configure Keyless as an MFA method for your ADFS connected applications, go to the next chapter "Authentication".
Configure Keyless as an MFA method for your ADFS connected applications.
This guide details the steps required to configure Keyless as the authentication method for your ADFS instance.
Please complete Integrating Keyless with Active Directory Federation Services before moving on to this guide.
This guide assumes that you have experience installing and configuring Windows Server 2016 or 2019, Active Directory, and Active Directory Federation Services (ADFS) 2016 or 2019.
For more information on installing ADFS, please see the ADFS 2016 Deployment Guide.
Log in to your ADFS Management portal from your Server Manager by clicking "Tools" in the top navigation bar and selecting "AD FS Management".
Once you are in the AD FS Management Portal, right click on “Relying Party Trust” and select “Add Relying Party Trust…” from the right-pane menu, as shown in the image below.
This will open a 4-step wizard. In the first step of the wizard, select the default value of “Claims Aware” and click “Start”.
In the following screen, import data about the claims provider published online. Enter the metadata URL that was provided during the provisioning of your account. For this example we are using https://<acme-idp>.keyless.technology/metadata/ where <acme-idp> represents the handle used to identify your instance.
For provisioning questions, contact support@keyless.io
You may now optionally change the Display name for the claims provider, and add an optional note. This is a friendly name that will be displayed to administrators in the AD FS console and to end users. Click “Next” once done.
The next step, called “Ready to Add Trust”, is an overview of the configuration from the previous steps. Please take a minute to review the parameters configured.
After completing Step 1 above, you should be able to see the new Claims Provider Trust you’ve just created under the “Claims Provider Trust” folder in your AD FS Management Portal.
Right-click on the Claims Provider Trust you’ve just added, and select “Edit Claim Rules” from the menu.
In this step you will define the rules that will transform the claims sent to AD FS from Keyless.
Go ahead and define three rules by clicking “Add Rule” in the bottom part of the dialog:
Rule 1: Pass through Name ID as Windows account name
Rule Template: Transform an incoming claim
Claim rule name: “Pass through Name ID as Windows account name"
Incoming claim type: Name ID
Incoming name ID format: Unspecified
Outgoing claim type: Windows account name
Select the "Pass through all claim values" bullet button.
Rule 2: Pass through Name ID as UPN
Rule Template: Transform an incoming claim
Claim rule name: “Pass through Name ID as UPN"
Incoming claim type: Name ID
Incoming name ID format: Unspecified
Outgoing claim type: UPN
Select the "Pass through all claim values" bullet button.
Rule 3: Set Group Keyless
Rule Template: Send Claims Using a Custom Rule
Claim rule name: “Set Group Keyless"
Custom rule:
c:[]
=> issue(Type = "http://schemas.xmlsoap.org/claims/Group", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "keyless", ValueType = c.ValueType);
Click "Apply" and "OK" to save your changes.
Please open PowerShell as administrator on your ADFS server and enter this command (after replacing <keyless-registration-domain> with the domain provided to you by Keyless):
This assumes that there is at least one user already enrolled with Keyless and that can be used for this test.
Go to https://<your-adfs-domain>/adfs/ls/idpinitiatedsignon.htm and select the "Sign in to this site" option.
Click on the identity provider associated with Keyless IdP:
Here, provide the username (UPN format) of the test user and click the 'Continue' button.
At this point, the user should receive a push notification in the Keyless Authenticator app on their mobile phone. Once authenticated on the phone, the user should be logged in.
The following guide explains how to connect Keyless to your AWS Cognito User Pool, so that your users can log in to your web app through biometric authentication.
To enable Keyless authentication, login to your AWS Cognito dashboard and follow these steps:
Click on Federation > Identity Providers
Click on OpenID Connect
Insert ClientID, Client Secret and Issuer provided to you by Keyless, and configure the rest as shown in the following picture:
Click on Run discovery to make sure the IdP can be reached successfully
To let your users enroll on Keyless through AWS Cognito, follow these steps:
Click on General Settings > App Clients
Click on Add another app client
Choose an app name (typically keyless_registration) and make sure Generate client secret is checked. Leave the default values for the rest.
Send Client ID and Client Secret to Keyless
Your configuration should look like the following image:
Click on App integration > App client settings
Insert Callback URL(s) and Sign out URL(s) provided to you by Keyless
Configure the rest as shown in the following image:
This guide details the steps required to configure Keyless as a passwordless authentication solution for your Auth0 cloud instance.
Keyless and Auth0 have partnered to deliver true passwordless authentication for the workforce and for consumers.
This document provides a step-by-step introduction for configuring Auth0 to work with Keyless. In this guide Keyless will be set up as both an OpenID Connect service provider and an OpenID Connect identity provider for Auth0.
In order to enable your users to authenticate into Auth0 enabled apps via Keyless you’ll need to configure Keyless as a trusted IdP on Auth0.
As part of the onboarding process you’ll receive the following pieces of information from Keyless to complete a Trusted IdP configuration.
The steps are as follows
Create a new Enterprise Connection (IdP): go to Authentication → Enterprise → OpenID Connect and click on the (+) icon
Provide a name for the Connection
Fill in OIDC Discovery URL in Issuer Field
Fill in ClientID provided by Keyless
Make a note of the callback URL that needs to be sent to Keyless
Click Save
Once saved, go to Settings and on the General tab do the following:
Select Back Channel as Type
Fill in client Secret field
Click Save Changes
Click on the ellipsis (...) icon on the Connection just saved, then click Try Now
This will initiate a Keyless authentication
On successful authentication you’ll see the connection data
To enable enrolment of your users to Keyless we’ll need to configure a client application on Auth0. Parameters required to create the application on Auth0 are provided in your Keyless onboarding package. Once the application is configured you’ll need to send some configuration information back to Keyless to complete the configuration on the Keyless end.
Following are the pieces of information from Keyless required to configure Auth0 Application:
Create Application: Applications --> Create Application --> Regular Web Applications
On Settings tab of the Application just created
Make a note of the following items that need to be sent back to Keyless:
Domain
Client ID
Client Secret
Fill in the following information from the URLs provided by Keyless
Allowed Callback URL, which is the Login URL (in the table below)
Allowed Logout URL which is the Logout URL provided
Allowed web origins which is the Redirect URI provided
Parameter | Description | Example |
---|---|---|
Login URL | OIDC Client configuration provided by Keyless | https://<your-enrolment-server>/signin-oidc |
Redirect URI | OIDC redirect URI provided by Keyless | https://<your-enrolment-server>/signin-oidc |
Logout URL | OIDC logout URL provided by Keyless | https://<your-enrolment-server>/signout/callback |
Keyless Enrolment URL | URL of the Keyless Enrolment page for end users, provided by Keyless | https://<your-enrolment-server>/ |
Login Icon | Can be used as the logon icon for Keyless authentication on the Auth0 login page | |

Parameter | Description | Example |
---|---|---|
Discovery URL | OIDC Discovery endpoint provided by Keyless | https://<your-keyless-tenant>/.well-known/openid-configuration |
Client ID | OIDC Client ID specific to your organization, provided by Keyless | - |
Client Secret | OIDC Client Secret provided by Keyless | - |

Field | Value |
---|---|
Name | "Keyless" |
Client ID | [an ID of your choice, which will need to be provided to Keyless] |
Client Secret | [a secret of your choice, which will need to be provided to Keyless] |
Scopes | email, openid, profile |

Field | Value |
---|---|
Issuer | issuer |
Authentication Endpoint | authorization_endpoint |
Token Endpoint | token_endpoint |
JWKS Endpoint | jwks_uri |
User Info Endpoint | userinfo_endpoint |

Field | Value |
---|---|
IdP Username | idpuser.externalId |
Match Against | Okta Username |
Account Link Policy | Automatic |
Auto-Link Restrictions | None |
If no match is found | Create New User (JIT) |
Profile Source | check |
Group Assignments | None |
This guide details the steps required to configure Keyless as a passwordless authentication solution for your ForgeRock instance.
This integration relies on the ForgeRock OIDC Node which is available in AM6.0 or greater.
As part of your onboarding process with Keyless, you should have received the following:
OpenID Connect Client ID
OpenID Connect Secret
OpenID Discovery URL
Create or modify a tree to use the OpenID Connect Node
Enter the following values for each configuration option in the OpenID Connect Node
Open a private window in your browser.
Navigate to the login page of the realm that Keyless is configured for.
Enter your username and authenticate with Keyless on your mobile device (make sure to use a user that is enrolled to Keyless)
You should now be logged into the ForgeRock portal.
This document provides a step-by-step introduction for configuring OneLogin to work with Keyless. In this guide Keyless will be set up as both an OpenID Connect service provider and an OpenID Connect identity provider for OneLogin.
In order to enable your users to authenticate into OneLogin dashboard via Keyless you’ll need to configure Keyless as a trusted IdP on OneLogin.
As part of the onboarding process you’ll receive the following pieces of information from Keyless to complete a Trusted IdP configuration.
The steps are as follows
Create a new Trusted IDP: Go to Authentication → Trusted IdPs → New Trust
Provide a name for the Trusted IdP configuration e.g. Keyless
Check Enable Trusted IDP
Check Show In Logon Panel, this will require you to choose an icon (default Keyless icon provided in onboarding package)
Fill in issuer URI
Check the following options:
Sign users into OneLogin
Sign users into additional applications
Send Subject Name ID or Login Hint in Auth Request
On User attribute section:
Fill in {tidp.preferred_username}
Select Email in User Attribute Mapping
Select OIDC as the authentication protocol type and fill in the following fields in the OIDC Configuration section (the OIDC endpoint URIs, Client ID and Secret values are provided in the Keyless onboarding package):
Authentication Endpoint
Select POST as Token Endpoint Authentication Method
Token Endpoint
User Information Endpoint
In Scopes field type in: openid email profile
On Client Id & Client Secret fields fill in the values provided by Keyless
Click Save; that completes the Trusted IdP configuration.
To enable enrolment of your users to Keyless we’ll need to configure a client application on OneLogin. Parameters required to create the application on OneLogin are provided in your Keyless onboarding package. Once the application is configured you’ll need to send some configuration information back to Keyless to complete the configuration on the Keyless end.
Following are the pieces of information from Keyless (provided in your onboarding package) required to configure the OneLogin Application:
Following are the Steps to configure the application:
Go to Applications → Add App
Search OIDC on Find Applications and select OpenId Connect (OIDC)
On Configuration screen provide a display name and uncheck Visible in portal and click Save
Under Configuration tab provide the following parameters provided by Keyless
Login Url
Redirect URIs (a single URI)
Post Logout URIs (a single URI)
Under the SSO tab, make a note of the following three pieces of information that need to be sent back to Keyless for configuration on the Keyless end:
Client ID
Client Secret
Issuer URL
Make sure that Application Type is Web
Token Endpoint section Authentication Method is POST
Additionally, on the Users tab select the relevant users/groups to allow them to enrol with Keyless
Click Save to complete the configuration.
Your users now can use the Keyless enrolment URL provided to enrol their devices with Keyless
If you do not have one or more of these items, please reach out to .
Field Name | Value |
---|---|
Authentication Endpoint URL | To be found in the provided Discovery URL |
Access Token Endpoint URL | To be found in the provided Discovery URL |
User Profile Service URL | To be found in the provided Discovery URL |
OAuth Scope | |
Redirect URL | Depends on your deployment configuration, typically: |
Social Provider | |
Auth ID Key | |
Use Basic Auth | |
Account Provider | |
Account Mapper | |
Account Mapper Configuration | |
Save Attributes in the Session | |
Token Issuer | To be found in the provided Discovery URL |
OpenID Connect Validation Type | |
OpenID Connect Validation Value | To be found in the provided Discovery URL |

Parameter | Description | Example |
---|---|---|
Login Icon URI | Can be used as the logon icon for Keyless authentication on the OneLogin login page | https://<your-keyless-tenant>/static/keyless.svg |
Issuer | OIDC issuer URI | https://<your-keyless-tenant> |
Authentication Endpoint | OIDC authorization endpoint URI | https://<your-keyless-tenant>/connect/authorize |
Token Endpoint | OIDC token endpoint URI | https://<your-keyless-tenant>/connect/token |
User Information Endpoint | OIDC userinfo endpoint URI | https://<your-keyless-tenant>/connect/userinfo |
Client Id | OIDC Client ID | 52c95463e9da3d00c28071ab9 |
Client Secret | OIDC Client Secret | 24060f8882fca7da11a6e2100fdf05334fd5c67f4f1111ce6c2f44d61720fc |

Parameter | Description | Example |
---|---|---|
Login URL | OIDC Client configuration | https://<your-enrolment-server>/signin-oidc |
Redirect URI | OIDC redirect URI | https://<your-enrolment-server>/signin-oidc |
Post Logout Redirect URI | OIDC Logout URI | https://<your-enrolment-server>/signout/callback |
Keyless Enrolment URL | URL of the Keyless Enrolment page for end users | https://<your-enrolment-server> |
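The Okta, ForgeRock and OneLogin tables above all take their endpoint values from the same OIDC discovery document. The following added Python example (not Keyless's or any vendor's code) parses a constructed sample discovery document, maps it onto the console field names used above, and flags the checks worth making before saving an IdP configuration: the issuer matches the URL the document came from, every endpoint is https, the openid/profile/email scopes are advertised, and the token endpoint accepts client_secret_post. The tenant hostname and document contents are constructed.

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery document (not a real Keyless tenant); the endpoint
# paths follow the /connect/* examples shown in the OneLogin table above.
SAMPLE_ISSUER = "https://your-keyless-tenant.example"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/connect/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/connect/token",
    "userinfo_endpoint": SAMPLE_ISSUER + "/connect/userinfo",
    "jwks_uri": SAMPLE_ISSUER + "/.well-known/openid-configuration/jwks",
    "scopes_supported": ["openid", "profile", "email"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
}

# Console field name (as in the Field/Value mapping table above) -> discovery document key
FIELD_TO_DISCOVERY_KEY = {
    "Issuer": "issuer",
    "Authentication Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "JWKS Endpoint": "jwks_uri",
    "User Info Endpoint": "userinfo_endpoint",
}
REQUIRED_SCOPES = {"openid", "profile", "email"}


def discovery_url_for(issuer: str) -> str:
    """Where the discovery document for an issuer must live (OIDC Discovery 4.1)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def sample_discovery_json(**overrides) -> str:
    """Serialise the constructed sample, optionally overriding keys (used for negative checks)."""
    doc = dict(SAMPLE_DISCOVERY)
    doc.update(overrides)
    return json.dumps(doc)


def extract_idp_fields(discovery_json: str, fetched_from: str,
                       required_auth_method: str = "client_secret_post"):
    """Map a discovery document onto the console fields and report anything that
    would make the IdP configuration unsafe or non-functional."""
    doc = json.loads(discovery_json)
    problems = []
    issuer = doc.get("issuer", "")

    # OIDC Discovery 4.3: the issuer value MUST match the URL the document was
    # fetched from; otherwise a document could claim to speak for another issuer.
    if discovery_url_for(issuer) != fetched_from:
        problems.append(f"issuer {issuer!r} does not match discovery URL {fetched_from!r}")

    fields = {}
    for field, key in FIELD_TO_DISCOVERY_KEY.items():
        value = doc.get(key)
        if not value:
            problems.append(f"discovery document lacks {key}")
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https: {value}")
        elif parsed.netloc != urlparse(issuer).netloc:
            # Conservative sanity check (not a spec requirement): a single-tenant
            # IdP is expected to serve all of its endpoints from the issuer host.
            problems.append(f"{key} host differs from issuer host: {value}")
        fields[field] = value

    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("IdP does not advertise scopes: " + ", ".join(sorted(missing)))

    # Per spec, an absent key means only client_secret_basic is supported.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if required_auth_method not in methods:
        problems.append(f"token endpoint does not support {required_auth_method}")

    return fields, problems
```

In a live setup the document would be fetched over HTTPS from the Discovery URL in the onboarding package and passed in as `discovery_json` together with that URL.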
The following two sections cover Keyless integration with two Ping Identity solutions: PingOne Cloud SSO and PingFederate.
The following guide takes you through the process of enabling passwordless biometric authentication on ForgeRock Identity Cloud to provide an enhanced passwordless authentication experience to users.
Keyless and ForgeRock have partnered to deliver true passwordless authentication for the workforce and for consumers.
This document provides a step-by-step introduction for configuring ForgeRock to work with Keyless. In this guide Keyless will be set up as both an OpenID Connect service provider and an OpenID Connect identity provider (Social Identity Provider) for ForgeRock Identity Cloud.
Following is a short video to demonstrate Keyless authentication experience to Forgerock Identity Cloud.
All configuration will be performed on Forgerock Identity Cloud Platform Admin Console.
Log on to Forgerock Identity Cloud Platform Admin console for your tenant:
From the Platform Admin Console Dashboard select the realm we will be doing this configuration for and navigate to Native Consoles --> Access Management.
From the Dashboard click on the Services tile and click on the Social Identity Provider Service link.
Click on the Secondary Configurations tab, click on the Add a Secondary Configuration dropdown and select OIDC Provider.
Select a name for our IdP client configuration; the table below provides a list of the configuration items that need to be filled in.
Ensure that we click the Save button to save our IdP configuration, and click the Enabled toggle button at the top to make our IdP configuration active.
Following is a sample normalization script (groovy) for our Keyless Social IdP
Next we'll need to configure an authentication Tree to enable our Social authentication: from realm dashboard select Authentication --> Trees --> Create Tree and provide a name: e.g. KeylessAuth
At this point you can access Forgerock Identity Cloud end user dashboard: you'll be prompted to authenticate with Keyless (as Keyless is the only authentication mechanism configured in this specific Auth tree as shown above)
URL: https://<<my-forgerock-tenant>>/am/XUI/?realm=/<<my-realm-name>>&authIndexType=service&authIndexValue=<<my-Auth-Tree-Name>>#/
Here's an alternative sample auth tree that provides options for both password based & Keyless (passwordless) authentication
For enrolment with keyless we'll need to create a new Application on Forgerock Identity Cloud for Keyless OIDC Service provider.
From our realm dashboard select Applications-->OAuth 2.0 --> Clients --> Add Client
Fill in the information required as described below:
Client ID: Provide a client ID: e.g. KeylessEnrolmentClient,
Client Secret: generate a client secret
If a Client ID and Secret have been provided by Keyless (that is, the enrolment service has already been created for you by Keyless), use those to populate the parameters above. If we are creating our own Client ID and Client Secret, both need to be sent back to Keyless for configuration on the Keyless Enrolment service.
Redirection URIs: A list of redirection URIs for your Keyless tenant has been provided by Keyless
Scope & Default Scope enter the following: openid profile cn mail
Click Create button and continue
Click on Advanced tab and configure the following:
Grant Types select : Authorization_Code & Implicit
Token Endpoint Authentication Method select: client_secret_post
Custom Properties type in the following: preferred_username=mail
Click on OIDC tab and configure the following
Client Session URI: this is provided by Keyless
Post Logout Redirect URI: this is provided by Keyless
Backchannel Logout URI: this is provided by Keyless
Post Logout Redirect URI: this is configured based on our realm name e.g. https://<<forgerock-tenant>>/enduser/?realm=<<realm-name>>#/dashboard
Click Save and that completes OIDC client configuration
Assuming we have completed the configuration steps above to configure the Keyless OIDC SP/RP for enrolment, we should now be able to enrol for Keyless authentication.
From a browser navigate to Keyless enrolment URL provided by Keyless
Authenticate using your credentials for Forgerock Identity Cloud
Browser will get redirected to Keyless enrolment page
Download Keyless authenticator app on your mobile device from AppStore or Google play
Scan the QR code displayed on the Keyless enrolment page with your mobile device to complete Keyless enrolment
From a browser navigate to an application secured via the ForgeRock Identity Cloud SSO solution, e.g. the ForgeRock Identity Cloud end user dashboard:
https://<<my-forgerock-tenant>>/am/XUI/?realm=/<<my-realm-name>>&authIndexType=service&authIndexValue=<<my-Auth-Tree-Name>>#/
Click on Continue with Keyless button
Provide your email enrolled with Keyless already
You'll receive a notification on your mobile device to complete biometric authentication using Keyless
Please follow these steps to remove the double authentication problem of the Palo Alto Networks VPN client. These steps require a change in the Portal and in the Gateway configuration.
From the Palo Alto Web Management Site, go to Network → GlobalProtect → Portals and select the GlobalProtect Portal Configuration item associated with the endpoint that needs to be modified (e.g., pa-vpn-02).
Click on the name of the GlobalProtect item that you want to configure. The following screen will appear:
Go to the “Agent” section on the menu on the left. From the “Agents” table, click on the item you would like to configure (e.g., pa-vpn-client-02).
The following screen will appear:
From the “Authentication” tab, configure the “Authentication Override” section as follows:
Check the checkboxes next to the following items:
Generate cookie for authentication override
Accept cookie for authentication override
Set the attributes to following values as described:
Cookie Lifetime: “Hours” and “24”
Certificate to Encrypt: Select the certificate associated with the Palo Alto Networks Server (e.g., pa-vpn-server-02).
Click “OK” to save the settings.
Certificate example: The following screen shows a sample certificate for the Pa-vpn-server-02 location:
Sample Pa-vpn-server-02 certificate details:
Go to Network → GlobalProtect → Gateways. Select the GlobalProtect Gateway Configuration item associated to the endpoint that you would like to configure (e.g., pa-vpn-gateway-02), and click on it:
The following screen will appear:
Go to the “Agent” section on the menu on the left. From the “Client Settings” tab, click on the item you would like to configure (e.g., pa-vpn-client-02). Then, select the “Authentication Override” tab:
From the “Authentication Override” tab, configure the following options:
Check the boxes next to the following items:
Generate cookie for authentication override
Accept cookie for authentication override
Set the attributes to the following values as described:
Cookie Lifetime: “Hours” and “24”
Certificate to Encrypt: Select the certificate associated with the Palo Alto Networks Server (e.g., pa-vpn-server-02)
Click “OK” to save the settings.
Back on the GlobalProtect Gateway Configuration screen, click on the “OK” button.
Commit all changes using the Palo Alto Networks management portal.
The following guide takes you through the process of enabling passwordless biometric authentication on PingOne SSO to provide an enhanced passwordless authentication experience to applications.
Following is a short video demonstrating the Keyless authentication experience on the PingOne End User Portal.
In our next short video we'll go over the process of enrolling a PingOne user with Keyless.
Our final short clip demonstrates the initial login with Keyless to PingOne, where a linked account is created on PingOne. This is a one-time step: once the accounts are linked, the authentication process works as shown in our very first clip.
Logon to PingOne Admin console for your environment.
Create an External Identity Provider
Select the Custom option to create an OpenID Connect IdP
Fill in IdP profile details
Provide OIDC Connection details
Client ID: Provided by Keyless Account team
Client Secret:
OIDC Discover Document URI: Provided by
Click on the Use Discovery Document link to populate the OIDC endpoints
Fill in OIDC scopes: openid profile email
Make a note of the callback URL generated by PingOne: This will be required by Keyless Account team
Provide OIDC attribute mapping between PingOne & Keyless IdP
Note that the Keyless IdP returns the username in the preferred_username attribute of the incoming claim
Enable the External IdP just created
Summary of Configuration on Keyless IdP
Update Authentication Policy to include Keyless External IdP
Under Experiences -> Authentication Policies -> Single Factor, add the Keyless External IdP as an IdP to be presented on login
This completes configuration of Keyless as External Identity Provider
For enrolment with keyless we'll need to create a new Application on PingOne for Keyless OIDC Service provider.
Create an OIDC application of type Web App
Select OIDC and click on Configure link/button to continue to OIDC configuration
Provide a name, optionally a description and an icon that can be uploaded
Enter OIDC redirect URL provided by Keyless
Configure OIDC scopes: openid, profile & email
Configure Attribute mapping: preferred_username is the outbound attribute that would be populated with users email address as below:
On completion OIDC application configuration would look like the following, relevant items highlighted below can be edited and saved here
This completes the OIDC Service Provider/ Keyless Enrolment end of configuration.
From a web browser navigate to the enrolment URL provided by the Keyless account team. The browser will follow a redirect and take you to the PingOne logon page, where you'll need to authenticate with PingOne credentials:
On successful authentication the browser gets redirected to the Keyless enrolment site, where you can enrol your mobile device by scanning the QR code displayed on screen
From a web browser navigate to an application secured using the PingOne SSO solution, e.g. the PingOne Application Portal URL: https://apps.pingone.com/<<your-tenant-id>>/myapps/
The Authenticate with Keyless option on the logon screen will initiate passwordless authentication with Keyless
Your enrolled mobile device will receive a notification to perform a biometric authentication
On initial logon with Keyless PingOne performs account linking and you may have to enter your password
This document will describe the required steps to integrate a Fortinet FortiGate Firewall with Keyless Radius Server.
FortiClient is a VPN solution from Fortinet and can be integrated with Keyless to provide a passwordless login experience. In this guide, we will show how this can be accomplished using the Keyless RADIUS Appliance.
At least one account has been configured with the Keyless Authenticator so that it could be used to test authentication on the Keyless Radius server.
FortiGate is already up and running and its initial setup is out-of-scope of this guide.
This document is based on the below network configuration (i.e. network setup, routes, etc.). Different steps may be required if your setup is different.
This walkthrough uses FortiGate version 6.4. Steps may vary between client versions.
From the FortiGate Management Portal go to "User & Authentication" --> "RADIUS Servers" and click "Create New".
Set a meaningful name in the "Name" field for the Keyless Radius Server (i.e. "Keyless_Radius").
Leave Authentication method set to Default. Note: The PAP, MS-CHAPv2, and CHAP methods will be tried in order. The Keyless RADIUS connector uses PAP.
Under Primary Server, set "IP/Name" to the IP and "Secret" to the shared secret configured on the RADIUS server that was provided to you.
Example:
To confirm that FortiGate can successfully establish a connection with Keyless Radius Server click on the Test Connectivity button. If everything is fine, the below message will be shown:
Click "OK".
At this point, the Radius Server Authentication will not yet work because the remote authentication has been modified.
To configure the user group:
Go to "User & Authentication" --> "User Groups" and click "Create New".
In the "Name" field, enter a group name (i.e. KLS_VPN_Group )
In the "Remote Groups" area, click "Add", and from the Remote Server dropdown, select the Radius Server previously created (i.e. KLS_Radius )
Click OK, and then click OK again.
To configure the SSL VPN settings:
Go to "VPN" --> "SSL-VPN Settings".
From the "Listen on Interface(s)" dropdown select the port associated to the Fortigate Public IP (i.e port1).
In the Listen on Port field enter 10443.
Optionally, from the Server Certificate dropdown, select the authentication certificate if you have one for this SSL VPN portal.
Under Authentication/Portal Mapping, set the default portal web-access.
Select "All Other Users/Groups" and click "Edit".
From the Portal dropdown, select "web-access".
Click "OK".
Create a web portal for KLS_VPN_Group
Under "Authentication/Portal Mapping", click Create "New".
Click "Users/Groups" and select the KLS_VPN_Group.
From the Portal dropdown, select "full-access".
Click "OK".
To configure SSL VPN firewall policy go to "Policy & Objects" --> "Firewall Policy" > "IPv4 Policy".
Click "Create New" to create a new policy, or double-click an existing policy to edit it and configure the settings below:
Configure any remaining firewall and security options as desired and click "OK".
Example:
Open the Fortigate CLI and execute the following commands:
Go to "User & Authentication" --> "RADIUS Servers"
Select the Radius Server item and click on the Edit button
Click on "Test User Credentials"
Provide your account username
Provide a random fake password (Fortigate client requires a non-empty password)
The Keyless Authenticator app will be invoked during authentication process.
Click on the Test button
Check the Keyless authenticator app on your phone to authenticate.
Once authenticated, the below message will be shown:
This document will describe the required steps to integrate a Check Point VPN with the Keyless Radius Server.
Check Point Secure Remote Access is a VPN solution from Check Point that can be integrated with Keyless to provide a secure login experience. In this guide, we will show how this can be accomplished using the Keyless RADIUS Appliance.
At least one account has been configured with the Keyless Authenticator so that it could be used to test authentication on the Keyless Radius server.
Check Point Server is already up and running - its initial setup is out-of-scope of this guide.
The Check Point Mobile Access role has been configured and a VPN connection with a standard username and password is up and running.
An Internal network (i.e. CP_Default_Office ) where VPN clients will direct has been created.
This document is based on the below network configuration (i.e. network setup, routes, etc). Steps may vary according to your network configuration and architecture.
This walkthrough uses Check Point stand-alone version R80.40, where both the management and gateway server roles are installed. Steps may vary between Check Point server and client versions.
Open Check Point SmartConsole, select the Gateway that will use the Keyless RADIUS server and click on "Edit".
1. In the SmartConsole, create a RADIUS Host object by selecting "New" > "Host".
2. Name the Host object with a meaningful name (i.e. Keyless RADIUS Connector ) and assign its Public IP address.
3. Create a RADIUS Server object by selecting "New" > "More" > "Server" > "More" > "RADIUS".
Configure the following values:
Name the RADIUS Server object (i.e. Keyless RADIUS).
Associate the RADIUS Server object with the RADIUS Host object created in the previous step (i.e. Keyless RADIUS Connector).
Select "NEW-RADIUS" on port 1812
The Keyless RADIUS Connector listens on port 1812
Select RADIUS Ver. 2.0
Select PAP as Protocol
Select 1 as Priority (it is assumed that this is the only RADIUS Server)
Click "OK".
Now, go to "VPN Clients" > "Office Mode" and configure the following values:
Select "Allow Office Mode" to all users.
Office Mode Method
Select "From ipassignment conf located in $FWDIR/conf - always tried first"
Using one of the following methods
Select "Manual (using IP pool)"
Select an internal network that has been previously configured
Click on the "OK" button.
Now go to "Mobile Access" > "Authentication" in the Check Point SmartConsole.
Click on the "Settings" button and configure as follows:
Check "Allow newer clients that supports Multiple Login Options to use this authentication method".
Display Name: RADIUS
Authentication method: RADIUS
Server: Select the RADIUS Server previously created (i.e. Keyless RADIUS)
Click on the "OK" button.
Now go to "Mobile Access" > "Office Mode" and configure the following values:
Select "Allow Office Mode" to all users
Office Mode Method
Select "From ipassignment conf located in $FWDIR/conf - always tried first"
Using one of the following methods
Select "Manual (using IP pool)"
Select an internal network that has been previously configured
Click on the "OK" button.
In the SmartConsole, go to the "Manage & Settings" tab.
Click "Blades".
Click "Mobile Access" > "Configure in SmartDashboard"
From the Network object tree, click the Users icon.
Right-click "External User Profiles" and select "New External User Profile" > "Match all users...".
Configure this profile as follows:
External Username Profile: generic* (should be the default option)
Authentication Scheme: RADIUS
Select a RADIUS Server or a Group Of Servers: Select the RADIUS Server object previously created (e.g. Keyless RADIUS)
Click "OK" and close the SmartDashboard.
Install the policy in the SmartConsole portal.
Start the installation wizard and select the "Endpoint Security VPN" option when asked:
On the bottom right corner of the Windows taskbar, click on the Check Point VPN Client icon and then click on "Connect to...".
Select "Yes" if you are prompted with the following message.
Click "Next".
Server address or Name: Provide the Check Point Server public IP (e.g. 88.99.77.89)
Display Name: Check Point VPN name (e.g. Keyless VPN)
Click "Next".
Once the VPN client has discovered the Check Point VPN Server, select RADIUS (default) as the login option and click "Next".
Select "Username and Password" and click "Next".
Click on the "Finish" button.
On the bottom right corner of the Windows taskbar, click on the Check Point VPN Client icon and then click on "Connect to...".
Username: provide the username that you used during the enrollment process with Keyless Authenticator
Password: provide a random placeholder password (the Check Point client requires a non-empty password)
Click "Connect".
You will receive a notification on Keyless Authenticator. Once you have authenticated, the VPN client will be connected.
Assign the same Shared Secret that you configured on the Keyless RADIUS Connector deployment.
The Check Point VPN client can be downloaded from .

Parameter | Description | Example |
---|---|---|
Name | Select a name from the Social IdP configuration | Keyless |
Auth ID Key | OIDC claim that identifies the user | sub |
Client ID | OIDC Client ID: provided by Keyless | - |
Client Secret | OIDC Client Secret: provided by Keyless | - |
Well Known Endpoint | OIDC discovery URL: provided by Keyless | https://<my-keyless-tenant-fqdn>/.well-known/openid-configuration |
Issuer | OIDC Issuer URL: provided by Keyless | https://<my-keyless-tenant-fqdn> |
Client Authentication Method | Authentication method for the OIDC client | CLIENT_SECRET_POST |
PKCE Method | OIDC PKCE configuration | S256 |
Response Mode | OIDC response mode | form_post |
OAuth Scopes | OIDC/OAuth scope parameter | openid profile email |
Scope Delimiter | Scope delimiter | <<single-space-character>> |
OIDC Endpoints | Authorization, token, userinfo and JWKS endpoints: all provided by Keyless, and also retrievable from the OIDC discovery URL above | https://<my-keyless-tenant>/connect/authorize |
Redirect URL | OIDC redirect from the Keyless IdP on completion of authentication. This depends on your realm and on the name of the Social IdP chosen at the top of this table | https://<<my-forgerock-tennant>>/am/oauth2/realms/root/realms/<<my-realm-name>>/client/formpost/<<Social-IDP-Name>> |
UI Config Properties | Add a property: buttonDisplayName | Keyless |
UI Config Properties | Add a property: buttonImage (the URL for the value is provided by Keyless) | https://<my-keyless-tenant>/static.keyless.svg |
Transform Script | Script to transform/normalize the incoming claims from the Keyless IdP. Keyless will provide a sample script to do just that; for initial configuration you can choose an existing script from the dropdown list of canned scripts. | |
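The table above pins several OIDC settings (exact Issuer, discovery URL, PKCE S256, response_mode form_post, space-delimited scopes) that silently break login when they disagree with what the provider actually advertises. The following is an added example, not ForgeRock or Keyless code: it compares a discovery document against those settings, derives a PKCE S256 challenge, and builds the authorization request. The tenant name, client id, redirect URL and the sample discovery document are constructed placeholders.

```python
"""Pre-flight consistency check for an OIDC relying-party configuration.

Constructed example: ISSUER, the client id and the redirect URL are placeholders,
and SAMPLE_DISCOVERY stands in for what the provider's well-known URL would serve.
"""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

WELL_KNOWN = "/.well-known/openid-configuration"
ISSUER = "https://my-keyless-tenant.example"  # placeholder tenant FQDN

# Relying-party settings mirroring the table rows above.
RP_CONFIG = {
    "issuer": ISSUER,
    "well_known": ISSUER + WELL_KNOWN,
    "authorization_endpoint": ISSUER + "/connect/authorize",
    "token_endpoint": ISSUER + "/connect/token",
    "userinfo_endpoint": ISSUER + "/connect/userinfo",
    "client_auth_method": "client_secret_post",
    "pkce_method": "S256",
    "response_mode": "form_post",
    "scopes": "openid profile email",  # single-space delimiter
}

# Constructed provider metadata used by the offline self-test.
SAMPLE_DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/connect/authorize",
    "token_endpoint": ISSUER + "/connect/token",
    "userinfo_endpoint": ISSUER + "/connect/userinfo",
    "jwks_uri": ISSUER + "/.well-known/jwks",
    "scopes_supported": ["openid", "profile", "email"],
    "response_modes_supported": ["query", "fragment", "form_post"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}


def fetch_discovery(well_known_url: str, timeout: float = 10.0) -> dict:
    """Download the provider metadata (network; the self-test uses SAMPLE_DISCOVERY)."""
    with urllib.request.urlopen(well_known_url, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(doc: dict, cfg: dict) -> list:
    """Every way the metadata disagrees with the RP settings; [] means consistent."""
    problems = []
    if doc.get("issuer") != cfg["issuer"]:  # exact match; a trailing slash is a mismatch
        problems.append(f"issuer mismatch: discovery says {doc.get('issuer')!r}")
    if cfg["well_known"] != cfg["issuer"].rstrip("/") + WELL_KNOWN:
        problems.append("well-known URL is not derived from the configured issuer")
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        if doc.get(key) != cfg[key]:
            problems.append(f"{key} mismatch: discovery says {doc.get(key)!r}")
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    # Fallback lists are the defaults OpenID Connect Discovery assigns when absent.
    if cfg["pkce_method"] not in doc.get("code_challenge_methods_supported", []):
        problems.append(f"provider does not advertise PKCE method {cfg['pkce_method']}")
    if cfg["response_mode"] not in doc.get("response_modes_supported", ["query", "fragment"]):
        problems.append(f"provider does not advertise response_mode {cfg['response_mode']}")
    auth_methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if cfg["client_auth_method"] not in auth_methods:
        problems.append(f"provider does not advertise {cfg['client_auth_method']}")
    wanted = set(cfg["scopes"].split(" "))
    missing = wanted - set(doc.get("scopes_supported", wanted))
    if missing:
        problems.append(f"scopes not supported: {sorted(missing)}")
    return problems


def make_pkce(verifier: str = None) -> tuple:
    """RFC 7636: verifier of 43..128 unreserved chars; challenge = BASE64URL(SHA256(verifier))."""
    if verifier is None:
        verifier = secrets.token_urlsafe(64)[:128]
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize_params(cfg: dict, client_id: str, redirect_uri: str, challenge: str,
                     state: str, nonce: str) -> dict:
    """Query parameters of the authorization request (code flow, PKCE, form_post)."""
    return {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
            "scope": cfg["scopes"], "response_mode": cfg["response_mode"],
            "code_challenge": challenge, "code_challenge_method": cfg["pkce_method"],
            "state": state, "nonce": nonce}


def build_authorize_url(cfg: dict, params: dict) -> str:
    return cfg["authorization_endpoint"] + "?" + urllib.parse.urlencode(params)


if __name__ == "__main__":
    print("discovery problems:", check_discovery(SAMPLE_DISCOVERY, RP_CONFIG))
    _verifier, challenge = make_pkce()  # keep the verifier for the token request
    params = authorize_params(RP_CONFIG, "client-id-placeholder", "https://rp.example/callback",
                              challenge, secrets.token_urlsafe(16), secrets.token_urlsafe(16))
    print(build_authorize_url(RP_CONFIG, params))
```

Replace SAMPLE_DISCOVERY with fetch_discovery(RP_CONFIG["well_known"]) to run the check against a live tenant.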
Field Name | Value |
Name | Enter the firewall policy name. |
Incoming Interface | Select SSL-VPN tunnel interface (ssl.root). |
Outgoing interface | Set to the local network interface so that the remote user can access the internal network. For this example, select port2. |
Source | In the Address tab select SSLVPN_TUNNEL_ADDR1. In the User tab, select KLS_VPN_Group. |
Destination | Select the internal private subnet 10.0.1.0/24. |
Schedule | Select always. |
Service | Select All. |
Action | Select Accept. |
NAT | Set to Enable. |
Getting up and running with the Keyless RADIUS appliance on Docker
For use with VPNs and other network access systems, Keyless provides a Docker container that authenticates via the RADIUS protocol. The Keyless RADIUS connector is provided in the form of a Docker image, delivered as a package that builds the image locally through a Dockerfile.
The Docker image and all the required configuration parameters are provided to you during your onboarding. If you do not have one or more of these items, please reach out to support@keyless.io.
The RADIUS connector acts as a RADIUS server towards the VPN and needs to be reachable via UDP on ports 1812-1813 from the VPN servers.
Additionally, the RADIUS server needs to be able to reach TCP port 443 of our backend server. The URL of our backend servers was provided to you during your onboarding. If you do not have the URL, please reach out to support@keyless.io.
Last, the RADIUS server needs to be able to resolve DNS names. Typically, this functionality is provided by the Docker host environment.
If required, the IP of our backend server was also provided during your onboarding process.
As mentioned, a username and a password are required to download the connector. Both the clients.conf configuration file and the startup script are provided in the keyless-radius.zip file supplied during your onboarding.
Create a .env file containing the parameters provided to you by Keyless.
Configure the IP address and shared secret of every VPN server in clients.conf.
Build and run the image using the provided script.
If you encounter issues, try debug mode and check the logs of the connector. You can also stop and delete the connector with the command below.
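Both the VPN steps above (PAP, UDP port 1812, shared secret) and the connector deployment notes come down to one question a practitioner wants answered before touching the VPN: is the connector reachable and is the shared secret the same on both sides? The following is an added example, not Keyless or Check Point code: a minimal RFC 2865 PAP client that sends an Access-Request and verifies the Response Authenticator with the secret. The host, secret and username are placeholders, and build_response exists only so the verification can be self-tested offline.

```python
"""RADIUS (RFC 2865) PAP reachability and shared-secret check for the connector.

Constructed example: host, secret and usernames are placeholders. A real reply
can take as long as the user needs to approve the Keyless push, so the socket
timeout is generous.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt: what the connector does with the secret from clients.conf."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes, ident: int,
                         authenticator: bytes, nas_id: bytes = b"radius-check") -> bytes:
    """Packet layout: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a server sends back; used here only to self-test verify_response offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(resp: bytes, request_auth: bytes, secret: bytes, ident: int) -> int:
    """Return the reply code after checking RFC 2865 section 3:
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A wrong shared secret on either side, or a spoofed reply, fails this check."""
    if len(resp) < 20:
        raise ValueError("response shorter than the 20-byte RADIUS header")
    code, rid, length = struct.unpack("!BBH", resp[:4])
    if rid != ident or not 20 <= length <= len(resp):
        raise ValueError("identifier/length mismatch")
    resp = resp[:length]  # octets beyond Length are padding and are ignored
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    if expected != resp[4:20]:
        raise ValueError("bad Response Authenticator: wrong shared secret or spoofed reply")
    return code


def check_connector(host: str, secret: bytes, username: str, password: str,
                    port: int = 1812, timeout: float = 90.0) -> str:
    """Send one Access-Request to the connector and name the verified reply code."""
    ident, auth = os.urandom(1)[0], os.urandom(16)
    req = build_access_request(username, password, secret, ident, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, port))
        data, _ = sock.recvfrom(4096)
    return CODE_NAMES.get(verify_response(data, auth, secret, ident), "unknown code")


if __name__ == "__main__":
    # Placeholders: the connector address and the secret from its clients.conf.
    # The password is a non-empty placeholder, as in the VPN client steps above;
    # the factor that matters is the push to the user's Keyless Authenticator.
    print(check_connector("192.0.2.10", b"replace-with-shared-secret",
                          "alice@example.com", "placeholder"))
```

A timeout means UDP/1812 is not reachable from this host; a "bad Response Authenticator" error means the secret differs between this client and clients.conf.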
A few things you should know before starting the deployment.
Keyless Workforce Access for Windows installer.
Service Host URL.
Tenant Name.
API key.
.NET 4.8+
Windows 10 Editions: Home, Pro, Enterprise.
Windows 64-bit 7*, 10 (1709+)
If you think that you are missing one or more of these prerequisites, please reach out directly to support@keyless.io.
Use Keyless Workforce Access to login to your Windows 7, 10 workstations securely!
Keyless Workforce Access allows you to eliminate passwords from your Windows 7 and 10 employee login experience and improve security with just a look.
Deploy it in less than an hour on any Windows workstation.
How to upgrade Keyless Workforce Access to a newer version.
Administrator privileges are required to update the application.
To upgrade from an older version of Keyless Workforce Access to the latest without removing the current configurations, use the following command:
This page explains how to configure Offline Access Mode for the user.
Offline Access Mode enables a user to perform a workstation login when there is no internet connection either on the workstation or the user's mobile device. There are no additional steps needed in order to configure Offline Access Mode for users, but it is important that the IT teams understand how to operate the offline functionality.
All users with an enrolled authenticator device can enable and disable Offline Access Mode without escalated privileges.
Enabling and disabling Offline Access Mode is done via the Keyless tray application accessible on the tray bar:
By default, Offline Access Mode is disabled for all users on a given workstation. To enable Offline Access Mode, the user should click on the Keyless tray icon and select "Enable Offline Access".
To ensure maximum security, once enabled Offline Access Mode will only be available for 7 days and 10 login attempts. Once either of these criteria are met Offline Access Mode will be automatically disabled and users will need to re-enable Offline Access Mode or use the standard "online" login.
Each successful "online login" will reset the counter back to 7 days.
If, for example, a given user enabled Offline Access Mode 6 days ago and is now logging in via the standard "online" mode, the counter will reset back to 7 days upon successful login.
If you wish to change the default values of 7 days and 10 login attempts, please reach out to Keyless customer support.
A given user can view the current status of his Offline Access Mode by clicking on the "Show Status" option form the Keyless tray app:
Offline Status: Enabled or Disabled
Offline Sessions Remaining: the number of offline logins left for the given user on the given workstation.
Offline Time Remaining: the amount of time left for the given user on the given workstation for offline access. Resets on a successful "online" login.
How to configure Keyless Workforce Access after installation.
Keyless Workforce Access can be configured at install time via the command line, or manually afterwards via the Keyless Login Manager.
Administrator privileges are required to configure Keyless Workforce Access.
Keyless Login Manager is installed as part of the product installation flow and can be accessed with administrator privileges by searching for "Keyless Login Manager" application in Windows.
By default Keyless Login Manager is installed in the C:\Program Files\Keyless Technologies\Bin\ directory.
After MSI installation, unless you supplied command line configuration parameters, the following configuration is applied:
Activate Keyless authentication: (Disabled by default) To enable Keyless Workforce Access, make sure this option is checked. If at any time you wish to disable Keyless Workforce Access on this workstation, simply uncheck this option. Note that activation has no effect unless the following three fields are defined.
Service Host: (Undefined by default) The URL to the service host, provided to you by Keyless.
Tenant Name: (Undefined by default) Your organization's tenant name, provided to you by Keyless.
API Key: (Undefined by default) This is specific to your Keyless tenancy and will be provided to you by Keyless.
Log File: the location in which you would like to save the logs produced by Keyless Workforce Access. By default this option will save logs to a sub-folder of the installation path.
Log Level: (Default 4) The level of log detail that will be saved (1-least detailed, 5-most detailed).
Enable Passwordless Login: (Enabled by default) Check this option to allow Windows authentication via Keyless only (no password input required) on this workstation. If the option is not checked, Windows authentication will require the user's password, with Keyless as an additional factor.
Click "Apply" to save your changes.
The Group Assignment tab allows optional assignment of specific groups to Keyless authentication.
By default all local users and all Active Directory users who are not administrators are assigned to Keyless authentication.
Keyless Workforce Access is applied to all users except for Administrators by default.
To include admins for Keyless authentication, uncheck the "Exclude Admins from Keyless Authentication" checkbox. Note: excluding administrators is highly recommended as part of the initial deployment.
To apply Keyless Workforce Access only on specific Active Directory groups on this workstation, select "Assign Keyless authentication on following group(s)" option in the dropdown under "Keyless Policy".
Next, click the "+" or "-" buttons on the right to add or remove Active Directory or local groups:
Use the dropdown labeled "From this location" to select between Active Directory and local groups.
Click the "Show All" button to display a list of all groups. From here the groups required can be selected.
Click "OK" to complete the group selection.
The Keyless Login Manager will display the groups that Keyless Workforce Access will be enabled on.
After you've configured Keyless Workforce Access and defined the set of users that will require Keyless authentication on this machine, you can test Keyless for specific users from the Test Authentication tab.
To validate your configuration, enter the User Principal Name of a user who has previously enrolled a trusted device for Keyless authentication and click "Test".
This should trigger an authentication request on the trusted device. Presenting the user's face and completing authentication will result in the message shown above.
Failure to authenticate will time out the test after 60 seconds.
Make sure that the user you are testing with has already enrolled with Keyless. The test will send a push notification to the user's Keyless app on their mobile device.
How to install Keyless Workforce Access.
Keyless Workforce Access can be installed either manually via the MSI installation package wizard or silently via the command line interface.
Administrator privileges are required to install Keyless Workforce Access.
Rather than performing a silent install, you can use the MSI installation package provided by Keyless in UI mode. Double click the .msi installer provided to you and you will see the following Wizard:
1. Click "Next".
2. Select Installation Folder (the directory in which Keyless Workforce Access will be installed).
3. Click "Next".
4. Wait for installation to complete and click "Close".
Keyless Workforce Access can be installed silently from the command line using msiexec.
The following command line will install the product with default configuration (inactive).
It is also possible to install and configure Keyless Workforce Access at the same time by including the following parameters on the command line:
** Activation will only happen if the three required parameters are properly configured (URL, TENANT, API).
The example below supplies the three required parameters and then enables Keyless Workforce Access immediately.
How to remove the application.
Removal deletes all of the registry keys and installation artifacts from the target workstation. This action can be performed silently, with the MSI wizard, or with the Windows Control Panel.
Administrator privileges are required to remove the application.
Navigate to "Add or remove programs".
From the list of installed applications, search for and select "Keyless Workforce Access", then select "Uninstall".
The uninstallation wizard starts. Select "Yes" to continue with the uninstallation. Windows will show an administrative prompt to complete it.
Restart your workstation to complete the uninstallation.
Click to open the Keyless Workforce MSI file on your workstation.
Click "Next"
Select "Remove" Radio Button
Click "OK".
A silent uninstall can be executed using msiexec from the command line:
Parameter | Description | Values | Default |
---|---|---|---|
URL | Service Host URL for Keyless authentication | Value supplied by Keyless | "Undefined" |
TENANT | Unique Tenant Name for your company | Value supplied by Keyless | "Undefined" |
API | Unique API Key for your company | Value supplied by Keyless | "Undefined" |
LOCAL_GROUPS | Comma-separated list of local user groups for which Keyless Workforce Access will be active | Example: "desktop_W53\Users" | "*" |
AD_GROUPS | Comma-separated list of AD user groups for which Keyless Workforce Access will be active | Example: "keyless-lab\HR_ users" | "*" |
ACTIVATE | Enable Keyless Workforce Access if possible** | "1" \| "0" | "0" |
Admin Portal is a tool that helps you monitor user activities on your system, such as enrolment and authentication, and lets you de-enrol users manually.
It contains a lot of aggregated statistical data that can help you analyse how your system is being accessed.
Currently, you will have to request credentials from the Keyless team. The same applies if you forget your credentials.
Once logged in, you will see several tabs on the top bar available to you:
Overview - Displays system health status and provides various statistical data
System Log - Displays logs for all user actions, separated by action type
Users - Displays all relevant information about your end users
On the far right, there is a "Logout" button which logs you out of the portal when clicked.
Aside from that, on the bottom bar you will find:
Privacy - Link to Keyless Privacy Policy section
Support - Link to the Keyless Support Center, which contains all relevant integration and end-user guides and Live Support
Feedback - Link to provide product feedback to us. We are always eager to hear what we could do to improve your experience!
Use Keyless to protect VDI access to virtual desktops.
Use Keyless to protect RDP access to Windows workstations.
You can use a direct RDP connection to remotely access a Windows computer or the server and authenticate with your mobile app.
How to configure Keyless authentication for VMware UAG with RADIUS.
Prerequisites
Install and configure the Keyless RADIUS extension.
Make sure you have the Shared Secret that was configured for the RADIUS extension.
Under the "Authentication Settings" menu in the VMware UAG client, click on the gear icon next to "RADIUS" :
Make sure that RADIUS is enabled:
Configure the RADIUS parameters as shown below:
Example Configuration:
Field | Value |
---|---|
Authentication Type | PAP |
Shared Secret | Provide the Shared Secret value that has been set in the Keyless RADIUS Connector. |
RADIUS Server Host name | The configured RADIUS Connector server IP address. |
Realm Prefix | Your domain prefix (e.g. contoso) |
Realm suffix | Your domain suffix (e.g. contoso.local) |
Name Id Suffix | Your domain suffix (e.g. contoso.local) [this one is sent to Horizon] |
Login page passphrase hint | "Please check your Keyless app on your phone." |
How to configure Keyless authentication for RDP access.
Keyless authentication will be used for RDP sessions into all workstations that have the Keyless Workforce Access client installed. Please see the "Windows Login" page for installation details.
Keyless authentication will be used only for users that are not excluded from Keyless for the specific workstation.
Using the Remote Desktop Protocol application on your workstation or via the command line, initiate an RDP session for a Keyless-enabled user to a Keyless-enabled workstation:
Once connected, you will be prompted with a message to authenticate on your mobile device.
Authenticate on your device:
Access the workstation:
This page displays all logs for all user operations at a glance.
It consists of three sections:
Time and date filter: Changing the timeframe in this filter will impact the log data shown below in the widgets and table sections. As you change the values in the "From" and "To" fields, the data shown in the widgets and the table will reflect your new chosen timeframe.
On the right hand side, there is a "Reset" button. Clicking this button will reset the time and date values to their initial ones.
Widgets
Percentage of successful authentications: Shows all of the authentication attempts for the selected time period, split into successful and failed authentication attempts
Percentage of successful enrolments: Shows all of the enrolment attempts for the selected time period, split into successful and failed enrolment attempts
Top 5 reasons for authentication failures: Shows the error codes of the most frequent authentication errors among all failed authentication attempts for the selected time period
Table with granular system information separated in tabs per type
Authentications
Enrollments
De-enrollments
Under the widget section, on the right hand side there is a button to “Download CSV” with all of the table data in the selected timeframe, displayed in CSV format.
When you visit the portal page https://admin.keyless.io, you will land on the login page. Here you should input your username and password combination, then click "Submit" to login.
If the username/password combination is not correct, you will not be able to login. In case you forget your credentials, please reach out to Keyless Customer Support.
Upon logging in to the portal, you will land on the Overview page. On the top of the page, you will see various information about your biometric authentication system:
System status: Shows overall system health and flags issues in the Keyless internal system
Updated at: When the data on the page was last updated
Several widgets are available for you to analyse how your biometric authentication system is being used:
Total Users Seen All-time: Shows the number of users who have been enrolled into your system since you started using Keyless
Authentications All-time: Shows the number of authentications within your system since you started using Keyless
Authentications in last 7 days: Shows the total number of authentications in the last 7 days
Authentications in last 7 days, per day: Shows the number of authentications in the last 7 days for each day, with a trend line
Percentage of successful authentications in the last 7 days: Shows all of the authentication attempts in the last 7 days, split into successful and failed authentication attempts
Top 5 users by number of authentications: Shows the 5 users with the most authentications in your system in the last 7 days
Enrolments in the last 7 days, per day: Shows the number of enrolments in the last 7 days for each day, with a trend line
Device distribution: Shows the number of users in your system per OS used
This page shows you the overview of all the users who have been enrolled in your system.
It consists of three sections:
Search bar
You can use the search bar to find a specific user by typing in their username. Clicking "Search" will take you to individual user page of that specific user.
Widgets
Top 5 users with most authentications in the last 7 days: Identifies the users who have been most active (largest number of authentication attempts recorded) in the last 7 days
Enrolments in the last 7 days: Shows the number of user enrolments in the last 7 days for each day, with a trend line
Top 5 devices with most users: Identifies the devices with the highest number of users authenticating over a single device
Users Table
Here you will see the username, time of the authentication and authentication outcome. On the right hand side, there is a button to “Download CSV” with all of the data in the CSV format.
When you search for a specific user, you will land on that user's individual page. This page provides all of the relevant information per user selected.
On the top of the page there is a search bar which enables you to search for another user.
Below the search bar on the right hand side, there is a button to "Unlink Device". Clicking this button will de-enroll this user, after confirming the action in the pop-up.
Below this section there is a time and date filter as well as a log table with granular information separated by type. This is similar data to what you can find on the System Log page, although here the data is filtered for the specific user.
Time and date filter: Changing the timeframe in this filter will impact the log data shown below in the table section. As you change the values in the "From" and "To" fields, the data shown below will reflect your new chosen timeframe.
Table with granular system information separated in tabs per type
Authentications
Enrollments
De-enrollments
Enable Keyless passwordless biometric authentication to Salesforce.
Keyless passwordless biometric authentication can address any MFA requirement to authenticate to Salesforce Portal.
This guide provides a step-by-step introduction to configuring the Salesforce Portal to authenticate using Keyless passwordless biometric authentication. In this guide Keyless will be set up as an authentication provider to Salesforce at a high assurance level to address any MFA requirements. We will also configure Keyless enrolment features so that Salesforce users can register/enrol for Keyless authentication.
Following is a short video to showcase Keyless authentication experience to Salesforce.
In order to enable your users to authenticate into Salesforce portal/dashboard via Keyless you’ll need to configure Keyless as an authentication provider in Salesforce.
As part of the onboarding process you’ll receive the following pieces of information from Keyless to complete an authentication provider configuration in Salesforce:
All configuration steps outlined below need to be performed on Salesforce portal with administrative privileges.
Create an OIDC Auth Provider
Identity → Auth Providers → New
Select Open Id Connect as provider type
Populate the configuration parameters from the information provided by the Keyless team to complete the Auth Provider configuration as shown below
Make a note of the URLs under the Salesforce Configuration section
Callback URL: Needs to be provided to the Keyless team to complete the authentication provider configuration on the Keyless end
Existing User Linking URL: Use this URL to link existing Salesforce users to their respective Keyless account
Following is a sample Registration handler code
Update Domain Configuration to Enable Keyless Authentication Option on Logon Page
Company Settings → My Domain
Edit Authentication Configuration
Enable Keyless
Configure Keyless as High Assurance authentication mechanism
Keyless authentication is now enabled
To enable enrolment of Salesforce users with Keyless we’ll need to configure Salesforce as an OIDC Identity Provider and Keyless as OIDC Relying Party/ Service Provider. Parameters required to create the client/connected application on Salesforce are provided in your Keyless onboarding package. Once the application is configured you’ll need to send some configuration information back to Keyless to complete the configuration on Keyless end.
Following are the pieces of information from Keyless required to configure Salesforce Connected Application:
We will configure SFDC as an OIDC IdP and Keyless as an OIDC RP
On Salesforce go to Settings → Identity → Identity Provider and enable Identity Provider and save
Make a note of the Issuer URL: Issuer URL needs to be sent to Keyless to configure Keyless enrolment server.
Click on Service Provider link at the bottom to create a Connected App/ Service Provider
Check Enable OAuth Settings to configure OAuth/OIDC parameters
Enter the callback URLs of Keyless Enrolment Server (these are Login/Redirect URL, Post Logout Redirect URL & Keyless Enrolment URL as described in the table at the beginning of this section)
Click Save
Make a note of the Client ID & Client Secret (for Keyless OIDC RP, these two parameters need to be sent back to Keyless for configuration of the Keyless enrolment server)
Click New to add a Custom Attribute
This completes the configuration on the Salesforce end. The following table is a summary of the 3 pieces of information that the Keyless team needs to complete configuration of the Keyless Enrolment service:
Once we have completed the steps above, we are in a position to step through the entire process of enrolling a user to Keyless and then continuing with Keyless authentication going forward.
Prerequisite is to have a compatible mobile (android/iOS) device with Keyless Authenticator App installed: Installation instructions are located here https://docs.keyless.io/userguide/install-mobile-app
Create a new Salesforce user from SFDC dashboard (e.g. demouser@myorg-demo.com)
Enrol the newly created user to Keyless (if this account is not enrolled already)
From a web browser go to Keyless Enrol Site: https://<<your-keylelss-registration-URL>> (provided by Keyless team)
Authenticate to SFDC Portal with Userid/Password (following redirect from Keyless Enrolment page)
Click on the Enrol link and scan the QR code using the Keyless Authenticator App on your mobile device
Complete the registration process on your mobile device as guided by Keyless Authenticator App
Registered account will appear on Keyless Authenticator App on the mobile device
Log out from Salesforce browser session and this completes Keyless enrolment
Link Salesforce User to his/her registered Keyless account
Log on to SFDC with account linking URL
Account Linking URL can be found on Salesforce Setup -> Auth Provider -> Salesforce Configuration section which will look like the following: https://<your-salesforce-tenant>.my.salesforce.com/services/auth/link/keyless
Authenticate with Keyless via Keyless Authenticator App on your mobile device
After a successful authentication with Keyless, the Salesforce portal will prompt you to sign in with user ID and password to link an SFDC user to the authenticated Keyless account
That completes the account linking between the SFDC and Keyless accounts
From a browser access your Salesforce portal: https://<your-salesforce-tenant>.my.salesforce.com
Log on to SFDC via Keyless: click on the "Sign In with Keyless" button instead of providing a user ID and password
Authenticate via the Keyless Mobile Authenticator
That completes Keyless authentication to SFDC
Authentication provider parameters received from Keyless (used in "Create an OIDC Auth Provider" above):

Parameter | Description | Example |
---|---|---|
Login Icon URI | Can be used as the logon icon for Keyless authentication on the logon page | https://<your-keyless-tenant>/static/keyless.svg |
Token Issuer | OIDC Issuer | https://<your-keyless-tenant> |
Token Endpoint URL | OIDC Token Endpoint URL | https://<your-keyless-tenant>/connect/token |
Authorize Endpoint URL | OIDC Authorization Endpoint URL | https://<your-keyless-tenant>/connect/authorize |
User Info Endpoint URL | OIDC User Info Endpoint URL | https://<your-keyless-tenant>/connect/userinfo |
Scope | OIDC Scope | openid profile email |
Consumer Key | OIDC Client ID | - |
Consumer Secret | OIDC Client Secret | - |

Keyless Enrolment Server parameters required to configure the Salesforce Connected Application:

Parameter | Description | Example |
---|---|---|
Login /Redirect URL | OIDC RP Configuration | https://<your-keyless-enrolment-server>/signin-oidc |
Post Logout Redirect URL | OIDC RP Configuration | https://<your-enrolment-server>/signout/callback |
Keyless Enrolment URL | Keyless Enrolment server | https://<your-keyless-enrolment-server> |

Information to send back to Keyless to complete configuration of the Keyless Enrolment service:

Parameter | Description | Example |
---|---|---|
Issuer URL | OIDC IdP | https://<your-salesforce-tenant>.my.salesforce.com |
Consumer Key | OIDC Client ID | - |
Consumer Secret | OIDC Client Secret | - |