---
title: (Legacy) Configuring a PingFederate policy for passwordless authentication with FIDO2 passkeys
description: For admins running PingFederate 13.0.0 or later with the PingID integration kit 2.30 and later, you can benefit from a more consistent passwordless authentication experience. Learn more in Configuring a PingFederate policy for a consistent passwordless authentication experience.
component: pingid
page_id: pingid:pingid_integrations:pid_configuring_pf_policy_for_passwordless_authentication_fido2_passkeys
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_configuring_pf_policy_for_passwordless_authentication_fido2_passkeys.html
revdate: May 26, 2024
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
---

# (Legacy) Configuring a PingFederate policy for passwordless authentication with FIDO2 passkeys

|   |                                                                                                                                                                                                                                                                                                                                                           |
| - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | If you're running PingFederate 13.0.0 or later with the PingID integration kit 2.30 or later, you can benefit from a more consistent passwordless authentication experience. Learn more in [Configuring a PingFederate policy for a consistent passwordless authentication experience](pid_configuring_pf_policy_for_passwordless_authentication.html). |

Configure a PingFederate policy for passwordless authentication with FIDO2 passkeys.

## Before you begin

Before configuring PingID for passwordless authentication, make sure you:

* Install the [PingID Integration Kit](installing_the_pid_i_for_pf.html) 2.7 or later.

* Download the [PingID properties file](pid_pf.html).

* Configure an [HTML Form Adapter](http://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_config_html_form_adapt_instance.html) instance.

* [Configure a PingID Adapter](configuring_a_pid_adapter_instance.html) instance.

* (Optional) If you want to configure the application name or application icon, do so in PingFederate. Learn more in [Identify the target application](http://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_identifying_target_application.html).

* Review the [FIDO2 authentication requirements and limitations](../pingid_service_management/fido2_auth_requirements_and_limitations.html).

|   |                                                                                                                                                                                                                                                 |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | The default policy's handling of null chain attributes optimizes the user authentication process by avoiding redundant LDAP queries and continuing straight to the PPM request stage. Therefore, the use of chained attributes isn't permitted. |

## About this task

To use PingID as a passwordless authentication solution for federated single sign-on (SSO) with PingFederate, you'll need to do the following in PingFederate:

* Create an authentication policy contract.

* Create a local identity profile and associate it with the HTML Form Adapter instance.

* Create an authentication policy.

## Steps

1. Create a PingFederate authentication policy for passwordless authentication using a security key (learn more in [Policies](http://docs.pingidentity.com/pingfederate/12.3/administrators_reference_guide/qmq1564002987890.html)):

   1. Go to Policies:

      * PingFederate 10.1 and later: Click **Authentication**, and then click **Policies**.

      * PingFederate 10 and earlier: In the **Identity Provider** tab, under **Authentication Policies**, click **Policies**.

   2. In the **Policies** tab, ensure the **IdP Authentication Policies** checkbox is selected, and then click **Add Policy**.

   3. In the **Name** field, enter a meaningful name for the authentication policy.

   4. In the **Policy** list, select **IdP Adapters** and then select the **HTML Form Adapter**. A branch for the **HTML Form Adapter** is added to the PingFederate policy tree, and **FAIL**/**SUCCESS** fields are added.

   5. Directly under the **HTML Form Adapter** field, click **Rules** and in the **Rules** modal, enter the following information, and then click **Done**:

      * **Attribute Name**: Select **policy.action**.

      * **Condition**: Select **equal to (case insensitive)**.

      * **Value**: Type **Security Key** as your authentication source.

      * **Result**: Type **Security Key** as your authentication source.

      * Select the **Default to success** checkbox.

        A Security Key branch is added to the PingFederate policy tree.

   6. In the **HTML Form Adapter** branch **FAIL** field, click **Done**.

   7. In the **HTML Form Adapter** branch **Security Key** field list, select **IdP Adapters**, and then select the PingID Adapter. **SUCCESS** and **FAIL** fields are added to the Security Key branch.

      1. Under the Security Key branch **FAIL** field, click **Done**.

      2. In the Security Key branch **SUCCESS** field list, select the endpoint you require. For example:

         * **Policy Contracts**: Select the policy contract you created earlier and complete the relevant mapping (learn more in [Configuring contract mapping](http://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_contract_mapping.html)).

         * **Local Identity Profiles**: Select the Local Identity Profile you created earlier and then complete the relevant mapping (learn more in [Configuring local identity mapping](http://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_local_identity_mapping.html)).

   8. In the **HTML Form Adapter** branch **SUCCESS** field list, select the action that you want to apply and configure it appropriately. For example:

      * If configuring the PingID Adapter (recommended), do the following:

        1. In the **SUCCESS** branch list, select **IdP Adapters** and then select **PingID Adapter**. **SUCCESS** and **FAIL** fields are added to the branch.

        2. Under the PingID Adapter **FAIL** field, click **Done**.

        3. In the PingID Adapter **SUCCESS** field, select the local identity profile you created earlier.

        4. Under the local identity profile, click **Local Identity Mapping** and complete the relevant mapping with the PingID Adapter (learn more in [Configuring contract mapping](http://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_contract_mapping.html)).

           |   |                                                                                                                                                                          |
           | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
           |   | You can find a list of attributes that can be used upon successful authentication with PingID in [PingID authentication attributes](pid_authentication_attributes.html). |

        5. Under the **PingID Adapter** entry, click **Options** and specify the following fields:

           * **Source**: HTML Form Adapter

           * **Attribute**: Username

           * Make sure the **User ID Authenticated** checkbox is selected.

      * If configuring a local identity profile:

        1. In the **SUCCESS** branch list, select **Local Identity Profiles**, and then select the local identity profile that you created earlier.

        2. Directly under the **HTML Form Adapter** branch **SUCCESS** field, click **Local Identity Mapping**, complete the relevant mapping from your source to the local identity contract (learn more in [Configuring local identity mapping](http://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_local_identity_mapping.html)), and then click **Done**.

2. Save the PingFederate policy.

3. Add any further configurations, for example:

   * Browser SSO: [Configure IdP Browser SSO](http://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_spconnectionconfigtasklet_spbrowserssostate.html).

   * OAuth: [OAuth configuration](http://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_oauth_config.html).
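
The tree that step 1 produces can be reviewed as data before you rely on it. The following is an added example, not Ping Identity code and not PingFederate's export format: a simplified Python model in which `TREE`, `route`, and `check` are hypothetical names and the leaf targets are placeholders for the policy contract and local identity profile you created.

```python
# Simplified model of the policy tree from step 1 (assumption: not PingFederate's
# own format). Leaves are "Done" or a placeholder for the mapping target.
PINGID_MFA = {"source": "PingID Adapter",                      # step 1.8
              "branches": {"FAIL": "Done", "SUCCESS": "Local Identity Profile"}}
PINGID_PASSKEY = {"source": "PingID Adapter",                  # step 1.7
                  "branches": {"FAIL": "Done", "SUCCESS": "Policy Contract"}}
TREE = {
    "source": "HTML Form Adapter",
    "rules": [{"attribute": "policy.action",                   # step 1.5
               "condition": "equal to (case insensitive)",
               "value": "Security Key", "result": "Security Key"}],
    "default_to_success": True,
    "branches": {"FAIL": "Done", "Security Key": PINGID_PASSKEY,
                 "SUCCESS": PINGID_MFA},
}

def route(node, succeeded, attrs):
    """Return (sources invoked, terminal leaf) for one sign-on attempt."""
    path = []
    while isinstance(node, dict):
        path.append(node["source"])
        branch = "FAIL"
        if succeeded.get(node["source"], False):
            rules = node.get("rules", [])
            hit = [r["result"] for r in rules
                   if str(attrs.get(r["attribute"], "")).lower() == r["value"].lower()]
            if hit:
                branch = hit[0]
            elif not rules or node["default_to_success"]:
                branch = "SUCCESS"
        node = node["branches"][branch]
    return path, node

def check(node, where="root"):
    """List review findings: FAIL not ending in Done, or a rule result with no branch."""
    problems = []
    if node["branches"].get("FAIL") != "Done":
        problems.append(f"{where}: FAIL is not Done")
    for rule in node.get("rules", []):
        if rule["result"] not in node["branches"]:
            problems.append(f"{where}: no branch for rule result {rule['result']!r}")
    for name, child in node["branches"].items():
        if isinstance(child, dict):
            problems += check(child, f"{where}/{name}")
    return problems
```

In this model, `route` follows the Security Key branch only when `policy.action` matches the rule value in any letter case, and `check` returns an empty list when every **FAIL** field ends in **Done** and each rule result has a branch.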
