---
title: (Legacy) Configuring a PingFederate policy for passwordless authentication with FIDO biometrics
description: For admins running PingFederate 13.0.0 or later with the PingID integration kit 2.30 and later, you can benefit from a more consistent passwordless authentication experience.
component: pingid
page_id: pingid:pingid_integrations:pid_configuring_pf_policy_for_passwordless_authentication_fido_biometrics
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_configuring_pf_policy_for_passwordless_authentication_fido_biometrics.html
revdate: April 18, 2024
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
---

# (Legacy) Configuring a PingFederate policy for passwordless authentication with FIDO biometrics

|   |                                                                                                                                                                                                                                                                                                                                                          |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | For admins running PingFederate 13.0.0 or later with the PingID integration kit 2.30 and later, you can benefit from a more consistent passwordless authentication experience.Learn more in [Configuring a PingFederate policy for a consistent passwordless authentication experience](pid_configuring_pf_policy_for_passwordless_authentication.html). |

Configure a PingFederate policy for passwordless authentication with FIDO biometrics.

## Before you begin

Before configuring PingID for passwordless authentication, make sure you:

* Install the [PingID Integration Kit](installing_the_pid_i_for_pf.html) 2.7 or later.

* Download the [PingID properties file](pid_pf.html).

* Configure an [HTML Form Adapter](https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93\&topicId=xvy1564003022890.html) instance.

* [Configure a PingID Adapter](configuring_a_pid_adapter_instance.html) instance.

* (Optional) If you wish to configure the application name or application icon, do so in PingFederate. See [Identify the target application](http://docs.pingidentity.com/pingfederate/12.3/administrators_reference_guide/pf_identifying_target_application.html).

* Review the [(Legacy) FIDO2 biometrics authentication requirements and limitations](../pingid_service_management/fido2_biometrics_auth_requirements_and_limitations.html).

## About this task

To use PingID as a passwordless authentication solution for federated single sign-on (SSO) with PingFederate, in PingFederate you'll need to:

* Create an authentication policy contract.

* Create a local identity profile and associate it with the HTML Form Adapter instance.

* Create an authentication policy.

## Steps

1. In PingFederate, create an authentication policy contract: (see also [Policy Contracts](https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93\&topicId=aat1564002989773.html)).

   1. In the **Identity Provider** tab, under **AUTHENTICATION POLICIES** area, click **Policy Contracts**.

   2. Click **Create New Contract**.

   3. In the**Contract Name** field, enter a name for the policy contract and click **Next**.

   4. In the **Contract Attributes** tab, for each attribute you want to add, in the **Extend the Contract** area, type the name of the attribute and then click **Add**. For a list of PingID attributes, see [PingID authentication attributes](pid_authentication_attributes.html).

   5. Click **Next**, and then click **Done**.

2. Create a local identity profile for passwordless authentication:

   1. In the **Identity Provider** tab, click **Identity Profiles** and then click**Create New Profile**.

   2. In the **Profile Info** tab, enter the following information, and then click **Next**:

      * **Local Identity Profile Name**: Enter a meaningful name for the profile.

      * **Authentication Policy Contract**: Select your policy contract.

   3. In the**Authentication Sources** tab, in the **Authentication Source** field, enter **FIDO** as the name of your authentication source, click **Add**, and then click **Next**.

   4. Click **Done**, and then click **Save**. The local identity profile is saved.

3. In the **Identity Provider** tab, associate the HTML Form Adapter instance with the local identity profile:

   1. Click **Adapters**.

   2. Click the**HTML Form Adapter** and then click the **IdP Adapter** tab.

   3. Scroll down, and in the **Local Identity Profile** field, select the local identity profile that you created. Then click **Done**, and **Save**.

4. Create a PingFederate authentication policy for passwordless authentication. (See also [Policies](http://docs.pingidentity.com/pingfederate/12.3/administrators_reference_guide/qmq1564002987890.html).)

   1. In the **Identity Provider** tab, under **Authentication Policies**, click **Policies**.

   2. In the **Policies** tab, ensure the **IdP Authentication Policies** checkbox is selected, and then click **Add Policy**.

   3. In the **Name** field, enter a meaningful name for the authentication policy.

   4. In the **Policy** dropdown, select **IdP Adapters**, and then select the **HTML Form Adapter**. A branch for the **HTML Form Adapter** is added to the PingFederate policy tree, and **FAIL**/**SUCCESS** fields are added.

   5. Directly under the **HTML Form Adapter** field, click **Rules**. In the **Rules** popup window, enter the following information, and then click **Done**:

      * **Attribute Name**: Select **policy.action**.

      * **Condition**: Select **equal to**.

      * **Value**: Enter **FIDO** as your authentication source.

      * **Result**: Enter **FIDO** as your authentication source.

      * **Default to success**: Ensure the checkbox is selected.

   6. In the **HTML Form Adapter** branch **FAIL** field, click **Done**.

   7. In the **HTML Form Adapter** branch **SUCCESS** field dropdown list, select the action that you want to apply and configure it appropriately. For example:

      * If configuring the PingID Adapter (recommended), do the following:

        1. In the **SUCCESS** branch dropdown list, select **IdP Adapters**, and then select **PingID Adapter**. **SUCCESS**/**FAIL** fields are added to the branch.

        2. Under the PingID Adapter **FAIL** field, click **Done**.

        3. In the PingID Adapter **SUCCESS** field, select the local identity profile you created earlier.

        4. Under the local identity profile, click **Local Identity Mapping** and complete the relevant mapping. (See also [Configuring contract mapping](http://docs.pingidentity.com/pingfederate/12.3/administrators_reference_guide/pf_configuring_contract_mapping.html).)

           |   |                                                                                                                                                                   |
           | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
           |   | For a list of attributes that can be used upon successful authentication with PingID, see [PingID authentication attributes](pid_authentication_attributes.html). |

        5. Under the **PingID Adapter** entry, click **Options** and specify the following fields:

           * **Source**: HTML Form Adapter

           * **Attribute**: Username

      * If configuring a local identity profile:

        1. In the **SUCCESS** branch dropdown list, select the **Local Identity Profiles**, and then select the local identity profile that you created earlier.

        2. Directly under the **HTML Form Adapter** branch **SUCCESS** field, click **Local Identity Mapping**, complete the relevant mapping from your source to the local identity contract (see [Configuring local identity mapping](https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93\&topicId=waw1564002988686.html)) and click **Done**.

           The **FIDO** policy branch is added to the policy tree.

   8. In the **FIDO** branch:

      1. In the dropdown list, select **IdP Adapters**, and then select the **PingID Adapter**. **SUCCESS**/**FAIL** fields are added.

      2. In the **FAIL** field, click **Done**.

      3. In the **SUCCESS** field dropdown list, select the endpoint you require. For example:

         * **Policy Contracts**: Select the policy contract you created earlier and complete the relevant mapping. (See [Policy Contracts](https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93\&topicId=aat1564002989773.html).)

         * **Local Identity Profiles**: Select the Local Identity profile you created earlier and then complete the relevant mapping. (See [Configuring local identity mapping](https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93\&topicId=waw1564002988686.html).)

5. Save the PingFederate policy.

6. Add any further configurations, for example:

   * Browser SSO: [Configure IdP Browser SSO](https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93\&topicId=ikb1564003000542.html)

   * OAuth: [OAuth configuration](https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93\&topicId=zlc1564002990614.html)

7. To complete the passwordless configuration, see [(Legacy) Configuring FIDO2 passwordless authentication](../pingid_service_management/pid_configuring_fido2_passwordless_auth.html).