PingID Administration Guide

Configuration for use with Entra ID-joined devices

PingID Windows Login - Passwordless makes it possible for users to sign on to their Windows computer without a password, using the PingID mobile app (version 1.15 or later) or a FIDO2 security key.

This topic describes how to set up PingID Windows Login - Passwordless in an Entra ID-only environment.

In an Entra ID-only environment, users must sign on to the client computer with their username and password at least once before using the passwordless solution. This is required to fetch the user’s security identifier from the registry for passwordless login. If the user’s password is changed later, it doesn’t affect passwordless login.

Before you begin

Before you begin, review the main steps to set up PingID Windows Login - Passwordless in an Entra ID environment:

Enable certificate-based authentication in Entra ID

To configure Microsoft Entra ID certificate-based authentication (CBA) for use with the PingID Windows Login - Passwordless solution, upload the issuing certificate authority, enable CBA, and configure authentication binding and username binding rules in Microsoft Entra ID. These settings define the authentication strength and how Entra ID maps the user’s certificate to a user object and validates it.

  1. In the Microsoft Entra admin center, go to Entra ID > Authentication methods > Policies.

  2. On the Policies page, click Certificate-based authentication.

  3. On the Enable and Target tab, select Enable then I acknowledge.

    1. Select Include and target All users or Specific groups.

    2. Click Save.

  4. On the Configure tab:

    1. Set Protection Level to Single-factor authentication.

    2. Set Required Affinity Binding to Low.

    3. In Authentication binding, click Add Rule.

      1. In Certificate Attribute, select Certificate issuer and set Certificate issuer to the root certificate authority from the list.

      2. Set Authentication Strength to Single-factor authentication.

      3. Set Affinity binding to Low.

      4. Click Add, then I acknowledge, to save the rule.

    4. In Username binding, configure the following username bindings. For each certificate field name in the table, click the field name, set Affinity binding and User attribute as shown, then click Add to save the rule:

       Certificate field          Affinity binding   User attribute
       PrincipalName              Low                userPrincipalName
       Issuer and serial number   High               CertificateUserIDs
       SKI                        High               CertificateUserIDs
       RFC822Name                 High               userPrincipalName

    5. Click Save.
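The two rows of the username binding table that bind to CertificateUserIDs only work if that attribute on the user object already holds a value in the format Entra ID expects for the certificate field. The following is an added example, not code from the PingID guide or from Ping Identity: it builds those values for a constructed sample certificate (following Microsoft's documented certificateUserIds syntax, X509:<I>issuer<SR>serial and X509:<SKI>ski, with the serial in reverse byte order and the issuer written from the root component to the CN) and then evaluates the certificate against a user record using the four binding rules exactly as the procedure above configures them. The certificate values, user records, and the simplified evaluation order (high-affinity rules before low-affinity ones, with the Required Affinity Binding setting as a floor) are assumptions made for illustration, not a description of Entra ID's internal logic.

```python
"""Added example (not from the PingID guide): certificateUserIds value construction and a
simplified evaluation of the username binding rules configured in step 4 above.
All certificate and user data below is constructed sample data."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CertFields:
    """Identifiers read from a user's certificate (constructed sample values)."""
    issuer_dn: str        # issuer as a certificate viewer shows it: most specific RDN first
    serial_hex: str       # serial number as displayed (big-endian hex, optional separators)
    ski_hex: str          # Subject Key Identifier extension, hex
    principal_name: str   # SAN otherName UPN: the PrincipalName field of the table
    rfc822_name: str      # SAN rfc822Name: the RFC822Name field of the table


@dataclass
class UserRecord:
    """The two user attributes the binding table refers to."""
    user_principal_name: str
    certificate_user_ids: List[str] = field(default_factory=list)


def reverse_serial(serial_hex: str) -> str:
    """The <SR> component carries the serial in reverse byte order: a serial displayed as
    12 00 ... 2B is written 2B ... 00 12. Separators such as ':' are stripped first."""
    clean = "".join(ch for ch in serial_hex.upper() if ch in "0123456789ABCDEF")
    if len(clean) % 2:
        clean = "0" + clean
    return "".join(clean[i:i + 2] for i in range(len(clean) - 2, -1, -2))


def issuer_for_user_id(issuer_dn: str) -> str:
    """The <I> component lists the issuer RDNs root-first (DC=com,DC=example,CN=...), the
    reverse of the CN-first order a viewer displays. Assumption: comma-separated RDNs
    with no escaped commas."""
    return ",".join(part.strip() for part in reversed(issuer_dn.split(",")))


def certificate_user_ids(cert: CertFields) -> Dict[str, str]:
    """certificateUserIds values to store on the user object for this certificate,
    keyed by the table's certificate field name."""
    issuer_serial = f"X509:<I>{issuer_for_user_id(cert.issuer_dn)}<SR>{reverse_serial(cert.serial_hex)}"
    ski = f"X509:<SKI>{cert.ski_hex.replace(':', '').lower()}"
    return {"IssuerAndSerialNumber": issuer_serial, "SKI": ski}


# Username binding rules as configured in step 4 above:
# (certificate field, affinity binding, user attribute)
USERNAME_BINDINGS = [
    ("PrincipalName", "Low", "userPrincipalName"),
    ("IssuerAndSerialNumber", "High", "CertificateUserIDs"),
    ("SKI", "High", "CertificateUserIDs"),
    ("RFC822Name", "High", "userPrincipalName"),
]
AFFINITY_RANK = {"Low": 0, "High": 1}


def rule_matches(cert: CertFields, user: UserRecord, cert_field: str, user_attr: str) -> bool:
    """True if the certificate field identifies this user under the given attribute."""
    if user_attr == "CertificateUserIDs":
        wanted = certificate_user_ids(cert)[cert_field].lower()
        return any(v.lower() == wanted for v in user.certificate_user_ids)
    # userPrincipalName bindings compare a SAN value with the UPN, case-insensitively.
    san_value = cert.principal_name if cert_field == "PrincipalName" else cert.rfc822_name
    return san_value.lower() == user.user_principal_name.lower()


def resolve_binding(cert: CertFields, user: UserRecord,
                    required_affinity: str = "Low") -> Optional[Tuple[str, str]]:
    """Return (certificate field, affinity) of the rule that identifies the user, or None.
    Simplified model (assumption): high-affinity rules are tried before low-affinity ones,
    and rules below required_affinity (the Required Affinity Binding setting, Low in the
    procedure above) are skipped, so a UPN-only match is accepted at Low and rejected at High."""
    ordered = sorted(USERNAME_BINDINGS, key=lambda r: AFFINITY_RANK[r[1]], reverse=True)
    for cert_field, affinity, user_attr in ordered:
        if AFFINITY_RANK[affinity] < AFFINITY_RANK[required_affinity]:
            continue
        if rule_matches(cert, user, cert_field, user_attr):
            return cert_field, affinity
    return None


# Constructed sample certificate; the email SAN deliberately differs from the UPN.
SAMPLE_CERT = CertFields(
    issuer_dn="CN=Example Issuing CA,DC=example,DC=com",
    serial_hex="12:00:00:00:00:AC:11:00:00:00:00:2B",
    ski_hex="A1:B2:C3:D4:E5:F6",
    principal_name="alice@example.com",
    rfc822_name="alice.smith@example.com",
)


def sample_users() -> Dict[str, UserRecord]:
    """Alice has the Issuer and serial number value populated; Carol shares the UPN but
    has no CertificateUserIDs values at all (constructed sample records)."""
    ids = certificate_user_ids(SAMPLE_CERT)
    return {
        "alice": UserRecord("alice@example.com", [ids["IssuerAndSerialNumber"]]),
        "carol": UserRecord("alice@example.com", []),
    }


if __name__ == "__main__":
    for name, user in sample_users().items():
        print(name, "Low ->", resolve_binding(SAMPLE_CERT, user, "Low"),
              "| High ->", resolve_binding(SAMPLE_CERT, user, "High"))
```

With the procedure's setting of Required Affinity Binding = Low, Carol is still identified through the PrincipalName rule, so the issuing CA's control over the UPN SAN is what the authentication rests on; raising the requirement to High makes the high-affinity CertificateUserIDs values mandatory, which is why populating them correctly (reversed serial, root-first issuer) matters before tightening that setting.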