PingID Administration Guide

(Legacy) Configuring a PingFederate policy for passwordless authentication with FIDO2 passkeys

For admins running PingFederate 13.0.0 or later with the PingID integration kit 2.30 and later, you can benefit from a more consistent passwordless authentication experience. Learn more in Configuring a PingFederate policy for a consistent passwordless authentication experience.

Configure a PingFederate policy for passwordless authentication with FIDO2 passkeys.

Before you begin

Before configuring PingID for passwordless authentication, make sure you:

The default policy’s handling of null chain attributes optimizes the user authentication process by avoiding redundant LDAP queries and continuing straight to the PPM request stage. Therefore, the use of chained attributes isn’t permitted.

About this task

To use PingID as a passwordless authentication solution for federated single sign-on (SSO) with PingFederate, in PingFederate you’ll need to:

  • Create an authentication policy contract.

  • Create a local identity profile and associate it with the HTML Form Adapter instance.

  • Create an authentication policy.

Steps

  1. Create a PingFederate authentication policy for passwordless authentication using a security key: (learn more in Policies).

    1. Go to Policies:

      • PingFederate 10.1 and later: Click Authentication, and then click Policies.

      • PingFederate 10 and earlier: In theIdentity Provider tab, under Authentication Policies, click Policies.

    2. In the Policies tab, ensure the IdP Authentication Policies checkbox is selected, and then click Add Policy.

    3. In the Name field, enter a meaningful name for the authentication policy.

    4. In the Policy list, select IdP Adapters and then select the HTML Form Adapter. A branch for the HTML Form Adapter is added to the PingFederate policy tree, and FAIL/SUCCESS fields are added.

    5. Directly under the HTML Form Adapter field, click Rules and in the Rules modal, enter the following information, and then click Done:

      • Attribute Name: Select policy.action.

      • Condition: Select equal to (case insensitive).

      • Value: Type Security Key as your authentication source.

      • Result: Type Security Key as your authentication source.

      • Select the Default to success checkbox.

        A Security Key branch is added to the PingFederate policy tree.

    6. In the HTML Form Adapter branch FAIL field, click Done.

    7. In the HTML Form Adapter branch Security Key field list, select IdP Adapters, and then select the PingID Adapter. SUCCESS and FAIL fields are added to the Security Key branch.

      1. Under the Security Key branch FAIL field, click Done.

      2. In the Security branch SUCCESS field list, select the endpoint you require. For example:

        • Policy Contracts: Select the policy contract you created earlier and complete the relevant mapping (learn more in Configuring contract mapping).

        • Local Identity Profiles: Select the Local Identity Profile you created earlier and then complete the relevant mapping (learn more in Configuring local identity mapping).

    8. In the HTML Form Adapter branch SUCCESS field list, select the action that you want to apply and configure it appropriately. For example:

      • If configuring the PingID Adapter (recommended), do the following:

        1. In the SUCCESS branch list, select IdP Adapters and then selectPingID Adapter. SUCCESS and FAIL fields are added to the branch.

        2. Under the PingID Adapter FAIL field, click Done.

        3. In the PingID Adapter SUCCESS field, select the local identity profile you created earlier.

        4. Under the local identity profile click Local Identity Mapping and complete the relevant mapping with the PingID Adapter (learn more in Configuring contract mapping).

          You can find a list of attributes that can be used upon successful authentication with PingID in PingID authentication attributes.

        5. Under the PingID Adapter entry, click Options and specify the following fields:

          • Source: HTML Form Adapter

          • Attribute: Username

          • Make sure the User ID Authenticated checkbox is selected.

      • If configuring a local identity profile:

        1. In the SUCCESS branch list, select the Local Identity Profiles, and then select the local identity profile that you created earlier.

        2. Directly under the HTML Form Adapter branch SUCCESS field click Local Identity Mapping, complete the relevant mapping from your source to the local identity contract, (learn more in Configuring local identity mapping), and then click Done.

  2. Save the PingFederate policy.

  3. Add any further configurations, for example: