Configuring a PingFederate policy for passwordless authentication with FIDO2 passkeys
Configure a PingFederate policy for passwordless authentication with FIDO2 passkeys.
Before you begin
Before configuring PingID for passwordless authentication, make sure you:
- Install the PingID Integration Kit 2.7 or later.
- Download the PingID properties file.
- Configure an HTML Form Adapter instance.
- Configure a PingID Adapter instance.
- (Optional) If you wish to configure the application name or application icon, do so in PingFederate. See Identify the target application.
- Review the FIDO2 authentication requirements and limitations.
About this task
To use PingID as a passwordless authentication solution for federated single sign-on (SSO) with PingFederate, in PingFederate you'll need to:
- Create an authentication policy contract.
- Create a local identity profile and associate it with the HTML Form Adapter instance.
- Create an authentication policy.
Steps
- Create a PingFederate authentication policy for passwordless authentication using a security key (see also Policies):
  - Go to Policies:
    - PingFederate 10.1 and higher: Click Authentication, and then click Policies.
    - PingFederate 10 and lower: In the Identity Provider tab, under Authentication Policies, click Policies.
  - In the Policies tab, ensure the IdP Authentication Policies check box is selected, and then click Add Policy.
  - In the Name field, enter a meaningful name for the authentication policy.
  - In the Policy dropdown, select IdP Adapters and then select the HTML Form Adapter. A branch for the HTML Form Adapter is added to the PingFederate policy tree, and FAIL and SUCCESS fields are added.
  - Directly under the HTML Form Adapter field, click Rules, enter the following information in the Rules popup window, and then click Done:
    - Attribute Name: Select policy.action.
    - Condition: Select equal to (case insensitive).
    - Value: Type Security Key, the authentication source value that the HTML Form Adapter places in policy.action when the user signs on with a security key.
    - Result: Type Security Key. This is the name given to the new branch.
    - Select the Default to success check box, so that sign-on attempts that do not match the rule (username and password) continue down the SUCCESS branch.
    A Security Key branch is added to the PingFederate policy tree.
  - In the HTML Form Adapter branch FAIL field, select Done.
  - In the HTML Form Adapter branch Security Key field dropdown list, select IdP Adapters, and then select the PingID Adapter. SUCCESS and FAIL fields are added to the Security Key branch.
  - Under the Security Key branch FAIL field, select Done.
  - In the Security Key branch SUCCESS field dropdown list, select the endpoint you require. For example:
    - Policy Contracts: Select the policy contract you created earlier and complete the relevant mapping (see Configuring contract mapping).
    - Local Identity Profiles: Select the local identity profile you created earlier and complete the relevant mapping (see Configuring local identity mapping).
  - In the HTML Form Adapter branch SUCCESS field dropdown list, select the action that you want to apply and configure it appropriately. For example:
    - If configuring the PingID Adapter (recommended), do the following:
      - In the SUCCESS branch dropdown list, select IdP Adapters and then select PingID Adapter. SUCCESS and FAIL fields are added to the branch.
      - Under the PingID Adapter FAIL field, select Done.
      - In the PingID Adapter SUCCESS field, select the local identity profile you created earlier.
      - Under the local identity profile, click Local Identity Mapping and complete the relevant mapping with the PingID Adapter (see also Configuring contract mapping). For a list of attributes that can be used upon successful authentication with PingID, see PingID authentication attributes.
      - Under the PingID Adapter entry, click Options and specify the following fields:
        - Source: HTML Form Adapter
        - Attribute: Username
        - Make sure the User ID Authenticated check box is selected, so that PingID treats the username supplied by the HTML Form Adapter as already verified by the password.
    - If configuring a local identity profile only (note that with this option the password branch completes without a second factor):
      - In the SUCCESS branch dropdown list, select Local Identity Profiles, and then select the local identity profile that you created earlier.
      - Directly under the HTML Form Adapter branch SUCCESS field, click Local Identity Mapping, complete the relevant mapping from your source to the local identity contract (see Configuring local identity mapping), and then click Done.
- Save the PingFederate policy.
- Add any further configurations, for example:
  - Browser SSO: Configure IdP Browser SSO.
  - OAuth: OAuth configuration.
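The policy tree built by the steps above, expressed as a PingFederate admin-API payload, together with a check that every branch reaching a policy contract or local identity profile first passes through the PingID adapter (the misconfiguration to watch for is a Security Key branch wired straight to the contract, which would complete SSO on a username alone). This is an added example, not code from this page or from Ping Identity: the adapter, contract and profile IDs are placeholders, and the JSON field names (AUTHN_SOURCE, APC_MAPPING, LOCAL_IDENTITY_MAPPING, attributeRules, inputUserIdMapping, userIdAuthenticated) are assumed to match the AuthenticationPolicy model of the admin API, so compare the output with a policy retrieved from /pf-admin-api/v1/authenticationPolicies/policy/{id} on your own instance before sending it.

```python
"""Build the passwordless FIDO2 policy as an admin-API payload and audit it for MFA bypasses."""
import json

# Constructed placeholder instance IDs; substitute the IDs from your PingFederate.
HTML_FORM_ADAPTER_ID = "HTMLFormPasswordless"
PINGID_ADAPTER_ID = "PingIDAdapter"
POLICY_CONTRACT_ID = "PasswordlessAPC"
LOCAL_IDENTITY_PROFILE_ID = "PasswordlessLIP"

# Actions that end a branch by handing the user to SSO (contract or local identity profile).
MAPPING_ACTIONS = {"APC_MAPPING", "LOCAL_IDENTITY_MAPPING"}


def adapter_action(adapter_id, context=None, **extra):
    """An IdP adapter node; 'context' is the parent field it hangs off (Fail/Success/rule result)."""
    action = {"type": "AUTHN_SOURCE",
              "authenticationSource": {"type": "IDP_ADAPTER", "sourceRef": {"id": adapter_id}}}
    if context is not None:
        action["context"] = context
    action.update(extra)  # assumed field names, e.g. attributeRules, userIdAuthenticated
    return action


def done(context):
    return {"action": {"type": "DONE", "context": context}}


def from_adapter(adapter_id, attr):
    return {"source": {"type": "ADAPTER", "id": adapter_id}, "value": attr}


def build_passwordless_policy():
    # Root: HTML Form Adapter with the policy.action rule and "Default to success".
    root = adapter_action(HTML_FORM_ADAPTER_ID, attributeRules={
        "fallbackToSuccess": True,
        "items": [{"attributeName": "policy.action",
                   "condition": "EQUALS_CASE_INSENSITIVE",
                   "expectedValue": "Security Key",
                   "result": "Security Key"}]})
    # Security Key branch: PingID adapter (FIDO2 passkey), then the policy contract.
    security_key_branch = {
        "action": adapter_action(PINGID_ADAPTER_ID, context="Security Key"),
        "children": [done("Fail"), {"action": {
            "type": "APC_MAPPING", "context": "Success",
            "authenticationPolicyContractRef": {"id": POLICY_CONTRACT_ID},
            "attributeMapping": {"attributeSources": [], "attributeContractFulfillment": {
                "subject": from_adapter(PINGID_ADAPTER_ID, "username")}}}}]}
    # Password branch: PingID adapter with Options (username from the HTML form,
    # User ID Authenticated selected), then the local identity profile.
    password_branch = {
        "action": adapter_action(PINGID_ADAPTER_ID, context="Success",
                                 inputUserIdMapping=from_adapter(HTML_FORM_ADAPTER_ID, "username"),
                                 userIdAuthenticated=True),
        "children": [done("Fail"), {"action": {
            "type": "LOCAL_IDENTITY_MAPPING", "context": "Success",
            "localIdentityRef": {"id": LOCAL_IDENTITY_PROFILE_ID},
            "inboundMapping": {"attributeSources": [], "attributeContractFulfillment": {
                "pf.local.identity.unique.id": from_adapter(PINGID_ADAPTER_ID, "username")}}}}]}
    return {"name": "Passwordless FIDO2 with PingID", "enabled": True,
            "rootNode": {"action": root,
                         "children": [done("Fail"), security_key_branch, password_branch]}}


def mfa_bypass_paths(policy, mfa_adapter_id):
    """Return 'root > ... > context' paths that reach a contract/LIP mapping without the MFA adapter."""
    found = []

    def walk(node, path, seen_mfa):
        action = node["action"]
        if (action["type"] == "AUTHN_SOURCE"
                and action["authenticationSource"]["sourceRef"]["id"] == mfa_adapter_id):
            seen_mfa = True
        if action["type"] in MAPPING_ACTIONS and not seen_mfa:
            found.append(" > ".join(path))
        for child in node.get("children", []):
            walk(child, path + [child["action"].get("context", "?")], seen_mfa)

    walk(policy["rootNode"], ["root"], False)
    return found


if __name__ == "__main__":
    policy = build_passwordless_policy()
    print(json.dumps(policy, indent=2))
    print("MFA bypass paths:", mfa_bypass_paths(policy, PINGID_ADAPTER_ID) or "none")
```

Run the audit against a policy exported from your own instance as well: the walk only looks at adapter nodes and mapping actions, so it works on any tree with the same shape, and a non-empty result names the branch that skips PingID.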