PingID Administration Guide

Windows and Mac login

The Windows and Mac login PingID properties file provides a limited subset of permissions that enable users to perform Windows or Mac login authentication while preventing them from performing management actions, such as enrollment and device management.

About this task

The PingID Windows and Mac login properties file contains sensitive information, including the secret encryption key. It should be handled only by administrators and should not be distributed more widely than necessary.

The outcome of a login attempt by a user who is not yet registered in PingID differs depending on whether Windows or Mac login was installed with the full-permissions properties file or with the restricted-permissions one.

Under full permissions, if the valid user john.smith creates a new user, joe.blogs, on his Mac and then uses it to log in, he is offered a QR code or a one-time passcode (OTP) on his registered second-factor device, and PingID creates a new user named joe.blogs. The full-permissions file therefore both registers users and grants access at login. Under restricted permissions, attempting to log in as joe.blogs fails with an error message: the restricted-permissions file grants access only.

To avoid ad hoc registrations, the admin should always install the login integration using the restricted-permissions properties file.

To download the PingID properties file to integrate with Windows login or Mac login:

Steps

  1. In the PingOne admin portal, go to Setup → PingID → Client Integration.

    Result:

    The Integrate With Windows and Mac Login section is displayed.

    Client Integration tab, Integrate with Windows and Mac login section, showing the options to download, revoke, or generate a PingID properties file with reduced permissions for use with Windows and Mac login.

  2. To generate a new Windows or Mac login PingID properties file, click Generate, and then click Save.

    You can have a maximum of five active PingID properties files. If you have five active files and want to generate a new one, you must first revoke one of your existing files.

    Result:

    A new entry is added to the Properties file list showing the new PingID properties file.

  3. Select the Enable Device Management option if you want to allow users to manage their devices from their Devices page and to register a device the first time they try to access a resource that requires authentication ("on-the-fly registration"). When this option is selected, these features are available to every user who installs the integration with Windows login using that copy of the PingID properties file.

    To carry out on-the-fly registration of FIDO2 security keys, users must have installed version 2.11 or later of the integration with Windows login.

  4. In the relevant row, click Download, and then save the file to the desired location using a meaningful name.
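Because the downloaded file carries the secret encryption key, an administrator will want to confirm it is stored with owner-only permissions and was not truncated before installing it. The POSIX shell check below is an added example, not part of the PingID guide; it assumes the file is a key=value properties file and that the key names use_base64_key, token and org_alias appear in it (those names are assumptions, not taken from this page).

```shell
#!/bin/sh
# Added example (not from the PingID guide): sanity-check a downloaded
# PingID properties file on a Mac or Linux admin host before use.
# Assumption: the file is Java-style key=value lines and the secret is on a
# line starting with "use_base64_key=". Adjust EXPECTED_KEYS to your file.

EXPECTED_KEYS="use_base64_key token org_alias"

# Print the octal permission bits of a file (GNU stat first, then BSD/macOS).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_pingid_properties PATH
# Returns 0 when the file is readable only by its owner (mode 600 or 400),
# contains each expected key exactly once, and the secret is non-empty.
# Prints the first problem found and returns 1 otherwise.
check_pingid_properties() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(file_mode "$f")
    case "$mode" in
        600|400) ;;
        *) echo "unsafe mode $mode on $f (expected 600 or 400)"; return 1 ;;
    esac
    for key in $EXPECTED_KEYS; do
        n=$(grep -c "^${key}=" "$f" || true)
        [ "$n" -eq 1 ] || { echo "key $key found $n times in $f"; return 1; }
    done
    # An empty secret usually means a truncated or hand-edited download.
    grep -q '^use_base64_key=.' "$f" || { echo "empty secret in $f"; return 1; }
    return 0
}

# harden_pingid_properties PATH: restrict the file to its owner, then re-check.
harden_pingid_properties() {
    chmod 600 "$1" && check_pingid_properties "$1"
}
```

Run `harden_pingid_properties /path/to/pingid.properties` after step 4; a non-zero exit with a printed reason means the file should not be installed as-is.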