PingOne

Suppressing the Local Network Access prompt for PingID desktop authentication

Overview

Security updates in Chromium-based browsers (specifically Google Chrome version 142 and Microsoft Edge version 143) introduced a new permission layer known as Local Network Access (LNA).

This security feature prevents public websites from communicating with local devices or services (such as the PingID desktop application running on localhost) without explicit permission. Unless configured otherwise, users will see a popup in their browser prompting them for approval each time they authenticate with the PingID desktop app.

To ensure a seamless, passwordless experience, you can configure the browser policies to add the PingOne authentication URLs to the allow list. This preapproves those URLs and eliminates the need for user interaction during the handshake between the browser and the PingID desktop client.

Use cases

This procedure varies slightly depending on the browser used. The following examples show how to add the necessary PingOne origins to the allow list for the most commonly used browsers.

Windows machines

The following examples show how to use Group Policy (GPO) for Windows to add the necessary PingOne URLs to the allow list for Google Chrome and Microsoft Edge.

Google Chrome

  1. Download and install the latest Google Chrome Administrative (ADMX) Templates.

  2. On your Group Policy management server, run the following command:

    gpmc.msc

  3. Navigate to the relevant Group Policy Object (GPO) or create a new one.

  4. Go to Computer Configuration > Policies > Administrative Templates > Google Chrome > Local Network Access settings.

  5. Double-click the Allow sites to make requests to local network endpoints policy.

  6. Click Enabled, and then under Options click Show….

  7. In the Show Contents modal, add the PingOne authentication URLs for all relevant regions (for example, https://auth.pingone.com, https://auth.pingone.eu), and then apply the changes.

    This adds the public URL that initiates the request, not the local application.

  8. Push the policy to all Windows user machines.

Microsoft Edge

  1. Download and install the latest Microsoft Edge Administrative (ADMX) Templates.

  2. On your Group Policy management server, run the following command:

    gpmc.msc

  3. Navigate to the relevant GPO, or create a new one.

  4. Go to Computer Configuration > Policies > Administrative Templates > Microsoft Edge > Network settings.

  5. Double-click the Allow sites to make requests to local network endpoints policy.

  6. Click Enabled, and then under Options click Show….

  7. In the Show Contents modal, add the PingOne authentication URLs for all relevant regions (for example, https://auth.pingone.com, https://auth.pingone.eu), and then apply the changes.

    This adds the public URL that initiates the request, not the local application.

  8. Push the policy to all Windows user machines.

Mac machines

The following examples show how to add the necessary PingOne origins to the allow list for Google Chrome or Microsoft Edge by providing the necessary approvals in the browser or pushing an MDM policy.

Google Chrome

You can enable access through any of the following:

  • An MDM-pushed Chrome policy for macOS.

    To deploy the Chrome policy using traditional MDM tools (for example, Jamf or Intune), use the following XML payload snippet. Deploy this as an Application & Custom Settings payload using the preference domain com.google.Chrome. This policy adds your Ping domains for local network access to the allow list.

    Example XML Payload for MDM
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
      <dict>
        <key>LocalNetworkAccessRestrictionsEnabled</key>
        <true/>
        <key>LocalNetworkAccessAllowedForUrls</key>
        <array>
          <string>[*.]pingone.com</string>
          <string>[*.]yourdomain.com</string>
        </array>
      </dict>
    </plist>
  • A Google Workspace-managed Chrome policy.

    If you manage Chrome using the Google Admin console, go to Devices > Chrome > Settings > User & browser settings > Custom Chrome Policy and apply the following JSON configuration:

    Example JSON Payload for Google Workspace
    {
      "LocalNetworkAccessAllowedForUrls": [
        "[*.]pingone.com",
        "[*.]yourdomain.com"
      ],
      "LocalNetworkAccessRestrictionsEnabled": true
    }
  • Manual user approval in Google Chrome.

    Users can manually allow access when prompted by the browser for local network permissions.

Microsoft Edge

You can enable access through an MDM-pushed Edge policy for macOS.

To deploy the Edge policy using traditional MDM tools (for example, Jamf or Intune), use the following XML payload snippet. Deploy this as an Application & Custom Settings payload using the preference domain com.microsoft.Edge. This policy adds your Ping Identity domains for local network access to the allow list.

Example XML Payload for MDM
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>LocalNetworkAccessRestrictionsEnabled</key>
    <true/>
    <key>LocalNetworkAccessAllowedForUrls</key>
    <array>
      <string>[*.]pingone.com</string>
      <string>[*.]yourdomain.com</string>
    </array>
  </dict>
</plist>
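
Because every origin on this allow list can reach localhost and local-network endpoints without a prompt, it helps to check a payload before it is pushed. The following is an added example, not Ping Identity code: it parses the plist or JSON payloads shown above and flags entries that are over-broad, still contain the yourdomain.com placeholder, use plain HTTP, or fall outside an approved set. The function names, the approved_domains parameter, and the plain-HTTP rule are assumptions of the example.

```python
import json
import plistlib

ALLOW_KEY = "LocalNetworkAccessAllowedForUrls"
PLACEHOLDER = "yourdomain.com"  # placeholder domain in the page's sample payloads

# Constructed sample: the page's plist payload plus one over-broad "*" entry.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>LocalNetworkAccessRestrictionsEnabled</key>
    <true/>
    <key>LocalNetworkAccessAllowedForUrls</key>
    <array>
      <string>[*.]pingone.com</string>
      <string>[*.]yourdomain.com</string>
      <string>*</string>
    </array>
  </dict>
</plist>"""

def load_policy(raw: bytes) -> dict:
    """Parse an MDM plist payload or a Google Admin console JSON payload."""
    if raw.lstrip().startswith(b"{"):
        return json.loads(raw)
    return plistlib.loads(raw)

def audit_allow_list(policy: dict, approved_domains: set) -> list:
    """Return (pattern, reason) pairs for entries that should not be deployed."""
    findings = []
    for pattern in policy.get(ALLOW_KEY, []):
        # Reduce the pattern to a bare host: drop scheme, "[*.]", path and port.
        host = pattern.strip().lower().split("://", 1)[-1].removeprefix("[*.]")
        host = host.split("/", 1)[0].split(":", 1)[0]
        if "." not in host:
            findings.append((pattern, "matches every site or a whole TLD"))
        elif host == PLACEHOLDER or host.endswith("." + PLACEHOLDER):
            findings.append((pattern, "sample placeholder was not replaced"))
        elif pattern.lower().startswith("http://"):
            findings.append((pattern, "plain-HTTP origin"))
        elif not any(host == d or host.endswith("." + d) for d in approved_domains):
            findings.append((pattern, "domain is not on the approved list"))
    return findings

if __name__ == "__main__":
    for pattern, reason in audit_allow_list(load_policy(SAMPLE_PLIST), {"pingone.com", "pingone.eu"}):
        print(f"{pattern}: {reason}")
```

Run it against the exact file you intend to upload to the MDM or Admin console; an empty result means every entry is an HTTPS or wildcard pattern under an approved domain.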