The PingOne MFA Integration Kit supports FIDO usernameless authentication code flow if a local identity profile (LIP) has been configured. For more information on LIPs, see Configuring local identity profiles.
Process flow
1. The PingOne MFA adapter invokes the FIDO usernameless authentication flow if the adapter is invoked using a policy.action attribute containing one of the following keywords:
   - biometrics
   - TouchID
   - FaceID
   - FIDO

   On the Authentication Sources tab of the Local Identity Profile page in the PingFederate administrative console, add the keyword that you want to use in the Authentication Source section. The following screen captures use the biometrics keyword as an example.
2. In the PingFederate administrative console, open the authentication policy that you want to use. In the Policy section, click Rules underneath the html - (Adapter). In the Rules window, configure the policy.action attribute for the keyword that you selected in step 1 (in this example, biometrics). Set the Condition to equal to and enter your selected keyword as both the Value and the Result.
To make the adapter skip the FIDO usernameless authentication flow and follow its regular authentication flow instead, pass the ignore-fido-policy-action attribute through chained attributes with the value True. When this attribute is set, the adapter ignores the FIDO policy action and follows its regular authentication flow path.
The keywords that you configured now display as options in the Sign On window.
Authentication API flow
When the authentication API flow is invoked with the useAlternativeAuthenticationSource action for biometrics, the adapter responds with the BIOMETRIC_DEVICE_AUTHENTICATION_INFO_REQUIRED state. The application must provide its host name through origin to continue with biometric device authentication. This invokes the biometric authentication flow, which transitions to the ASSERTION_REQUIRED state and requires data from the client to complete biometric authentication. The ASSERTION_REQUIRED response carries the publicKeyCredentialRequestOptions that the client passes to WebAuthn, for example:
{
  "id": "NqMl7",
  "pluginTypeId": "j_AGR1E__nc2USbRhZPMQQ",
  "status": "ASSERTION_REQUIRED",
  "devices": [],
  "publicKeyCredentialRequestOptions": {
    "challenge": [69, 43, -101, -53, -9, 63, 115, -91, -128, -112, 53, -68, -95, -69, -10, -41,
                  -33, -24, -91, -21, -70, 2, -17, 54, 86, 92, 14, 110, 59, -122, -45, -61],
    "timeout": 120000,
    "rpId": "localhost.ping-eng.com",
    "userVerification": "required",
    "allowCredentials": []
  },
  "manualPairingPermitted": false,
  "manualPairing": false,
  "userSelectedDefault": false,
  "changeDevicePermitted": false,
  "_links": {
    "cancelAuthentication": {
      "href": "https://localhost.ping-eng.com:9031/pf-ws/authn/flows/NqMl7"
    },
    "self": {
      "href": "https://localhost.ping-eng.com:9031/pf-ws/authn/flows/NqMl7"
    },
    "checkAssertion": {
      "href": "https://localhost.ping-eng.com:9031/pf-ws/authn/flows/NqMl7"
    }
  }
}
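The client-side half of the exchange above, as an added example in JavaScript that is not part of the PingOne MFA Integration Kit or PingFederate: it takes the publicKeyCredentialRequestOptions from the ASSERTION_REQUIRED response, normalizes the challenge (serialized as signed bytes, as in the sample) into the Uint8Array that navigator.credentials.get() expects, and packs the returned assertion into base64url fields for the checkAssertion link. The Content-Type and X-XSRF-Header values and the field names of the assertion body are assumptions; the page does not document the checkAssertion request format.

```javascript
// Added example, not code from the integration kit. Demonstrates how a browser
// client consumes an ASSERTION_REQUIRED response and returns the assertion.

// Constructed sample: the publicKeyCredentialRequestOptions from the response
// on the page. The challenge is serialized as signed 8-bit integers (a Java
// byte[]), so it must be normalized before WebAuthn will accept it.
const ASSERTION_REQUIRED_RESPONSE = {
  id: "NqMl7",
  status: "ASSERTION_REQUIRED",
  publicKeyCredentialRequestOptions: {
    challenge: [69, 43, -101, -53, -9, 63, 115, -91, -128, -112, 53, -68, -95, -69, -10, -41,
                -33, -24, -91, -21, -70, 2, -17, 54, 86, 92, 14, 110, 59, -122, -45, -61],
    timeout: 120000,
    rpId: "localhost.ping-eng.com",
    userVerification: "required",
    allowCredentials: []
  },
  _links: { checkAssertion: { href: "https://localhost.ping-eng.com:9031/pf-ws/authn/flows/NqMl7" } }
};

// Signed bytes (-128..127) to the unsigned Uint8Array that WebAuthn expects.
function signedBytesToUint8Array(bytes) {
  return Uint8Array.from(bytes, (b) => b & 0xff);
}

// Build the publicKey options for navigator.credentials.get(). An empty
// allowCredentials list makes the authenticator pick a discoverable (resident)
// credential itself, which is what makes the flow usernameless. Assumption:
// any allowCredentials ids would be serialized as signed bytes too.
function buildRequestOptions(opts) {
  return {
    challenge: signedBytesToUint8Array(opts.challenge),
    timeout: opts.timeout,
    rpId: opts.rpId,
    userVerification: opts.userVerification,
    allowCredentials: opts.allowCredentials.map((c) => ({
      type: c.type,
      id: signedBytesToUint8Array(c.id)
    }))
  };
}

// Base64url without padding, the encoding used for WebAuthn binary fields.
function toBase64Url(buf) {
  const bytes = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(bin, "binary").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Serialize a PublicKeyCredential assertion into JSON-safe fields. The field
// names the checkAssertion action expects are NOT documented on the page; this
// follows the common WebAuthn JSON shape and is an assumption.
function serializeAssertion(credential) {
  const r = credential.response;
  return {
    id: credential.id,
    rawId: toBase64Url(credential.rawId),
    type: credential.type,
    response: {
      clientDataJSON: toBase64Url(r.clientDataJSON),
      authenticatorData: toBase64Url(r.authenticatorData),
      signature: toBase64Url(r.signature),
      userHandle: r.userHandle ? toBase64Url(r.userHandle) : null
    }
  };
}

// Browser-only: obtain the assertion and post it to the flow's checkAssertion
// link. The header and content-type convention below is assumed.
async function completeAssertion(flow) {
  if (typeof navigator === "undefined" || !navigator.credentials) {
    throw new Error("WebAuthn is only available in a browser context");
  }
  const publicKey = buildRequestOptions(flow.publicKeyCredentialRequestOptions);
  const credential = await navigator.credentials.get({ publicKey });
  const resp = await fetch(flow._links.checkAssertion.href, {
    method: "POST",
    credentials: "include",
    headers: {
      "Content-Type": "application/vnd.pingidentity.checkAssertion+json", // assumed
      "X-XSRF-Header": "PingFederate"                                      // assumed
    },
    body: JSON.stringify(serializeAssertion(credential))
  });
  return resp.json();
}
```

The conversion in signedBytesToUint8Array is the part most often missed: passing the raw signed array to the WebAuthn API produces a challenge that does not match what the server issued, and the assertion is rejected.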
Core contract attributes
At the end of a successful authentication flow, the following core contract attributes are populated from the information in a successful PingOne check assertion API response:
- username (existing core attribute): the user name
- usernameless.flow.platform (new core attribute): the platform of the device that produced the assertion
- usernameless.flow.userid (new core attribute): the PingOne user ID

For example, for the response below, the username, usernameless.flow.platform, and usernameless.flow.userid attribute values are demouser, MAC, and 78fe678a-5ec0-49b3-bcd7-742523cb216a, respectively.
{
  "_links": {
    "self": {
      "href": "https://auth.pingone.com/23c17a79-4972-4a46-871e-9b1121823917/deviceAuthentications/0326f203-950e-418c-9cdb-829c5a4a2586"
    }
  },
  "_embedded": {
    "devices": [ {
      "id": "00528f83-ae17-459a-838e-3f1226705a3a",
      "type": "PLATFORM",
      "status": "ACTIVE",
      "rp": {
        "id": "localhost.ping-eng.com",
        "name": "PingFederate"
      },
      "fidoRegistrationArtifacts": {
        "attestationType": "SELF"
      },
      "platform": "MAC",
      "_embedded": {
        "webAuthnCredentials": {
          "credentialId": "3mP-Uv1u_9i9cM025m9SKIqfMIz-TcDgRBJR_BP8xA2BxeN6Hmgzs-s8DKYZIXbDgioqrfoLCftUp0kzeFrvHT6hAGHoe2OFoLsrx_vuLsmmREyHqoZGWVsUxFEjNqo1eEhSpsTx5YnO54GQ4H6hMRAuutyWNnlj",
          "userHandle": "plAY2tGM7kS7coi2+0DPU6xk1A63DDr2TUuYBGVfCRE=",
          "credentialPublicKey": "pQECAyYgASFYIBI_xOdmnL_OEcewdD2abF30WCmt8KJlix_8WNPIuysPIlggNxYEbOiR8NlgIEkKvrbSaJKsokXmKxS_Nl3JwT_ctfE=",
          "signCount": 0
        },
        "user": {
          "id": "78fe678a-5ec0-49b3-bcd7-742523cb216a",
          "environment": {
            "id": "23c17a79-4972-4a46-871e-9b1121823917"
          },
          "username": "demouser",
          "email": "demouser@pingidentity.com",
          "population": {
            "id": "50756a1a-1b5d-49e2-b316-b3511fdc7a9f"
          },
          "name": {
            "given": "demouser"
          }
        }
      }
    } ]
  },
  "id": "0326f203-950e-418c-9cdb-829c5a4a2586",
  "environment": {
    "id": "23c17a79-4972-4a46-871e-9b1121823917"
  },
  "status": "COMPLETED",
  "policy": {
    "id": "bc8d02b5-ba91-0fe1-195c-4cc8ea5a77a3"
  },
  "selectedDevice": {
    "id": "00528f83-ae17-459a-838e-3f1226705a3a"
  },
  "user": {
    "id": "78fe678a-5ec0-49b3-bcd7-742523cb216a"
  },
  "rp": {
    "id": "localhost.ping-eng.com"
  },
  "publicKeyCredentialRequestOptions": "{\"challenge\":[119,-85,-127,71,6,46,47,8,-58,-9,95,-94,77,-82,103,-98,87,11,-90,1,-69,-59,-33,78,-39,63,-55,-10,-101,77,-84,-126],\"timeout\":120000,\"rpId\":\"localhost.ping-eng.com\",\"allowCredentials\":[],\"userVerification\":\"required\"}",
  "authenticators": [ "mfa", "user" ],
  "createdAt": "2022-09-10T00:12:57.489Z",
  "updatedAt": "2022-09-10T00:13:02.418Z"
}
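How the three core contract attributes are derived from the check assertion response above, as an added JavaScript example that is not the adapter's own code. Beyond the plain lookup the text describes, it cross-checks the response before the values are trusted: the status must be COMPLETED, the rp id must match the rpId the relying party issued, the selectedDevice must be one of the embedded devices and be ACTIVE, and that device's embedded user must be the same user named at the top level. The function name, the sample object (abbreviated from the page's response) and the checks are assumptions about a reasonable consumer, not documented adapter behaviour.

```javascript
// Added example, not code from the PingOne MFA Integration Kit. Maps a check
// assertion response to the adapter's core contract attributes after
// validating that the response is internally consistent.

// Constructed sample: abbreviated from the check assertion response on the page.
const CHECK_ASSERTION_RESPONSE = {
  _embedded: {
    devices: [{
      id: "00528f83-ae17-459a-838e-3f1226705a3a",
      type: "PLATFORM",
      status: "ACTIVE",
      rp: { id: "localhost.ping-eng.com", name: "PingFederate" },
      platform: "MAC",
      _embedded: {
        webAuthnCredentials: { signCount: 0 },
        user: { id: "78fe678a-5ec0-49b3-bcd7-742523cb216a", username: "demouser" }
      }
    }]
  },
  id: "0326f203-950e-418c-9cdb-829c5a4a2586",
  status: "COMPLETED",
  selectedDevice: { id: "00528f83-ae17-459a-838e-3f1226705a3a" },
  user: { id: "78fe678a-5ec0-49b3-bcd7-742523cb216a" },
  rp: { id: "localhost.ping-eng.com" },
  authenticators: ["mfa", "user"]
};

// Core contract attribute names as documented on the page.
const CORE_ATTRIBUTES = {
  USERNAME: "username",
  PLATFORM: "usernameless.flow.platform",
  USER_ID: "usernameless.flow.userid"
};

// Returns the core attribute map, or throws if the response cannot be trusted.
// expectedRpId is the rpId the relying party put in the request options.
function coreAttributesFromCheckAssertion(resp, expectedRpId) {
  if (resp.status !== "COMPLETED") {
    throw new Error(`assertion not completed: status=${resp.status}`);
  }
  if (!resp.rp || resp.rp.id !== expectedRpId) {
    throw new Error(`rpId mismatch: ${resp.rp && resp.rp.id} != ${expectedRpId}`);
  }
  const devices = (resp._embedded && resp._embedded.devices) || [];
  const selectedId = resp.selectedDevice && resp.selectedDevice.id;
  const device = devices.find((d) => d.id === selectedId);
  if (!device) {
    throw new Error("selectedDevice is not present in _embedded.devices");
  }
  if (device.status !== "ACTIVE") {
    throw new Error(`selected device is ${device.status}, not ACTIVE`);
  }
  if (!device.rp || device.rp.id !== expectedRpId) {
    throw new Error("selected device is registered to a different rpId");
  }
  const user = device._embedded && device._embedded.user;
  if (!user || !resp.user || user.id !== resp.user.id) {
    throw new Error("device owner does not match the top-level user");
  }
  // The three values the adapter exposes: demouser, MAC and the user ID.
  return {
    [CORE_ATTRIBUTES.USERNAME]: user.username,
    [CORE_ATTRIBUTES.PLATFORM]: device.platform,
    [CORE_ATTRIBUTES.USER_ID]: user.id
  };
}
```

The rpId check matters most in a usernameless flow: with no username to correlate against, the response's rp and user bindings are the only evidence that the assertion belongs to this relying party and this account.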