The PingOne MFA Integration Kit supports FIDO usernameless authentication code flow if a local identity profile (LIP) has been configured. For more information on LIPs, see Configuring local identity profiles.
Process flow
- The PingOne MFA adapter invokes FIDO usernameless authentication flow if the adapter is invoked using a policy.action attribute containing the keyword biometrics.
- Configure the appropriate policy action for biometrics to the PingOne MFA adapter. When the flow is invoked with this policy action, the adapter invokes FIDO usernameless authentication flow.
- Other policy action names that trigger this flow are:
  - TouchID
  - FaceID
  - FIDO
Authentication API flow
When the authN API flow is invoked for the useAlternativeAuthenticationSource action for biometrics, the adapter responds with the BIOMETRIC_DEVICE_AUTHENTICATION_INFO_REQUIRED state.
The application must provide its host name through origin to continue with biometric device authentication. This invokes the biometric authentication flow, which transitions to the ASSERTION_REQUIRED state and requires data from the client to complete biometric authentication.
{
  "id": "NqMl7",
  "pluginTypeId": "j_AGR1E__nc2USbRhZPMQQ",
  "status": "ASSERTION_REQUIRED",
  "devices": [],
  "publicKeyCredentialRequestOptions": {
    "challenge": [69, 43, -101, -53, -9, 63, 115, -91, -128, -112, 53, -68, -95, -69, -10, -41, -33, -24, -91, -21, -70, 2, -17, 54, 86, 92, 14, 110, 59, -122, -45, -61],
    "timeout": 120000,
    "rpId": "localhost.ping-eng.com",
    "userVerification": "required",
    "allowCredentials": []
  },
  "manualPairingPermitted": false,
  "manualPairing": false,
  "userSelectedDefault": false,
  "changeDevicePermitted": false,
  "_links": {
    "cancelAuthentication": {
      "href": "https://localhost.ping-eng.com:9031/pf-ws/authn/flows/NqMl7"
    },
    "self": {
      "href": "https://localhost.ping-eng.com:9031/pf-ws/authn/flows/NqMl7"
    },
    "checkAssertion": {
      "href": "https://localhost.ping-eng.com:9031/pf-ws/authn/flows/NqMl7"
    }
  }
}
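The challenge in the ASSERTION_REQUIRED response above is an array of signed bytes, so a client has to convert it before handing the options to WebAuthn. The following is an added example, not code from the integration kit: the function name, the appHost parameter, and the checks on rpId, userVerification, and allowCredentials are assumptions of this sketch.

```javascript
// Added example; toWebAuthnRequestOptions and appHost are illustrative names.
function toWebAuthnRequestOptions(flowResponse, appHost) {
  if (flowResponse.status !== "ASSERTION_REQUIRED") {
    throw new Error("unexpected flow state: " + flowResponse.status);
  }
  const opts = flowResponse.publicKeyCredentialRequestOptions;

  // The challenge is serialized as signed bytes (-128..127); WebAuthn wants raw
  // octets. The WebAuthn spec recommends challenges of at least 16 bytes.
  if (!Array.isArray(opts.challenge) || opts.challenge.length < 16) {
    throw new Error("challenge missing or shorter than 16 bytes");
  }
  const challenge = Uint8Array.from(opts.challenge, (b) => {
    if (!Number.isInteger(b) || b < -128 || b > 127) {
      throw new Error("challenge element is not a signed byte: " + b);
    }
    return b & 0xff; // e.g. -101 becomes 155
  });

  // Simplified rpId check (exact host or parent domain, no public-suffix list);
  // the browser applies the full rule when the request is made.
  const host = String(appHost).toLowerCase();
  if (host !== opts.rpId && !host.endsWith("." + opts.rpId)) {
    throw new Error("rpId " + opts.rpId + " does not cover host " + host);
  }
  // Assumptions of this example: the usernameless flow always asks for user
  // verification and sends an empty allowCredentials list, as in the sample.
  if (opts.userVerification !== "required") {
    throw new Error("userVerification is not 'required'");
  }
  if (!Array.isArray(opts.allowCredentials) || opts.allowCredentials.length > 0) {
    throw new Error("expected empty allowCredentials for usernameless flow");
  }
  // In a browser: navigator.credentials.get({ publicKey: <returned object> })
  return { challenge, timeout: opts.timeout, rpId: opts.rpId,
           userVerification: "required", allowCredentials: [] };
}

// Constructed sample: the ASSERTION_REQUIRED response above, trimmed.
const sampleResponse = {
  status: "ASSERTION_REQUIRED",
  publicKeyCredentialRequestOptions: {
    challenge: [69, 43, -101, -53, -9, 63, 115, -91, -128, -112, 53, -68, -95, -69, -10, -41,
                -33, -24, -91, -21, -70, 2, -17, 54, 86, 92, 14, 110, 59, -122, -45, -61],
    timeout: 120000, rpId: "localhost.ping-eng.com",
    userVerification: "required", allowCredentials: [],
  },
};
```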
Core contract attributes
At the end of a successful authentication flow, the following core attributes are filled based on information found in a successful PingOne check assertion API response:
- username (existing core attribute): username
- usernameless.flow.platform (new core attribute): platform information
- usernameless.flow.userid (new core attribute): user ID
For example, for the response below, the username, usernameless.flow.platform, and usernameless.flow.userid attribute values are demouser, MAC, and 78fe678a-5ec0-49b3-bcd7-742523cb216a, respectively.
{
  "_links" : {
    "self" : {
      "href" : "https://auth.pingone.com/23c17a79-4972-4a46-871e-9b1121823917/deviceAuthentications/0326f203-950e-418c-9cdb-829c5a4a2586"
    }
  },
  "_embedded" : {
    "devices" : [ {
      "id" : "00528f83-ae17-459a-838e-3f1226705a3a",
      "type" : "PLATFORM",
      "status" : "ACTIVE",
      "rp" : {
        "id" : "localhost.ping-eng.com",
        "name" : "PingFederate"
      },
      "fidoRegistrationArtifacts" : {
        "attestationType" : "SELF"
      },
      "platform" : "MAC",
      "_embedded" : {
        "webAuthnCredentials" : {
          "credentialId" : "3mP-Uv1u_9i9cM025m9SKIqfMIz-TcDgRBJR_BP8xA2BxeN6Hmgzs-s8DKYZIXbDgioqrfoLCftUp0kzeFrvHT6hAGHoe2OFoLsrx_vuLsmmREyHqoZGWVsUxFEjNqo1eEhSpsTx5YnO54GQ4H6hMRAuutyWNnlj",
          "userHandle" : "plAY2tGM7kS7coi2+0DPU6xk1A63DDr2TUuYBGVfCRE=",
          "credentialPublicKey" : "pQECAyYgASFYIBI_xOdmnL_OEcewdD2abF30WCmt8KJlix_8WNPIuysPIlggNxYEbOiR8NlgIEkKvrbSaJKsokXmKxS_Nl3JwT_ctfE=",
          "signCount" : 0
        },
        "user" : {
          "id" : "78fe678a-5ec0-49b3-bcd7-742523cb216a",
          "environment" : {
            "id" : "23c17a79-4972-4a46-871e-9b1121823917"
          },
          "username" : "demouser",
          "email" : "demouser@pingidentity.com",
          "population" : {
            "id" : "50756a1a-1b5d-49e2-b316-b3511fdc7a9f"
          },
          "name" : {
            "given" : "demouser"
          }
        }
      }
    } ]
  },
  "id" : "0326f203-950e-418c-9cdb-829c5a4a2586",
  "environment" : {
    "id" : "23c17a79-4972-4a46-871e-9b1121823917"
  },
  "status" : "COMPLETED",
  "policy" : {
    "id" : "bc8d02b5-ba91-0fe1-195c-4cc8ea5a77a3"
  },
  "selectedDevice" : {
    "id" : "00528f83-ae17-459a-838e-3f1226705a3a"
  },
  "user" : {
    "id" : "78fe678a-5ec0-49b3-bcd7-742523cb216a"
  },
  "rp" : {
    "id" : "localhost.ping-eng.com"
  },
  "publicKeyCredentialRequestOptions" : "{\"challenge\":[119,-85,-127,71,6,46,47,8,-58,-9,95,-94,77,-82,103,-98,87,11,-90,1,-69,-59,-33,78,-39,63,-55,-10,-101,77,-84,-126],\"timeout\":120000,\"rpId\":\"localhost.ping-eng.com\",\"allowCredentials\":[],\"userVerification\":\"required\"}",
  "authenticators" : [ "mfa", "user" ],
  "createdAt" : "2022-09-10T00:12:57.489Z",
  "updatedAt" : "2022-09-10T00:13:02.418Z"
}