Configuring a PingFederate policy for passwordless authentication with FIDO biometrics

Page created: 3 Jun 2020 |

Page updated: 21 Nov 2022

| 5 min read

PingId Product

Configure a PingFederate policy for passwordless authentication with FIDO biometrics.

Before configuring PingID for passwordless authentication, make sure you:

Install the PingID Integration Kit 2.7 or later.
Download the PingID properties file.
Configure an HTML form adapter instance.
Configure a PingID Adapter instance.
(Optional) If you wish to configure the application name or application icon, do so in PingFederate . See Identify the target application.

Review the FIDO2 biometrics authentication requirements and limitations.

To use PingID as a passwordless authentication solution for federated single sign-on (SSO) with PingFederate , in PingFederate you'll need to:

Create an authentication policy contract.
Create a local identity profile and associate it with the HTML Form Adapter instance.
Create an authentication policy.

In PingFederate , create an authentication policy contract: (see also Policy Contracts).
1. In the Identity Provider tab, under AUTHENTICATION POLICIES area, click Policy Contracts.
2. Click Create New Contract.
3. In the Contract Name field, enter a name for the policy contract and click Next.
4. In the Contract Attributes tab, for each attribute you want to add, in the Extend the Contract area, type the name of the attribute and then click Add. For a list of PingID attributes, see PingID authentication attributes.
5. Click Next, and then click Done.
Create a local identity profile for passwordless authentication:
1. In the Identity Provider tab, click Identity Profiles and then click Create New Profile.
2. In the Profile Info tab, enter the following information, and then click Next:
  - Local Identity Profile Name : Enter a meaningful name for the profile.
  - Authentication Policy Contract: Select your policy contract.
3. In the Authentication Sources tab, in the Authentication Source field, enter FIDO as the name of your authentication source, click Add, and then click Next.
4. Click Done, and then click Save. The local identity profile is saved.
In the Identity Provider tab, associate the HTML Form Adapter instance with the local identity profile:
1. Click Adapters.
2. Click the HTML Form Adapter and then click the IdP Adapter tab.
3. Scroll down, and in the Local Identity Profile field, select the local identity profile that you created. Then click Done, and Save.
Create a PingFederate authentication policy for passwordless authentication. (See also Policies.)
1. In the Identity Provider tab, under Authentication Policies, click Policies.
2. In the Policies tab, ensure the IdP Authentication Policies checkbox is selected, and then click Add Policy.
3. In the Name field, enter a meaningful name for the authentication policy.
4. In the Policy dropdown, select IdP Adapters, and then select the HTML Form Adapter. A branch for the HTML Form Adapter is added to the PingFederate policy tree, and FAIL/SUCCESS fields are added.
5. Directly under the HTML Form Adapter field, click Rules. In the Rules popup window, enter the following information, and then click Done:
  - Attribute Name: Select policy.action.
  - Condition: Select equal to.
  - Value: Enter FIDO as your authentication source.
  - Result: Enter FIDO as your authentication source.
  - Default to success: Ensure the checkbox is selected.
6. In the HTML Form Adapter branch FAIL field, click Done.
7. In the HTML Form Adapter branch SUCCESS field dropdown list, select the action that you want to apply and configure it appropriately. For example:
  - If configuring the PingID Adapter (recommended), do the following:
    1. In the SUCCESS branch dropdown list, select IdP Adapters, and then select PingID Adapter. SUCCESS/FAIL fields are added to the branch.
    2. Under the PingID Adapter FAIL field, click Done.
    3. In the PingID Adapter SUCCESS field, select the local identity profile you created earlier.
    4. Under the local identity profile, click Local Identity Mapping and complete the relevant mapping. (See also Configuring contract mapping.)
      Note:
      For a list of attributes that can be used upon successful authentication with PingID, see PingID authentication attributes.
    5. Under the PingID Adapter entry, click Options and specify the following fields:
      
      Source: HTML Form Adapter
      
      Attribute: Username
  - If configuring a local identity profile:
    1. In the SUCCESS branch dropdown list, select the Local Identity Profiles, and then select the local identity profile that you created earlier.
    2. Directly under the HTML Form Adapter branch SUCCESS field, click Local Identity Mapping, complete the relevant mapping from your source to the local identity contract (see Configuring local identity mapping) and click Done.
  The FIDO policy branch is added to the policy tree.
8. In the FIDO branch:
  1. In the dropdown list, select IdP Adapters, and then select the PingID Adapter. SUCCESS/FAIL fields are added.
  2. In the FAIL field, click Done.
  3. In the SUCCESS field dropdown list, select the endpoint you require. For example:
    - Policy Contracts: Select the policy contract you created earlier and complete the relevant mapping. (See Policy Contracts.)
    - Local Identity Profiles: Select the Local Identity profile you created earlier and then complete the relevant mapping. (See Configuring local identity mapping.)
Save the PingFederate policy.
Add any further configurations, for example:
- Browser SSO: Configure IdP Browser SSO
- OAuth: OAuth configuration
To complete the passwordless configuration, see Configuring FIDO2 passwordless authentication.

Configuring a PingFederate policy for passwordless authentication with FIDO biometrics - PingID

PingID Administration Guide