PingOne Recognize

Authenticating in Auth0 with PingOne Recognize

Integrating PingOne Recognize authentication with an existing IAM requires preparation in several parts of the customer's service provider.

  • Binding Auth0 identity to a PingOne Recognize ID: This happens during PingOne Recognize enrollment. The user performs enrollment with a configuration option that accepts an idToken from Auth0. Retrieve this token via the standard Auth0 login flow.

  • Account linking: After the idToken is bound to a PingOne Recognize identity, Auth0 authentication with PingOne Recognize can succeed. However, authentication can return a different user_id unless the Auth0 user_id and the PingOne Recognize user_id are linked. Learn more in Auth0 account linking.

Configure Enterprise OIDC Connection in Auth0

Create a secure connection between PingOne Recognize and Auth0 so PingOne Recognize can be used as an Identity Provider in Auth0.

Before following this guide, contact the PingOne Recognize Delivery Team to obtain:

Step 1: Create a Connection in Auth0

  1. Sign in to Auth0 and open the Dashboard.

  2. Navigate to Authentication > Enterprise > OpenID Connect.

  3. Select Create Connection and set:

    • Name: For example, PingOne Recognize-SDK-Connection.

    • Issuer URL: The discovery URL from the Delivery Team.

  4. Test the connection with Try Connection in the Auth0 Dashboard.

Step 2: Enable the Connection for Applications

  1. In Auth0, go to Applications > Applications.

  2. Select your app, open the Connections tab, and enable the PingOne Recognize connection.

After setup, pass the Auth0 connection name in the request to the Auth0 /authorize endpoint used by your SDK flow.

This step varies by implementation. Contact PingOne Recognize Solution Engineering to choose the best approach for your setup.

Mobile Integration

Before enrollment and authentication, follow the Getting Started with the PingOne Recognize Mobile SDK guide.

Enrollment

To enroll a user:

  1. Retrieve the id_token from Auth0.

  2. Perform PingOne Recognize enrollment and provide id_token using the withIAMToken builder/API.

Android

val idToken = "..." // retrieve id_token from Auth0

val configuration = EnrollmentConfiguration.builder
    .withIAMToken(token = idToken)
    .build()

Keyless.enroll(
    enrollmentConfiguration = configuration,
    onCompletion = { result ->
        when (result) {
            is Keyless.KeylessResult.Success -> Log.d("KeylessSDK", "Enroll success - userId ${result.value.keylessId}")
            is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK", "Enroll failure - error code ${result.error.code}")
        }
    }
)

iOS

let idToken = "..." // retrieve id_token from Auth0

let configuration = Keyless.EnrollmentConfiguration.builder
    .withIAMToken(token: idToken)
    .build()

Keyless.enroll(enrollmentConfiguration: configuration) { result in
    switch result {
    case .success(let success):
        print("Enroll success - userID \(success.keylessId)")
    case .failure(let failure):
        print("Enroll failed - error \(failure.message)")
    }
}

Flutter

import 'package:keyless_flutter_sdk/keyless.dart';
import 'package:keyless_flutter_sdk/models/configurations/enrollment_configuration.dart';

final idToken = "..."; // retrieve id_token from Auth0

final configuration = BiomEnrollConfig(iamToken: idToken);

try {
  final result = await Keyless.instance.enroll(configuration);
  print("Enrollment successful. PingOne Recognize ID: ${result.keylessId}");
} catch (error) {
  print("Enrollment failed: $error");
}

After enrollment succeeds, continue with authentication.

Authentication

Before authentication:

  • Generate a cryptographically secure UUID (operationId).

  • Retrieve keylessId using getUserId().

Then:

  1. Build login_hint = <operation_id>;<keyless_id>.

  2. Authenticate with PingOne Recognize including operationId.

Android

val operationId = UUID.randomUUID().toString()
val configuration = AuthenticationConfiguration.builder
    .withOperationInfo(operationId = operationId)
    .build()

Keyless.authenticate(
    authenticationConfiguration = configuration,
    onCompletion = { result ->
        when (result) {
            is Keyless.KeylessResult.Success -> {
                val keylessId = /* Keyless.getUserId() */ "..."
                val loginHint = "$operationId;$keylessId"
                // Start Auth0 flow with PingOne Recognize connection and pass login_hint
            }
            is Keyless.KeylessResult.Failure -> {
                Log.d("KeylessSDK", "Authentication failure - error code ${result.error.code}")
            }
        }
    }
)

iOS

let operationID = UUID().uuidString
let configuration = Keyless.AuthenticationConfiguration.builder
    .withOperationInfo(id: operationID)
    .build()

Keyless.authenticate(authenticationConfiguration: configuration) { result in
    switch result {
    case .success:
        let loginHint = "\(operationID);\(try! Keyless.getUserId().get())"
        // Start Auth0 flow with PingOne Recognize connection and pass login_hint
    case .failure:
        print("Failed authentication, cannot start Auth0 login flow.")
    }
}

Flutter

import 'package:keyless_flutter_sdk/keyless.dart';
import 'package:keyless_flutter_sdk/models/configurations/authentication_configuration.dart';
import 'package:uuid/uuid.dart';

final operationId = const Uuid().v4();
final configuration = BiomAuthConfig(operationId: operationId);

try {
  final result = await Keyless.instance.authenticate(configuration);
  final keylessId = await Keyless.instance.getUserId();
  final loginHint = "$operationId;$keylessId";

  // Start Auth0 flow with PingOne Recognize connection and pass login_hint
  print("Authentication successful. Login hint: $loginHint");
} catch (error) {
  print("Authentication failed: $error");
}

After successful authentication, launch a custom tab to sign in with Auth0 and pass the login_hint query parameter.
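
The authorization request described above, as an added example (not code from the original page or from the PingOne Recognize SDK): it validates both halves of login_hint before joining them on ';', then builds the Auth0 /authorize URL with the connection name, PKCE, state and nonce. The domain, client ID, redirect URI, connection name and sample IDs are hypothetical placeholders.

```kotlin
import java.net.URLEncoder
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64

// Hypothetical placeholders (assumptions): use your own tenant, client and connection name.
const val AUTH0_DOMAIN = "example-tenant.auth0.com"
const val CLIENT_ID = "YOUR_AUTH0_CLIENT_ID"
const val REDIRECT_URI = "com.example.app://callback"
const val CONNECTION = "recognize-sdk-connection"

// state, nonce and codeVerifier must be kept by the app to check the callback and redeem the code.
data class AuthorizeRequest(val url: String, val state: String, val nonce: String, val codeVerifier: String)

private val UUID_RE = Regex("^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
private val b64 = Base64.getUrlEncoder().withoutPadding()

private fun randomToken(): String =
    b64.encodeToString(ByteArray(32).also { SecureRandom().nextBytes(it) })

// login_hint = <operation_id>;<keyless_id>. Reject input that would make the pair ambiguous.
fun buildLoginHint(operationId: String, keylessId: String): String {
    require(UUID_RE.matches(operationId)) { "operationId is not a UUID" }
    require(keylessId.isNotBlank() && ';' !in keylessId) { "keylessId is empty or contains ';'" }
    return "$operationId;$keylessId"
}

fun buildAuthorizeRequest(operationId: String, keylessId: String): AuthorizeRequest {
    val state = randomToken()
    val nonce = randomToken()
    val verifier = randomToken()
    val challenge = b64.encodeToString(
        MessageDigest.getInstance("SHA-256").digest(verifier.toByteArray(Charsets.US_ASCII)))
    val params = linkedMapOf(
        "response_type" to "code", "client_id" to CLIENT_ID,
        "redirect_uri" to REDIRECT_URI, "scope" to "openid profile",
        "connection" to CONNECTION, // selects the enterprise OIDC connection
        "login_hint" to buildLoginHint(operationId, keylessId),
        "state" to state, "nonce" to nonce,
        "code_challenge" to challenge, "code_challenge_method" to "S256")
    val query = params.entries.joinToString("&") { "${it.key}=${URLEncoder.encode(it.value, "UTF-8")}" }
    return AuthorizeRequest("https://$AUTH0_DOMAIN/authorize?$query", state, nonce, verifier)
}

fun main() {
    // Constructed sample values, not real identifiers.
    val req = buildAuthorizeRequest("123e4567-e89b-12d3-a456-426614174000", "constructed-keyless-id")
    println(req.url)
}
```

On the callback, compare the returned state with the stored value and check the nonce claim in the id_token before trusting the session.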

OpenID URL Configuration

After PingOne Recognize support grants dashboard access, configure the OpenID URL in the PingOne Recognize Dashboard:

  1. Open Access Control.

  2. Select the IDP Configuration tab, then OpenID Configuration.

  3. Set OpenID Configuration URL to a valid URL, for example:

  4. Select Save Configuration.