Prepare the server
The following example journey covers the "usernameless" authentication case. This is a simple prototype flow that does not cover all edge cases that might be present in a production environment. If WebAuthn authentication is not possible for any reason, the flow falls back to a normal login journey.
To access this configuration, you need to log in to PingOne Advanced Identity Cloud or PingAM as an administrator, and create a new journey.
- In the editor, drag the following nodes into the journey:
  - WebAuthn Registration node
  - WebAuthn Authentication node
  - Inner Tree Evaluator node
  - Two Choice Collector nodes
- Connect the nodes similar to the following example:
- Configure the nodes:
  - In both the WebAuthn Registration and WebAuthn Authentication nodes, the Return challenge as JavaScript option must be disabled.
  - In the WebAuthn Registration node, Authentication attachment must be either UNSPECIFIED or PLATFORM.
  - In the WebAuthn Registration node, enable the Username to device option.
  - In the WebAuthn Authentication node, enable the Username from device option.
  - Use Choice Collector nodes to handle the user input in case of registration failure, and to give users the option to enable biometrics for this journey.
  - Set the Relying party identifier to the domain of your PingAM instance. For example: openam.example.com.
  - If you want your users to provide a username, deactivate the Username from/to device options, and add a Username Collector node before the WebAuthn Registration node and WebAuthn Authentication node.
The WebAuthn Registration and WebAuthn Authentication nodes might result in a In order to parse the error and act upon it, make use of a Scripted Decision node to access the shared state within the journey, and read the For more information regarding the use of the Scripted Decision node, see Scripted Decision Node API Functionality in the PingAM documentation.
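As an added example (not PingAM or Ping SDK code), the following shows in WebAuthn API terms what the Relying party identifier, Authentication attachment and Username to/from device settings above control, including the check that a configured RP ID is valid for the origin serving the journey. It assumes the username is carried in the credential's user handle; all function names are hypothetical.

```javascript
// Added illustration; not PingAM or Ping SDK code. Function names are hypothetical.

// WebAuthn accepts an RP ID only when it equals the page's host or is a parent
// domain of it, and only in a secure context. Browsers additionally reject
// public suffixes such as "com"; that check needs the Public Suffix List and
// is left out here.
function rpIdMatchesOrigin(rpId, origin) {
  const url = new URL(origin);
  if (url.protocol !== "https:" && url.hostname !== "localhost") return false;
  const host = url.hostname.toLowerCase();
  const id = rpId.toLowerCase();
  return host === id || host.endsWith("." + id);
}

// Registration request for a discoverable credential. Assumption: with
// "Username to device" enabled, the username is carried in the user handle.
function buildRegistrationOptions({ rpId, username, challenge, attachment }) {
  const authenticatorSelection = { residentKey: "required" };
  if (attachment === "PLATFORM") {
    authenticatorSelection.authenticatorAttachment = "platform";
  } else if (attachment !== "UNSPECIFIED") {
    throw new Error("attachment must be UNSPECIFIED or PLATFORM: " + attachment);
  }
  return {
    rp: { id: rpId, name: rpId },
    user: { id: new TextEncoder().encode(username), name: username, displayName: username },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection,
  };
}

// Usernameless authentication request: an empty allowCredentials list lets the
// authenticator offer any discoverable credential it holds for this RP ID.
function buildAuthenticationOptions({ rpId, challenge }) {
  return { rpId, challenge, allowCredentials: [] };
}

// "Username from device": read the user handle returned with the assertion.
// Returns null when no handle is present, so the journey can fall back to a
// normal login.
function usernameFromAssertion(assertion) {
  const handle = assertion.response.userHandle;
  if (!handle || handle.byteLength === 0) return null;
  return new TextDecoder().decode(handle);
}
```

In a browser, these objects are what is passed as `publicKey` to `navigator.credentials.create()` and `navigator.credentials.get()`.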