Use Cases

Enabling passwordless authentication in a PingFederate authentication policy

About this task

To enable passwordless authentication in a PingFederate authentication policy:

Steps

  1. Optional: Create a policy contract:

    1. Go to Authentication → Policies → Policy Contracts.

    2. Click Create New Contract.

    3. Give the policy contract an appropriate name for the storage of attribute data. Click Next.

    4. If required, specify any attributes in addition to the subject attribute that will be reused later in OAuth-OpenID Connect (OIDC) or SAML-WS-Federation processing. Click Next.

    5. On the Summary page, click Save.

  2. Create a local identity profile (LIP):

    1. Go to Authentication → Policies → Local Identity Profiles.

    2. Click Create New Profile.

    3. On the Profile Info tab, in the Local Identity Profile Name field, enter an appropriate name for the passwordless authentication processing.

    4. In the Authentication Policy Contract list, select an appropriate policy contract. If you created a new one, specify the policy contract from step 1. Click Next.

    5. For Authentication Sources, select Security Key and click Add. Click Next.

    6. On the Summary page, click Save.

  3. Add the LIP to an available HTML Form IdP Adapter:

    1. Go to Authentication → Integration → IdP Adapters and select an available HTML Form IdP Adapter to use within PingFederate’s authentication policy that will contain a Passwordless Security Key option.

    2. Click IdP Adapter.

    3. Scroll down to the Local Identity Profile section, and in the list, select the LIP that you created in step 2.

    4. Click Save.

  4. Create an authentication policy:

    1. Go to Authentication → Policies → Policies.

    2. Click Add Policy.

    3. Give the authentication policy an appropriate name for the passwordless authentication process that will be performed.

    4. In the Policy list, select the HTML Form IdP Adapter that you added the LIP to in step 3.

    5. Under the HTML Form IdP Adapter that you selected, click Rules and specify the appropriate values.

      Case sensitivity is important.

    6. Click Done.

    7. For the Fail branch off of the HTML Form IdP Adapter, click Done.

    8. For the Security Key branch, select the PingID Adapter.

    9. In the Fail branch off of the PingID Adapter, click Done.

    10. For the Success branch of the PingID Adapter, select the policy contract that you specified in step 2d.

    11. Perform the Contract Mapping to fulfill the Policy Contract Attributes. Click Done to return to the Policy tree when complete.

    12. In the last Success branch (the branch where Security Key is not selected), select the PingID Adapter.

    13. Under PingID Adapter, click Options.

    14. Select the appropriate attribute to provide to PingID to verify the registration status of the user performing the transaction. Click Done.

    15. For the Fail branch, click Done.

    16. For the Success branch of the non-passwordless PingID flow, select the Policy Contract that you specified in step 2d.

    17. Perform the Contract Mapping to fulfill the Policy Contract Attributes. Click Done to return to the Policy tree when complete.

    18. Click Done to return to the main Policy list selection.

    19. Move the authentication policy to the desired location in the list.

    20. Click Save.