.. config-pingone.rst
.. _configure-pingone:
============================
Configuring PingOne PingID
============================
The following sections describe the configuration steps required in PingOne PingID. If you are using *PingOne AIC*, see :ref:`configure-pingaic`.

FIDO Policy Authentication
=============================

.. note:: You will need a user with the *Authentication Policy Administrator* role in PingOne PingID to complete the configuration steps.

To configure the PingOne PingID authentication policies, do the following:

1. Sign in to the `PingOne PingID `_ console.
2. Go to **Authentication** > **FIDO Policies**.
3. Click **+** to create a policy, or click the **Edit** icon for the desired policy in the **Enhanced FIDO Policies** section.
4. Configure the policy as follows:

   * **Device Display Name:** For example “Security Key”. Controls how the FIDO authenticator is displayed to the user. Use “Label” for a static, non-translated name, or “Translatable Keys” for a localized display of the device name.
   * **FIDO Device Aggregation:** When set to “On” (recommended), all devices of the same type (for example security keys) appear as one entry with a single display name during user authentication. When set to “Off”, each device is listed separately with its unique name.
   * **Relying Party ID:** Specifies the domain identifier that Ping Identity asserts as the FIDO authenticator's origin during registration and sign-in. Select “PingOne” to use a standard PingOne domain such as “pingone.com”.
   * **Discoverable Credentials:** Controls whether the FIDO policy encourages or enforces the use of passkeys (resident credentials) that are stored directly on the authenticator itself. Select “Preferred”.
   * **Authenticator Attachment:** Defines which physical type of FIDO authenticator the policy allows a user to register and use. Select “Cross-platform” to require an external device such as a USB security key or a phone.
   * **Manage verification settings:** Controls whether the authenticator must enforce a secondary verification factor, such as a PIN or biometric scan, for high assurance.
   * **User Verification:** Selecting “Preferred” is recommended to avoid blocking users. Contact your Yubico Professional Services team to discuss options for this setting in your specific environment.
   * **Enforce PIN Length:** Select “Disabled”.
   * Select **Enforce During Authentication**.
   * **User Presence Timeout:** Defines the maximum duration (minutes or seconds) that PingOne PingID waits for the user to interact with their FIDO authenticator after the challenge is issued. Set this to, for example, “2 Minutes”.
   * **Backup Eligibility:** Defines whether the FIDO policy allows authentication using cloud-synced passkeys. Select “Disallow” (recommended).
   * **User Display Name:** Defines the text the FIDO authenticator displays to the user for account selection during sign-in. Select, for example, “Email Address”, “Name (Given, Family)”, or “Username”.
   * **Attestation Type:** Determines the level of cryptographic proof required from the FIDO authenticator during registration to confirm the device's legitimacy and origin. Select “Direct” (recommended).
   * **Attestation Requirements:** Select “Allow FIDO Certified Authenticators”. If specific YubiKey models or AAGUIDs are required, search for “YubiKey” and select the desired YubiKey models from the list that is displayed. See `YubiKey hardware FIDO2 AAGUIDs `_.

5. Click **Save**.

For more information about PingOne PingID policies, see `FIDO Policies (PingOne PingID documentation) `_.
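As an added illustration, not part of the PingOne documentation or of the Yubico FIDO Pre-reg service, the following Python shows what several of the policy settings above amount to at the WebAuthn protocol level: it parses the authenticator data returned at registration and checks the Relying Party ID hash (assumed here to be “pingone.com”), the User Verification flag, the Backup Eligibility flag that a “Disallow” setting rejects, and the AAGUID against an allow-list of the kind the Attestation Requirements setting builds. The AAGUIDs and the sample registrations are constructed placeholders, not real YubiKey identifiers; the CBOR-encoded COSE public key and the attestation statement signature are left undecoded, which a real relying party must also verify.

```python
"""Check WebAuthn registration data against FIDO-policy-style rules (added example)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

# Bit positions of the WebAuthn authenticator-data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_BE = 0x08  # backup eligible: credential may be synced to the cloud
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data (AAGUID, credential id, key) follows
FLAG_ED = 0x80  # extension data follows

# Placeholder AAGUIDs constructed for this example; they are NOT real YubiKey AAGUIDs.
# Real values come from Yubico's published AAGUID list referenced in the text above.
PLACEHOLDER_YUBIKEY_AAGUID = bytes.fromhex("00000000000000000000000000000001")
PLACEHOLDER_OTHER_AAGUID = bytes.fromhex("00000000000000000000000000000002")


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]
    credential_public_key: Optional[bytes]  # raw COSE key (CBOR) bytes, left undecoded


def parse_authenticator_data(data: bytes) -> AuthenticatorData:
    """Parse the 37-byte header and, when the AT flag is set, the attested credential data."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = credential_id = public_key = None
    offset = 37
    if flags & FLAG_AT:
        if len(data) < offset + 18:
            raise ValueError("truncated attested credential data")
        aaguid = data[offset:offset + 16]
        (cred_len,) = struct.unpack(">H", data[offset + 16:offset + 18])
        offset += 18
        if len(data) < offset + cred_len:
            raise ValueError("credential id length exceeds remaining data")
        credential_id = data[offset:offset + cred_len]
        offset += cred_len
        public_key = data[offset:]  # remainder is the COSE key (plus extensions if ED is set)
    return AuthenticatorData(rp_id_hash, flags, sign_count, aaguid, credential_id, public_key)


def policy_violations(ad: AuthenticatorData, rp_id: str, allowed_aaguids: Set[bytes],
                      require_uv: bool, disallow_backup_eligible: bool) -> List[str]:
    """Return the reasons a registration fails the policy; an empty list means accept."""
    problems = []
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match the configured Relying Party ID")
    if not ad.flags & FLAG_UP:
        problems.append("user presence (UP) not asserted")
    if require_uv and not ad.flags & FLAG_UV:
        problems.append("user verification (UV) required by policy but not asserted")
    if disallow_backup_eligible and ad.flags & FLAG_BE:
        problems.append("credential is backup-eligible (synced passkey); Backup Eligibility is Disallow")
    if ad.aaguid is None:
        problems.append("no attested credential data, so the authenticator model cannot be checked")
    elif allowed_aaguids and ad.aaguid not in allowed_aaguids:
        problems.append("AAGUID is not in the allowed authenticator list")
    return problems


def build_sample_authenticator_data(rp_id: str, flags: int, aaguid: bytes,
                                    credential_id: bytes, cose_key: bytes = b"\xa0") -> bytes:
    """Construct test authenticator data; the byte 0xA0 (empty CBOR map) stands in for the key."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags | FLAG_AT])
            + struct.pack(">I", 1) + aaguid + struct.pack(">H", len(credential_id))
            + credential_id + cose_key)


def demo() -> dict:
    """Evaluate two constructed registrations under settings resembling those in the text."""
    policy = dict(rp_id="pingone.com", allowed_aaguids={PLACEHOLDER_YUBIKEY_AAGUID},
                  require_uv=False, disallow_backup_eligible=True)  # UV "Preferred", backup "Disallow"
    hardware_key = build_sample_authenticator_data(
        "pingone.com", FLAG_UP | FLAG_UV, PLACEHOLDER_YUBIKEY_AAGUID, b"\x01" * 16)
    synced_passkey = build_sample_authenticator_data(
        "pingone.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, PLACEHOLDER_OTHER_AAGUID, b"\x02" * 16)
    return {
        "hardware_key": policy_violations(parse_authenticator_data(hardware_key), **policy),
        "synced_passkey": policy_violations(parse_authenticator_data(synced_passkey), **policy),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", "accepted" if not problems else problems)
```

The constructed hardware-key registration passes, while the synced-passkey registration is rejected twice: once for the BE flag and once for its unknown AAGUID. Treating an unknown AAGUID as a violation only works when Attestation Type is “Direct”; with attestation “none” the AAGUID is zeroed and the model check has nothing to verify.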
Enabling On-Behalf of Registration
====================================

.. note:: You will need a user with the *Application Administrator* role in PingOne PingID to complete the configuration steps.

Creating an Application
-------------------------

To register a FIDO Pre-reg service application in PingOne PingID, do the following:

1. Sign in to the `PingOne PingID `_ console.
2. Go to **Applications** > **Applications**.
3. Click **+** next to **Applications** to add a new application.
4. Provide a descriptive **Application name**, for example “Yubico FIDO Pre-reg Service”.
5. Select “Worker” as the **Application Type**.
6. Click **Save**.

Granting Role to Worker App
------------------------------

To add a role after the Worker app has been registered successfully, do the following:

1. In the PingOne PingID console, click **Grant Roles**, or go to **Roles**.
2. From the **Available responsibilities**, expand the **Identity Data Admin** role.
3. Select the appropriate **Environment**.
4. Click **Save**.

.. _enable-worker-app:

Enabling the Worker App
-------------------------

To enable the successfully registered Worker app, do the following:

1. In the PingOne PingID console, go to the **Overview** tab of the Worker app.
2. Save the **Client ID** value; it is used later for the ``FIDO_Connector_Ping_Client_Id`` parameter.
3. Save the **Client Secret** value; it is used later for the ``FIDO_Connector_Ping_Client_Secret`` parameter.
4. Save the **Environment ID** value; it is used later for the ``PINGONE_ENVIRONMENT`` parameter.
5. Enable the Worker app by switching the **Enable** toggle on.

For more information, see `Adding an application `_ and `Configuring roles for a worker application `_ (PingOne PingID documentation).