.. integration-procedure.rst

========================
Integration Procedure
========================

The following provides an overview of the steps to get started using FIDO Pre-reg with Microsoft Azure components and PingOne PingID/AIC, and to create a shipment of a pre-enrolled YubiKey.

.. _prerequisites:

Prerequisites
===============

Ensure you have the following before starting the implementation procedure:

* Provided by Yubico:

  * A `Yubico subscription plan `_. For questions about Yubico subscription services, contact your Yubico sales representative.
  * Yubico `Customer Portal `_ access with FIDO Pre-reg enabled. This is provided during onboarding of your organization.
  * Customization ID (CID), Product ID, and Inventory ID for the YubiKey delivery.
  * An ARM (Azure Resource Manager) template JSON file and a Docker image for deploying components in Azure.
  * Credentials for the Yubico container registry for the FIDO Connector app.
  * An Azure Resource Group permissions template.
  * PingOne Ping AIC Journey configuration templates.

* A PingOne PingID or PingOne AIC instance with FIDO2 passkeys/security keys support.
* An Azure Portal Subscription with a Resource group supporting the Container app, Azure table, Key Vault, and Logic App resource types.
* An Office 365 License or another preferred email service to send PINs to end users.
* A defined method for sourcing shipping addresses for the YubiKey recipients.
* A defined preference for how recipients will receive YubiKey PINs, for example via email.
* The following administrative roles are required for the implementation:

  * *Authentication Policy Administrator* role in PingOne PingID/AIC.
  * *Application Administrator* role in PingOne PingID/AIC.
  * *Application Administrator* role in Microsoft Entra ID.
  * *Authentication Policy Administrator* role in Microsoft Entra ID.
  * *Global Administrator* role in Microsoft Entra ID.
  * *Privileged Role Administrator* role in Azure.

Integration Steps
===================

.. note::
   Currently, an instance of the FIDO Connector can only be configured for one IdP at a time, either Microsoft Entra ID or PingOne PingID/AIC. By default, the FIDO Connector is configured to be used with Microsoft Entra ID. To change this to PingOne PingID/AIC, see :ref:`config-container-app`.

The following steps let you set up the FIDO Pre-reg integration and create a first shipment of a pre-enrolled YubiKey:

1. Configure PingOne for policy authentication and on-behalf-of registration, using either one of the following:

   * :ref:`Configure PingOne PingID `
   * :ref:`Configure PingOne AIC `

2. :ref:`Configure Microsoft Entra ID ` to enable container authentication.
3. :ref:`Deploy Azure components ` such as Resource group and ARM template.
4. :ref:`Test and verify the deployment ` using, for example, a Test client.
5. :ref:`Create shipment of a pre-enrolled YubiKey ` from your organization’s IT environment.

The following sections describe each step in detail.