Configuring PingOne PingID

The following sections describe the configuration steps required in PingOne PingID. If you are using PingOne AIC, see Configuring PingOne AIC.

FIDO Policy Authentication

Note

You will need a user with the Authentication Policy Administrator role in PingOne PingID to complete the configuration steps.

To configure the PingOne PingID authentication policies, do the following:

  1. Sign in to the PingOne PingID console.
  2. Go to Authentication > FIDO Policies.
  3. Click + to create a policy, or click the Edit icon for the desired policy in the Enhanced FIDO Policies section.
  4. Configure the policy as follows:
    • Device Display Name: Controls how the FIDO authenticator is displayed to the user, for example “Security Key”. Use “Label” for a static, non-translated name, or “Translatable Keys” for a localized display of the device name.
    • FIDO Device Aggregation: When set to “On” (recommended), all devices of the same type (for example security keys) appear as one entry using a single display name during user authentication. When set to “Off”, each device is listed separately with its unique name.
    • Relying Party ID: Specifies the domain identifier that Ping Identity asserts as the relying party’s origin during FIDO registration and sign-in. Select “PingOne” to use a standard PingOne domain such as “pingone.com”.
    • Discoverable Credentials: Controls whether the FIDO policy encourages or enforces the use of passkeys (resident credentials) that are stored directly on the authenticator itself. Select “Preferred”.
    • Authenticator Attachment: Defines which physical type of FIDO authenticator the policy allows a user to register and use. Select “Cross-platform” to require an external device like a USB security key or a phone.
    • Manage verification settings: Controls whether the authenticator must enforce a secondary verification factor like a PIN, or biometric scan, for high assurance.
      • User Verification: Selecting “Preferred” is recommended to avoid blocking users. Contact your Yubico Professional Services team to discuss options for this setting in your specific environment.
      • Enforce PIN Length: Select “Disabled”.
      • Select “Enforce During Authentication”.
    • User Presence Timeout: Defines the maximum duration (minutes or seconds) that PingOne PingID will wait for the user to interact with their FIDO authenticator after the challenge is issued. Set to a value such as “2 Minutes”.
    • Backup Eligibility: Defines whether the FIDO policy allows authentication using cloud-synced passkeys. Select “Disallow” (recommended).
    • User Display Name: Defines the text the FIDO authenticator displays to the user for account selection during sign-in. Select one of the available attributes, for example “Email Address”, “Name (Given, Family)” or “Username”.
    • Attestation Type: Determines the level of cryptographic proof required from the FIDO authenticator during the registration process to confirm the device’s legitimacy and origin. Select “Direct” (recommended).
    • Attestation Requirements: Select “Allow FIDO Certified Authenticators”. If specific YubiKey models or AAGUIDs are required, search for “YubiKey”, and select the desired YubiKey models in the list that is displayed. See YubiKey hardware FIDO2 AAGUIDs.
  5. Click Save.

For more information about PingOne PingID policies, see FIDO Policies (PingOne PingID documentation).
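Several of the settings above (Relying Party ID, User Verification, Backup Eligibility, Attestation Requirements) correspond directly to fields in the WebAuthn authenticator data that a relying party receives at registration. The following Python is an added illustration of what those settings enforce at the protocol level; it is not PingOne PingID or Yubico code and does not show how PingOne implements its policy engine. The flag bit positions and the authenticator-data layout are taken from the WebAuthn specification; the AAGUIDs and credential ID are constructed placeholders (not real YubiKey AAGUIDs), and the COSE public key is skipped rather than parsed.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Bits of the WebAuthn authenticator-data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data (AAGUID, credential id, public key) present


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]


@dataclass(frozen=True)
class FidoPolicy:
    rp_id: str                         # Relying Party ID
    user_verification: str             # "required" | "preferred" | "discouraged"
    backup_eligibility: str            # "allow" | "disallow"
    allowed_aaguids: FrozenSet[bytes]  # empty set = any authenticator


def parse_auth_data(data: bytes) -> AuthData:
    """Parse the fixed 37-byte header and, if present, the attested credential data."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than 37-byte header")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = credential_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("truncated attested credential data")
        aaguid = data[37:53]
        (cred_len,) = struct.unpack(">H", data[53:55])
        credential_id = data[55:55 + cred_len]
        if len(credential_id) != cred_len:
            raise ValueError("truncated credential id")
        # The COSE-encoded public key (and any extensions) follow; the policy
        # checks below do not need them, so they are left unparsed here.
    return AuthData(rp_id_hash, flags, sign_count, aaguid, credential_id)


def evaluate_registration(policy: FidoPolicy, raw_auth_data: bytes) -> List[str]:
    """Return the policy violations for one registration; an empty list means accepted."""
    ad = parse_auth_data(raw_auth_data)
    failures = []
    if ad.rp_id_hash != hashlib.sha256(policy.rp_id.encode()).digest():
        failures.append("rpIdHash does not match the policy Relying Party ID")
    if not ad.flags & FLAG_UP:
        failures.append("user presence (UP) flag not set")
    if policy.user_verification == "required" and not ad.flags & FLAG_UV:
        failures.append("user verification required but UV flag not set")
    if policy.backup_eligibility == "disallow" and ad.flags & (FLAG_BE | FLAG_BS):
        failures.append("credential is backup-eligible or synced; policy disallows cloud-synced passkeys")
    if ad.aaguid is None:
        failures.append("registration carries no attested credential data")
    elif policy.allowed_aaguids and ad.aaguid not in policy.allowed_aaguids:
        failures.append("AAGUID " + ad.aaguid.hex() + " is not on the allow-list")
    return failures


def build_auth_data(rp_id: str, flags: int, sign_count: int, aaguid: bytes, credential_id: bytes) -> bytes:
    """Assemble constructed authenticator data for the samples below (placeholder public key)."""
    fake_cose_key = b"\xa5"  # single placeholder byte, not a valid COSE key
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags | FLAG_AT])
            + struct.pack(">I", sign_count)
            + aaguid
            + struct.pack(">H", len(credential_id))
            + credential_id
            + fake_cose_key)


# Constructed sample values; these AAGUIDs are placeholders, not real YubiKey AAGUIDs.
SAMPLE_AAGUID = bytes.fromhex("00000000000000000000000000000001")
OTHER_AAGUID = bytes.fromhex("00000000000000000000000000000002")
CRED_ID = b"constructed-credential-id"

# Policy mirroring the recommended settings above: RP ID pingone.com, UV preferred,
# cloud-synced passkeys disallowed, only the listed AAGUID accepted.
POLICY = FidoPolicy("pingone.com", "preferred", "disallow", frozenset({SAMPLE_AAGUID}))

# A hardware key: UP and UV set, no backup flags.
HARDWARE_KEY_REGISTRATION = build_auth_data("pingone.com", FLAG_UP | FLAG_UV, 1, SAMPLE_AAGUID, CRED_ID)
# A cloud-synced passkey: UP, UV, BE and BS set; rejected by "Disallow".
SYNCED_PASSKEY_REGISTRATION = build_auth_data("pingone.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0, SAMPLE_AAGUID, CRED_ID)
# A hardware key whose AAGUID is not on the allow-list.
UNLISTED_KEY_REGISTRATION = build_auth_data("pingone.com", FLAG_UP | FLAG_UV, 1, OTHER_AAGUID, CRED_ID)

if __name__ == "__main__":
    for name, sample in [("hardware key", HARDWARE_KEY_REGISTRATION),
                         ("synced passkey", SYNCED_PASSKEY_REGISTRATION),
                         ("unlisted key", UNLISTED_KEY_REGISTRATION)]:
        print(name, "->", evaluate_registration(POLICY, sample) or "accepted")
```

With User Verification set to “Preferred” the UV flag is recorded but never blocks a registration, which is why the guide recommends it to avoid locking users out; switching the policy to “required” in the example turns a missing UV flag into a rejection. The backup check looks at both BE and BS because an authenticator that reports eligibility for syncing is already outside what “Disallow” permits, even before the credential is actually backed up.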

Enabling On-Behalf of Registration

Note

You will need a user with the Application Administrator role in PingOne PingID to complete the configuration steps.

Creating an Application

To register a FIDO Pre-reg service application in PingOne PingID, do the following:

  1. Sign in to the PingOne PingID console.
  2. Go to Applications > Applications.
  3. Click + next to Applications to add a new application.
  4. Provide a descriptive Application name, for example “Yubico FIDO Pre-reg Service”.
  5. Select “Worker” as the Application Type.
  6. Click Save.

Granting Role to Worker App

To add a role after successful registration of the Worker app, do the following:

  1. In the PingOne PingID console, click Grant Roles, or go to Roles.
  2. From the Available responsibilities, expand the Identity Data Admin role.
  3. Select the appropriate Environment.
  4. Click Save.

Enabling the Worker App

To enable the successfully registered Worker app, do the following:

  1. In the PingOne PingID console for the worker app, go to the Overview tab.
  2. Save the Client ID value to be used later for the FIDO_Connector_Ping_Client_Id parameter.
  3. Save the Client Secret value to be used later for the FIDO_Connector_Ping_Client_Secret parameter.
  4. Save the Environment ID value to be used later for the PINGONE_ENVIRONMENT parameter.
  5. Enable the Worker app by setting the Enable toggle to on.

For more information, see Adding an application and Configuring roles for a worker application (PingOne PingID documentation).