Integration Procedure

The following provides an overview of the steps for getting started with FIDO Pre-reg using Microsoft Azure components and PingOne PingID/AIC, and for creating a shipment of a pre-enrolled YubiKey.

Prerequisites

Ensure you have the following before starting the implementation procedure:

  • Provided by Yubico:
    • A Yubico subscription plan. For questions about Yubico subscription services, contact your Yubico sales representative.
    • Yubico Customer Portal access with FIDO Pre-reg enabled. This is provided during onboarding of your organization.
    • Customization ID (CID), Product ID, and Inventory ID for the YubiKey delivery.
    • An ARM (Azure Resource Manager) template JSON file and a Docker image for deploying components in Azure.
    • Credentials for the Yubico container registry for the FIDO Connector app.
    • An Azure Resource Group permissions template.
    • PingOne Ping AIC Journey configuration templates.
  • A PingOne PingID or PingOne AIC instance with FIDO2 passkeys/security keys support.
  • An Azure Portal Subscription with a Resource group supporting the Container app, Azure table, Key Vault, and Logic App resource types.
  • An Office 365 License or another preferred email service to send PINs to end users.
  • A defined method for sourcing shipping addresses for the YubiKey recipients.
  • A defined preference for how recipients will receive YubiKey PINs, for example via email.
  • The following administrative roles are required for the implementation:
    • Authentication Policy Administrator role in PingOne PingID/AIC.
    • Application Administrator role in PingOne PingID/AIC.
    • Application Administrator role in Microsoft Entra ID.
    • Authentication Policy Administrator role in Microsoft Entra ID.
    • Global Administrator role in Microsoft Entra ID.
    • Privileged Role Administrator role in Azure.

Integration Steps

Note

Currently, an instance of the FIDO Connector can only be configured for one IdP at a time, either Microsoft Entra ID or PingOne PingID/AIC. By default, the FIDO Connector is configured for use with Microsoft Entra ID. To change this to PingOne PingID/AIC, see Configuring Environment Variables.

The following steps let you set up the FIDO Pre-reg integration and create a first shipment of a pre-enrolled YubiKey:

  1. Configure PingOne for policy authentication and on-behalf-of registration, either one of the following:
  2. Configure Microsoft Entra ID to enable container authentication.
  3. Deploy Azure components such as Resource group and ARM template.
  4. Test and verify the deployment using, for example, a test client.
  5. Create shipment of a pre-enrolled YubiKey from your organization’s IT environment.
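As an added example that is not part of Yubico's documentation or of the ARM template it supplies, the following shell script shows how step 3 is typically driven from the Azure CLI: create the resource group, validate the supplied ARM template against it, deploy it, and confirm the provisioning state before moving on to the test client in step 4. The resource group name, region, and template and parameter file names are assumptions; replace them with the values provided during onboarding. Validating before creating is the check worth keeping, since it surfaces schema and parameter errors without provisioning anything.

```shell
#!/usr/bin/env bash
# Added example: deploy the Yubico-supplied ARM template with the Azure CLI.
# Resource group name, region and file names are assumptions, not values from
# the documentation; the template and parameter files come from Yubico.
set -eu

RG="${RG:-rg-fido-prereg}"                       # assumed resource group name
LOCATION="${LOCATION:-westeurope}"               # assumed Azure region
TEMPLATE="${TEMPLATE:-fido-prereg.json}"         # assumed ARM template file name
PARAMS="${PARAMS:-fido-prereg.parameters.json}"  # assumed parameter file name
DEPLOYMENT="${DEPLOYMENT:-fido-prereg-$(date +%Y%m%d%H%M%S)}"

# Return 0 only when the provisioning state reported by Azure means success.
provisioning_ok() {
  [ "$1" = "Succeeded" ]
}

# Fail early if a required input file is missing or unreadable, so az does
# not error part-way through the deployment.
check_inputs() {
  f=""
  for f in "$@"; do
    [ -r "$f" ] || { echo "missing input file: $f" >&2; return 1; }
  done
}

deploy() {
  check_inputs "$TEMPLATE" "$PARAMS"

  az group create --name "$RG" --location "$LOCATION" --output none

  # Validate first: catches schema and parameter errors without creating resources.
  az deployment group validate \
    --resource-group "$RG" \
    --template-file "$TEMPLATE" \
    --parameters "@$PARAMS" \
    --output none

  az deployment group create \
    --name "$DEPLOYMENT" \
    --resource-group "$RG" \
    --template-file "$TEMPLATE" \
    --parameters "@$PARAMS" \
    --output none

  # Read back the final state rather than trusting the create call's exit code alone.
  state=$(az deployment group show \
    --name "$DEPLOYMENT" \
    --resource-group "$RG" \
    --query properties.provisioningState \
    --output tsv)

  if provisioning_ok "$state"; then
    echo "deployment $DEPLOYMENT in $RG: $state"
  else
    echo "deployment $DEPLOYMENT in $RG ended in state '$state'" >&2
    return 1
  fi
}

# Only run the deployment when invoked as: ./deploy.sh deploy
if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

Run it with an account that holds only the permissions in the Azure Resource Group permissions template listed under Prerequisites; the script needs nothing beyond contributor rights on the one resource group.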

The following sections describe each step in detail.