Configuring YubiEnroll with PingID PingOne

The following describes how to set up YubiEnroll in the PingID PingOne tenant and configure the required user permissions.

Configuration Steps

The configuration steps involve the following:

  1. Registering the YubiEnroll App
  2. Configuring Permissions
  3. Preparing to Add the PingOne Provider
  4. (Optional) Enabling MFA and FIDO2 Policies
  5. (Optional) Using Custom Domains

When you have successfully completed these steps, you are ready to enroll YubiKeys on behalf of end users in your organization.

Registering the YubiEnroll App

Register the YubiEnroll app as an OAuth2 app. Complete the steps:

  1. Create a new application.

    1. Log in to the PingOne Console.
    2. From the left panel, select Applications.
    3. Click the plus (+) to add a new application.
    4. Enter an Application Name. The example shows YubiEnroll-Demo-Worker-App.
    5. Select Application Type, Worker.
    6. Click Save.
  2. Set the Configuration.

    1. Select the Configuration tab.

    2. In OIDC Settings, select:

      • Response Type, check Code.

      • Grant Type:

        • Check Authorization Code
        • Select PKCE Enforcement under Authorization Code, S256_REQUIRED.
        • Check Refresh Token.
    3. Enter a Redirect URI. For example, http://localhost:9443/yubienroll-callback.

      You must specify a port if you are not using URI patterns. PingOne matches the redirect URI exactly, so the value entered here must be identical to the Redirect URI you later enter in the YubiEnroll provider configuration.

    4. Select Token Endpoint Authentication Method, None.

      YubiEnroll runs on the administrator's workstation as a public client and holds no client secret. The token request is instead bound to the authorization request by the PKCE code verifier, which is why PKCE Enforcement is set to S256_REQUIRED in the previous step.

    5. Click Save.

  3. Activate the app. Click the activation toggle On.


For PingOne source content, see PingOne Adding an Application.

Configuring Permissions

To enroll YubiKeys on behalf of end users, the YubiEnroll app user (for example, an IT admin) must hold the PingOne roles Identity Data Admin and Environment Admin. Both roles are assigned per environment, so grant them only for the environment that contains the YubiEnroll application and the users being enrolled.

Preparing to Add the PingOne Provider

When adding a provider configuration in YubiEnroll you need the following values from PingOne. These were created in step Registering the YubiEnroll App.

  1. From the PingOne Console, select the YubiEnroll app you created. The example name is YubiEnroll-Demo-Worker-App.

  2. Locate the required values:

    Item            Location
    Client ID       General section
    Environment ID  General section
    Redirect URI    OIDC Settings section
    custom_domain   Optional. The custom domain, if one is configured (see Using Custom Domains).
    policy_id       Optional. The ID of a non-default MFA policy (see Enabling MFA and FIDO2 Policies).

    Most of the values are listed on the Configuration tab.


To add PingOne in YubiEnroll, see Adding Provider Configurations.
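The following is an added example, not YubiEnroll's own code, showing what the settings from Registering the YubiEnroll App and the values from Preparing to Add the PingOne Provider amount to at the protocol level: an authorization-code flow with S256 PKCE for a public client (no client secret) that receives the callback on the loopback redirect URI. It assumes the PingOne authorization server paths /as/authorize and /as/token under https://auth.pingone.com/<environment_id> (and directly under a custom domain when one is configured, as described in Using Custom Domains); the client, environment and state values are constructed demo values.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass(frozen=True)
class PingOneProvider:
    """The values gathered in 'Preparing to Add the PingOne Provider'."""
    client_id: str
    environment_id: str
    redirect_uri: str
    custom_domain: Optional[str] = None  # optional, see Using Custom Domains
    policy_id: Optional[str] = None      # optional MFA policy; not part of the OAuth flow

    def base_url(self) -> str:
        # Assumption: PingOne serves its authorization server under
        # https://auth.pingone.com/<environment_id>/as, and a custom domain
        # replaces the host and the environment segment together.
        if self.custom_domain:
            return f"https://{self.custom_domain}/as"
        return f"https://auth.pingone.com/{self.environment_id}/as"


def new_code_verifier() -> str:
    """RFC 7636 verifier: 43 unpadded base64url characters from 32 random bytes."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize_url(p: PingOneProvider, state: str, verifier: str, scope: str = "openid") -> str:
    """Step 1: the URL the admin's browser is sent to (Response Type = Code)."""
    params = {
        "response_type": "code",
        "client_id": p.client_id,
        "redirect_uri": p.redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",  # matches PKCE Enforcement = S256_REQUIRED
    }
    return f"{p.base_url()}/authorize?{urlencode(params)}"


def parse_callback(p: PingOneProvider, callback_url: str, expected_state: str) -> str:
    """Step 2: validate the redirect back to the loopback listener and extract the code."""
    u = urlparse(callback_url)
    if f"{u.scheme}://{u.netloc}{u.path}" != p.redirect_uri:
        raise ValueError("callback arrived on a URI other than the registered redirect URI")
    q = parse_qs(u.query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"][0]


def token_request(p: PingOneProvider, code: str, verifier: str) -> Tuple[str, Dict[str, str]]:
    """Step 3: endpoint and form body for POST /as/token. Token Endpoint Authentication
    Method = None, so there is no client_secret; the code_verifier proves possession."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": p.redirect_uri,
        "client_id": p.client_id,
        "code_verifier": verifier,
    }
    return f"{p.base_url()}/token", body


def refresh_request(p: PingOneProvider, refresh_token: str) -> Tuple[str, Dict[str, str]]:
    """Later: renew the session using the Refresh Token grant enabled in the app config."""
    body = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": p.client_id,
    }
    return f"{p.base_url()}/token", body


if __name__ == "__main__":
    # Constructed demo values; replace with the ones copied from the PingOne Console.
    demo = PingOneProvider(
        client_id="00000000-0000-0000-0000-000000000000",
        environment_id="11111111-1111-1111-1111-111111111111",
        redirect_uri="http://localhost:9443/yubienroll-callback",
    )
    verifier = new_code_verifier()
    state = secrets.token_urlsafe(16)
    print(authorize_url(demo, state, verifier))
```

Run it to see the authorization URL that the configuration above produces. The two checks in parse_callback are the ones that matter for a loopback client: the callback must land on the exact registered Redirect URI, and the state must match the value generated for this run, otherwise a code injected by another local process or a replayed redirect could be exchanged for tokens.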

Enabling MFA and FIDO2 Policies

To enable authentication with FIDO2 devices, create a FIDO2 policy and include it in the relevant MFA policy. By default, YubiEnroll uses the environment's default MFA policy. To use a different policy, specify its policy_id when creating or editing the PingOne provider. For more information on FIDO2 policies, see Adding a FIDO policy.

Using Custom Domains

PingOne supports mapping customer-owned and controlled domain names to the user interfaces and services of an environment. By default, YubiEnroll assumes no custom domain is used. To use one, specify the custom_domain when creating or editing the PingOne provider. For more information on custom domains, see Setting up a custom domain.