PingFederate Passwordless Plugin

Overview

The HYPR Extension for PingFederate utilizes PingFederate as an Identity Provider (IdP). HYPR Integration Kit for PingFederate provides IdP Adapter as well Password Credential Validator (PCV). which enable users to authenticate using FIDO. Within the Intelligent Extension, the HYPR IdP Adapter serves as a platform to authenticate users either using FIDO keys stored on the mobile app or FIDO2 tokens, Password Credential Validator is used to authenticate users through FIDO using a mobile app whenever user interaction is not an option. After registering a device through Device Manager, a user can log into the specified Service Provider (SP) or get OAuth2.0 tokens by authenticating with Mobile App or FIDO2 tokens.

System Requirements

This HYPR Intelligent Extension for PingFederate is designed and supported for the Control Center, and compliant with the PingFederate SSO IdP Server. The HYPR Integration Kit is compliant with PingFederate v7.x and above releases. Refer to PingFederate documentation for the specific system requirements for the specific version of PingFederate being integrated as the target hosting platform for the HYPR Intelligent Extension.

📘
The HYPR Intelligent Extension for PingFederate uses information from the PingFederate Administration Console. Configuration information will vary slightly among versions of PingFederate; however, the HYPR IdP Adapter & PCV configuration will be the same.

Contact HYPR support to acquire the Ping Federate HYPR Integration Kit

Zip Manifest

The distribution ZIP file for the HYPR Intelligent Extension contains the following items: • /legal – Contains legal documents

Legal.pdf – Copyright and license information
License_Agreement.pdf – Click-through agreement
• /docs – Contains the documentation needed to setup and use the HYPR IdP Adapter
HYPR-Integration-Kit-ReleaseNotes.pdf – Release notes
HYPR-Integration-Kit-UserGuide.pdf – This document
• /dist – Contains the libraries needed to implement the HYPR IdP Adapter
pf.adapters.hypradapter.jar – HYPR IdP Adapter plug-in for PingFederate
• /dist/conf/language-packs – Contains the language support packs for user interfaces
HYPR-messages.properties – English translation for out-of-the-box user templates
HYPR-messages_es.properties – Spanish translation for out-of-the-box user templates • /dist/conf/template – Contains the velocity templates needed for user interfaces
hypr.form.login.template.html – Login template
-hypr.field.presence.required.template.html - User Presence Required Verification
hypr.form.customTransaction.template.html - Sample template that demonstrates using a custom transaction text feature.

• /dist/conf/template/assets/css – Contains the HYPR style sheet for velocity templates

hypr.css – HYPR style sheet for velocity templates

Authentication Overview

User attempts to access a protected web resource.
User is redirected to PingFederate to authenticate.
User enters Username to the PingFederate login page.
HYPR IdP Adapter initiates authentication with the HYPR server.
User uses biometric authentication to verify identity.
HYPR mobile application sends authentication success response to server.
HYPR server sends authentication success to PingFederate.
PingFederate creates user login session.
User is redirected to the protected web resource.

Installation and Setup

Integrating the HYPR IdP Adapter into a PingFederate server involves the following steps:
• Installing the HYPR IdP Adapter libraries, language packs, and templates onto a PingFederate server
• Configuring the HYPR IdP Adapter based on a specific use case

Installing the HYPR IdP Adapter

Perform the following steps to install the HYPR IdP Adapter:

Log in as an administrator to the PingFederate server.
Stop the PingFederate server if it is running.
Remove previous version of the HYPR Adapter from deploy directory
rm <PF-install>/server/default/deploy/pf.adapters.hypradapter*.jar
From the integration kit dist directory, copy the jar files and paste them into the specified PingFederate directory.
<PF-install>/server/default/deploy/pf.adapters.hypradapter-1.5.0.jar
From the integration kit dist directory, copy the configuration files for language packs and templates, and paste them into the specified PingFederate directory. These files do not replace existing PingFederate configuration files; rather, they are used in addition to existing configuration files.
<PF-install>/server/default/conf/language-packs/HYPR-messages.properties
<PF-install>/server/default/conf/template/hypr.form.login.template.html
<PF-install>/server/default/conf/template/hypr.form.register.template.html
<PF-install>/server/default/conf/template/assets/css/hypr.css
Start the PingFederate server.

Configuring the HYPR IdP Adapter

Perform the following steps to configure PingFederate with the HYPR IdP Adapter:

Open a web browser and log in to the PingFederate Administration Console.
Within the console, select Adapters under IdP Configuration on the Main Menu.
(For more information about IdP Adapters, see the PingFederate Administrator’s Manual.)
On the Manage IdP Adapter Instances screen, click [Create New Instance].
On the Type screen, enter the following values:
Instance Name: Choose any name for identifying the adapter instance
Instance ID: Internal PingFederate ID that cannot contain spaces or non-alphanumeric characters Type: HYPR Adapter 1.0
At the bottom of the Type screen, click [Next].
On the IdP Adapter screen, click Add a new row to ‘Common Names for SP Entity IDs’. Select an SP entity ID. Provide an Application Name. Click Update.

📘
(For information about how to set up a Data Store, see the PingFederate Administrator’s Manual.)
http://documentation.pingidentity.com/display/PF/Administrator's+Manual

📘
(For information about how to setup an SP connection, see the PingFederate Administrator’s Manual.)
http://documentation.pingidentity.com/display/PF/Administrator's+Manual

On the IdP Adapter screen, provide entries for each of the fields shown in the Table below.

Field Name	Description
PingFederate Base URL	PingFederate Base URL no trailing "/"
HYPR Base URL	The base URL for the HYPR API. no trailing "/"
Application ID	The ID used to identify this application to the HYPR API.
Username Cookie Duration	The number of days the username cookie will remain active. A negative value indicates that the cookie will persist until the browser is shutdown.
User ID Field Name	The field name for the user ID that is returned from the preceding IdP adapter in a Composite Adapter or IdP policy that is used for user authentication. Examples include ‘username’ from an HTML Form Adapter or ‘subject’ from an OpenToken Adapter.
Auto Fail if Devices not Regisered	If no devices are registered, exit adapter with an error
Auto Submit If FIDO2 Devices not Registered	Auto Submit If FIDO2 Devices not Registered
Allow Username Edits	Allow Username Edits
HYPR Login Template	The HTML template (in `<PF-install>/server/default/conf/template` ) to render for a login.
Adapter Integration Error Template	The HTML template (in `<PF-install>/server/default/conf/template` ) to render when an integration error occurs within the adapter. The default value of `general.error.page.template.html` is the PingFederate error template.
Presence Required Flag	Set this value if you require Post Mobile App confirmation processing to protect against Mobile Push attacks
Presence Required Field Template	Template name for Presenting user with confirmation options
Number of Strings	Number of options for user confirmation
Presence Confirmation Instruction	Transaction Text Instruction that user will receive on the mobile app
Default Transaction Text	Text to send to the user instead of a generic application Name
Override Action Id	Policy Name configured in HYPR for user authentication
Fake User Authentication	For users that are either not registered or not in the LDAP, fake that user is authenticating to prevent credential harversting
Support FIDO2	Check if you want to allow FIDO2
Allow External Authenticators	Check if you want to allow both platform and external authenticators
Display Cancel Option	Display Cancel Option: This will result in Adapter Exiting with an Error
LDAP Lookup Table	If want LDAP lookup as part of the Adapter, fill out Advanced Fields
LDAP Data Source	The LDAP data source used for retrieving HYPR unique user identifier
Base DN	Base DN
FIlter	Filter for searching for the right Entry in LDAP
Search Scope	Search Scope
HYPR Identifier Attribute Name	The name of the attribute that user is registered to HYPR with, any unique identifier, can be opaque
UserAccountControl Attribute Name	User Account Control attribute provides information on user status, and can be used in issuance criteria to deny access even is user authenticated.

At the bottom of the IdP Adapter screen, click [Next].
On the Extended Contract screen, add any desired contract extensions, then click [Next].
On the Adapter Attributes screen, select username as the Pseudonym, then click [Next].
On the Adapter Contract Mapping screen, configure any desired adapter contracts, then click [Next].
On the Summary screen, verify that the information is correct, then click [Done].
On the Manage IdP Adapter Instances screen, click [Save] to complete the adapter configuration.

Increasing Log Level

Modify
/pingfederate/server/default/conf/log42.xml
file by adding

to the Loggers Section

Release Notes

1.5.2.

TracerId added
Support for PingFederate 10.x added
PingFederate Base URL is now required to be entered in the Admin Console
Additional Debug Logs added
Cosmetic changes to HTML Form

6.6.0

Changed API endpoints to point to endpoints protected by access token
Added HYPR Password Credential Validator
Added optional autosubmit when adapter chaining
Added optional auto fail when chaining adapters
Added enable/disable username edits (useful when chaining adapters)
Added optional Cancel button to allow user to exit adapter with an error to skip to the next adapter in the policy.