Configure a Passwordless Sign-On Policy

Number of APIs: 5

PingOne supports a sign-on flow that uses only a username and a multi-factor authentication (MFA) sign-on action to authenticate the user. This activity shows you how to create a sign-on policy that does not require a password at sign on.

Note: To create a new sign-on policy and its associated sign-on policy action, you must have the Environment Admin role.

This scenario illustrates the following common operations supported by the PingOne APIs:

  • Create an application connection
  • Create a sign-on policy
  • Create a sign-on policy action
  • Assign the sign-on policy to an application

Prerequisites

Get an access token from the worker application that you created in Getting Started with the PingOne APIs. To get a token from a different worker application in an alternate sandbox environment, run the token request endpoint using the client ID and client secret of your chosen worker app to authenticate the request. For more information, see GET a Worker Application Access Token.

Workflow order of operations

To create a sign-on policy that does not prompt for a password at login, the following tasks must be completed successfully:

  1. Make a POST request to /environments/{{envID}}/applications to create a new application connection.

  2. Make a POST request to /environments/{{envID}}/signOnPolicies to create a new sign-on policy.

  3. Make a POST request to /environments/{{envID}}/signOnPolicies/{{policyID}}/actions to create a new MFA sign-on policy action, which is associated with the new (no password) sign-on policy.

  4. Make a POST request to /environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments to associate this sign-on policy with the specified application.

  5. Make a GET request to the authorization server to retrieve the URL for the sign-on screen, which is returned in the response's HTTP Location header.

  1. Step 5: Test authentication GET {{authPath}}/{{envID}}/as/authorize?response_type=code&client_id={{passwordlessAppID}}&redirect_uri=https://www.example.com&scope=openid profile

  2. Step 4: Assign the sign-on policy to an application POST {{apiPath}}/environments/{{envID}}/applications/{{passwordlessAppID}}/signOnPolicyAssignments

  3. Step 3: Create the sign-on policy action POST {{apiPath}}/environments/{{envID}}/signOnPolicies/{{passwordlessPolicyID}}/actions

  4. Step 1: Create an application POST {{apiPath}}/environments/{{envID}}/applications

  5. Step 2: Create the new sign-on policy POST {{apiPath}}/environments/{{envID}}/signOnPolicies