Configure a Passwordless Sign-On Policy
Number of APIs: 5
PingOne supports a sign-on flow that uses only a username and a multi-factor authentication (MFA) sign-on action to authenticate the user. This activity shows you how to create a sign-on policy that does not require a password at sign on.
Note: To create a new sign-on policy and its associated sign-on policy action, you must have the Environment Admin role.
This scenario illustrates the following common operations supported by the PingOne APIs:
- Create an application connection
- Create a sign-on policy
- Create a sign-on policy action
- Assign the sign-on policy to an application
Prerequisites
Get an access token from the worker application that you created in Getting Started with the PingOne APIs. To get a token from a different worker application in an alternate sandbox environment, run the token request endpoint using the client ID and client secret of your chosen worker app to authenticate the request. For more information, see GET a Worker Application Access Token.
Workflow order of operations
To create a sign-on policy that does not prompt for a password at login, the following tasks must be completed successfully:
- Make a POST request to /environments/{{envID}}/applications to create a new application connection.
- Make a POST request to /environments/{{envID}}/signOnPolicies to create a new sign-on policy.
- Make a POST request to /environments/{{envID}}/signOnPolicies/{{policyID}}/actions to create a new MFA sign-on policy action, which is associated with the new (no password) sign-on policy.
- Make a POST request to /environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments to associate this sign-on policy with the specified application.
- Make a GET request to the authorization server to retrieve the URL for the sign-on screen, which is returned in the response's HTTP Location header.
- Step 1: Create an application
  POST {{apiPath}}/environments/{{envID}}/applications
- Step 2: Create the new sign-on policy
  POST {{apiPath}}/environments/{{envID}}/signOnPolicies
- Step 3: Create the sign-on policy action
  POST {{apiPath}}/environments/{{envID}}/signOnPolicies/{{passwordlessPolicyID}}/actions
- Step 4: Assign the sign-on policy to an application
  POST {{apiPath}}/environments/{{envID}}/applications/{{passwordlessAppID}}/signOnPolicyAssignments
- Step 5: Test authentication
  GET {{authPath}}/{{envID}}/as/authorize?response_type=code&client_id={{passwordlessAppID}}&redirect_uri=https://www.example.com&scope=openid profile
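The order of operations above matters because steps 3 to 5 need IDs that steps 1 and 2 create. The following sketch is an added example, not PingOne's own code: it resolves the five request URLs offline, assumes each create response returns the new resource's identifier in an `id` field, uses constructed host names and IDs, and leaves out request bodies because the page does not list them.

```python
import re
from urllib.parse import urlencode

# Methods and paths are the page's; the third field names the {{variable}}
# that the step's response id is stored in (assumed to be the `id` field).
STEPS = [
    ("POST", "{{apiPath}}/environments/{{envID}}/applications", "passwordlessAppID"),
    ("POST", "{{apiPath}}/environments/{{envID}}/signOnPolicies", "passwordlessPolicyID"),
    ("POST", "{{apiPath}}/environments/{{envID}}/signOnPolicies/{{passwordlessPolicyID}}/actions", None),
    ("POST", "{{apiPath}}/environments/{{envID}}/applications/{{passwordlessAppID}}/signOnPolicyAssignments", None),
]

def render(template, variables):
    """Fill {{name}} placeholders; raise if a value is not known yet."""
    def fill(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"{name} is not set; run the step that creates it first")
        return variables[name]
    return re.sub(r"\{\{(\w+)\}\}", fill, template)

def authorize_url(variables, redirect_uri="https://www.example.com"):
    """Step 5 request URL with the query string percent-encoded."""
    query = urlencode({"response_type": "code",
                       "client_id": variables["passwordlessAppID"],
                       "redirect_uri": redirect_uri,
                       "scope": "openid profile"})
    return render("{{authPath}}/{{envID}}/as/authorize", variables) + "?" + query

def plan(variables, created_ids):
    """Resolve steps 1-5 in order, feeding each created id into later paths."""
    variables = dict(variables)
    requests = []
    for (method, template, produces), new_id in zip(STEPS, created_ids):
        requests.append((method, render(template, variables)))
        if produces:
            variables[produces] = new_id
    requests.append(("GET", authorize_url(variables)))
    return requests

def sign_on_url(status, headers):
    """Read the sign-on screen URL from the step 5 response without following it."""
    if not 300 <= status < 400 or "Location" not in headers:
        raise ValueError("expected a redirect with a Location header")
    return headers["Location"]

if __name__ == "__main__":
    # Constructed sample values, not real tenant data.
    env = {"apiPath": "https://api.example.test/v1",
           "authPath": "https://auth.example.test", "envID": "env-123"}
    for method, url in plan(env, ["app-1", "pol-1", None, None]):
        print(method, url)
```

When sending step 5 with a real HTTP client, disable automatic redirect following so the `Location` header can be inspected before anything is loaded from it.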