Keyri QR login can be incorporated into a new or existing Ping Identity tenant through the DaVinci no-code orchestration platform using the Keyri DaVinci connector. The process is similar to that detailed in the server-side authentication documentation, though with the custom backend, where user public keys are stored and authentication signatures validated, replaced by PingOne and the Keyri DaVinci connector.
First, install the Keyri connector in your DaVinci environment by searching for it in the "Connections" tab.
Next, insert the connector into your flow as follows:
Note that the Keyri connector follows a PingOne connector in which the user's public key is extracted from the PingOne user database based on a user identifier passed to the Keyri frontend widget from your mobile app. The Keyri connector accepts the following three parameters and outputs a boolean indicating the cryptographic validity of the login request:
- User Public Key: given by the preceding PingOne connector
- Authentication Challenge: a nonce used to prevent replay attacks, generated by your app when the QR code is scanned
- User Signature: a signature of the Authentication Challenge generated by the Keyri SDK
Finally, use the boolean output of the Keyri connector to either issue a session token or otherwise further process the user's login request.
Integration of the Keyri QR widget in your Ping-backed web application is the standard process described in the server-side authentication documentation, with the three parameters instead passed to your PingOne endpoint to be processed by the DaVinci flow you set up as described above.
Keyri - Please see our documentation for our Mobile SDKs
Full Ping API Docs can be found here: https://developer.pingidentity.com/en.html
First, create a user in Ping's system. This is a standard process per Ping's API conventions. Next, use the Keyri SDK to generate a local association keypair for the device: the private key is stored in the mobile device's TPM, and the public key is stored in Ping's server under the "Nickname" field for the user. This is accomplished in step 2 in the sample code, where we call the generate association key function for the user, then PATCH the user object in Ping's server with the nickname.
For this step, we are primarily using Keyri functions to send a secure payload to the browser.
We have examples for how to use Keyri to send a secure payload in our Mobile SDK sections. In the below code block, we cover exactly how to configure the payload in the case of Ping Identity. We create an object containing the username, a timestamp coupled with a randomly generated nonce (the timestamp_nonce), and a signature of that timestamp_nonce. The final object looks like this:
Below is an example of how to generate the signature. Notice that you can take advantage of Keyri's built-in cryptography functions to generate the signature (though if you want you can always extract the key and do the signature manually). Simply pass this string as the payload (again, see the mobile SDK sections for more detail) and you're all set!