Configuring One Identity OneLogin for passwordless authentication
  • 23 Apr 2025
  • 5 Minutes to read

Article summary

This guide provides step-by-step instructions on how to configure One Identity OneLogin to use DIGIPASS FX series authenticators. It considers new users who have never signed in and who have not registered an FX series FIDO2 token. These users will be able to first set their account password, sign in, and then register a DIGIPASS FX series authenticator. After the first sign-in and the registration of the authenticator, the users are moved to a secondary group that only allows sign-in with FIDO2 tokens. Subsequent sign-ins are done with passkeys stored on the DIGIPASS FX authenticator that the user registered in the first step.

If you are a user and received a mail from your company to register your DIGIPASS FX series authenticator, see Completing the registration for users.

Before you begin

  • Ensure that you have DIGIPASS FX series FIDO2 authenticators ready for configuration, for example, DIGIPASS FX7 or DIGIPASS FX1 Bio.

  • Ensure that you have a OneLogin account with administrative access.

  • Verify that your OneLogin license allows the use of Smart Flows and that this feature is enabled. If it is enabled, you'll see different flows available under Security > Policies > policy_name > Flows.

  • Ensure that you use a Firefox or Chromium browser, for example, Google Chrome or Microsoft Edge.

Configuring passwordless authentication

Configuring One Identity OneLogin for authentication with FIDO2 passkeys involves the following steps:

  1. Enabling WebAuthn as an authentication factor.

  2. Configuring the authentication policies. This requires at least two authentication policies that leverage OneLogin smart flows. The first policy handles new users who have never signed in, so they can initially sign in and register a DIGIPASS FX series authenticator. The second policy applies to users after they have signed in once, so they can only sign in using passkey authentication.

  3. Creating the user groups and assigning the authentication policies. Assign the authentication policies to groups containing the users to enforce the policies assigned to that group. Policies can be applied via group membership.

  4. Creating user mappings. OneLogin supports mapping rules that can assign users to a given group based on configurable conditions.

    This guide utilizes user mappings. However, OneLogin's best practice is to use Smart Hooks, which can programmatically assign policies to users based on different contextual data points.

    Smart Hooks are beyond the scope of this document. For more information, refer to https://developers.onelogin.com/api-docs/2/smart-hooks/types/pre-authentication.

  5. Assigning existing users to the appropriate groups.

Step 1: Enable WebAuthn as authentication factor

The first thing you'll need to do is enable WebAuthn as an available authentication factor.

  1. Sign in to the OneLogin administration portal.

  2. Navigate to Security > Authentication Factors and click New Auth.

  3. Click WebAuthn > Choose.

  4. Type a user-friendly name for the authentication factor, for example, FX Authenticators.

    This name will be displayed to end users and administrators to identify the authentication factor. Alternatively, upload an image for the authentication factor.

    The new authentication factor is now listed.

Step 2: Configure authentication policies

  1. Sign in to the OneLogin administration portal.

  2. Navigate to Security > Policies.

  3. Click New User Policy to create a policy for new users.

  4. Switch to the Login Flow tab, and select the Standard smart flow.

  5. Switch to the MFA tab.

  6. Select One-time password > OTP Auth Required. Select at least the WebAuthn factor that you created in Step 1, for example, FX Authenticators.

  7. Select MFA Device Registration > Users without an MFA device must register one before being able to login.

  8. Select All users from the Enforcement Settings > OTP required for list.

  9. Type a name for the policy in the upper left corner, for example, New Users, and save your policy.

    Your new policy is created.

  10. Click New User Policy to create another policy for users who have already signed in once, so they can only sign in using passkey authentication.

  11. Switch to the Login Flow tab, and select the Passwordless smart flow.

  12. Switch to the Password tab, and set Maximum Password Age to 0 days.

  13. Switch to the MFA tab.

  14. Select One-time passwords > OTP Auth Required. Select at least the WebAuthn factor that you created in Step 1, for example, FX Authenticators.

  15. Select MFA Device Registration > Do not prompt users to register an MFA device during login.

  16. Select All users from the Enforcement Settings > OTP required for list.

  17. Type a name for the policy in the upper left corner, for example, Passkey Authentication (OneSpan FX Tokens), and save your policy.

  18. Your new policy is created and should now be listed in the policy list.

Step 3: Create user groups and assign authentication policies

  1. Sign in to the OneLogin administration portal.

  2. Navigate to Users > Groups.

  3. Click New Group.

  4. Type a name for the new group, for example, New Users, and set the security policy that you created for new users in Step 2.

  5. Save the new group.

  6. Click New Group.

  7. Type a name for the new group, for example, Passkey Login Users, and set the security policy that you created for users who signed in once in Step 2, for example, Passkey Authentication (OneSpan FX Tokens).

  8. Save the new group.

    Your two new groups should be listed in the group list.

Step 4: Create user mappings

  1. Sign in to the OneLogin administration portal.

  2. Navigate to Users > Mappings.

  3. Click New Mapping.

  4. Type a name for your mapping.

  5. Set the first condition to Group is New Users.

  6. Click the + button to add a second condition and set it to Days since last login less than 1.

  7. Set the action to Set group and choose the group that you created for passkey logins, for example, Passkey Login Users.

  8. Click Save.

    OneLogin will remind you to reapply your mappings.

  9. Create a second mapping that automatically assigns newly created users to the New Users group.

  10. Navigate to Users > Mappings and click New Mapping.

  11. Type a name for the new mapping.

  12. Set one condition to User created. Set one action to Set Group = New Users.

  13. Click Save.

  14. Click OK.

  15. Click Reapply All Mappings.

  16. Click Continue to reapply the mappings.
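As an added illustration (not OneLogin's own code, and not its Mappings API), the following Python model evaluates the two mappings from Step 4 over constructed user records, to show which users move from the New Users group to the passkey-only group when mappings are reapplied. Treating the "User created" condition as "the user has no group yet", and the evaluation order, are assumptions of this model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Group names as used in the examples of Steps 3 and 4.
NEW_USERS = "New Users"
PASSKEY_USERS = "Passkey Login Users"

# Constructed reference time for the sample records below.
REFERENCE_NOW = datetime(2025, 4, 23, 12, 0, tzinfo=timezone.utc)


@dataclass
class User:
    name: str
    group: Optional[str] = None            # None: freshly created, no group yet (assumption)
    last_login: Optional[datetime] = None  # None: the user has never signed in


def days_since_last_login(user: User, now: datetime) -> Optional[float]:
    """Value of the 'Days since last login' condition; None if the user never signed in."""
    if user.last_login is None:
        return None
    return (now - user.last_login).total_seconds() / 86400


def first_login_mapping(user: User, now: datetime) -> bool:
    """Mapping 1: Group is New Users AND Days since last login < 1 -> Passkey Login Users."""
    days = days_since_last_login(user, now)
    return user.group == NEW_USERS and days is not None and days < 1


def user_created_mapping(user: User) -> bool:
    """Mapping 2: User created -> Set Group = New Users (modelled as 'no group yet')."""
    return user.group is None


def reapply_mappings(users: List[User], now: datetime) -> List[User]:
    """Evaluate both mappings for every user, as 'Reapply All Mappings' does."""
    for user in users:
        if first_login_mapping(user, now):
            user.group = PASSKEY_USERS
        elif user_created_mapping(user):
            user.group = NEW_USERS
    return users


def lifecycle(now: datetime = REFERENCE_NOW) -> Dict[str, Optional[str]]:
    """Constructed sample: one user per state the mappings can encounter."""
    users = [
        User("alice"),                                          # just created, never signed in
        User("bob", NEW_USERS, now - timedelta(hours=2)),       # first sign-in and FX registration done
        User("carol", NEW_USERS),                               # in New Users, never signed in
        User("dave", NEW_USERS, now - timedelta(days=3)),       # signed in, but > 1 day ago
    ]
    return {u.name: u.group for u in reapply_mappings(users, now)}
```

Note that dave stays in New Users: the "less than 1" day condition only matches if the mappings are reapplied (or evaluated) within a day of the first sign-in, so users who fall outside that window must be moved individually or with a broader mapping, as Step 5 describes.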

Step 5: Assign existing users to the appropriate groups

Depending on your current situation, you may need to assign existing users to groups based on their status. You can do this on an individual user basis or by using mappings as previously described.

  1. Navigate to Users > Users.

  2. Select a user and click the authentication menu.

  3. Choose the group to which you want to assign the user, then save the user.

    Adding new users and assigning them to groups can be done via the user import function by supplying these values in the CSV template. Existing users can be moved to groups in bulk using a user mapping in the Users > Mappings menu.
