---
title: Preparing Advanced Identity Cloud or PingAM for FIDO in iOS
description: PingOne Advanced Identity Cloud PingAM iOS
component: orchsdks
page_id: orchsdks:journey:use-cases/fido/ios/before-you-begin
canonical_url: https://developer.pingidentity.com/orchsdks/journey/use-cases/fido/ios/before-you-begin.html
revdate: Fri, 13 May 2022 09:39:02 +0200
section_ids:
  ios-site-association: Step 1. Associating your iOS app with your Advanced Identity Cloud or PingAM server
  preparing_a_site_association_file: Preparing a site association file
  hosting_apple_app_site_association_files_in_advanced_identity_cloud_or_pingam: Hosting apple-app-site-association files in Advanced Identity Cloud or PingAM
  ios-fido-journeys: Step 2. Configuring authentication journeys for FIDO on iOS
  configure_authentication_journeys_for_fido2_on_ios: Configure authentication journeys for FIDO2 on iOS
  next_steps: Next steps
---

# Preparing Advanced Identity Cloud or PingAM for FIDO in iOS

PingOne Advanced Identity Cloud, PingAM, iOS

Before enabling FIDO authentication in your iOS apps, you must complete the following tasks:

* [Step 1. Associating your iOS app with your Advanced Identity Cloud or PingAM server](#ios-site-association)

* [Step 2. Configuring authentication journeys for FIDO on iOS](#ios-fido-journeys)

## Step 1. Associating your iOS app with your Advanced Identity Cloud or PingAM server

You can create an `apple-app-site-association` file that creates a secure association between your domain and your app. This allows you to share credentials, and use universal links to open your app from your website.

To create the secure association, you upload the `apple-app-site-association` file to your domain, and add matching Associated Domains Entitlement keys to your app.

### Preparing a site association file

1. Prepare a JSON-formatted file named `apple-app-site-association`, as shown below.

   Ensure you include the `webcredentials` entitlement.

   ```json
   {
     "applinks": {
       "details": [
         {
           "appIDs": [
             "XXXXXXXXXX.com.example.AppName"
           ],
           "components": [
             {
               "/": "/reset/*",
               "comment": "Success after reset password journey"
             }
           ]
         }
       ]
     },
     "webcredentials": {
       "apps": [
         "XXXXXXXXXX.com.example.AppName"
       ]
     }
   }
   ```

2. Replace *XXXXXXXXXX.com.example.AppName* with the app ID of your client iOS application.

Learn more in [Supporting associated domains](https://developer.apple.com/documentation/xcode/supporting-associated-domains) in the Apple Developer documentation.
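The check below is an added example, not part of the Ping SDK or Apple tooling: it validates `apple-app-site-association` content before upload, catching invalid JSON, a missing `webcredentials` entry, and app IDs that still carry the template prefix. It assumes an app ID is a 10-character Team ID prefix followed by a bundle identifier; `check_aasa` and the sample Team ID `A1B2C3D4E5` are constructed for illustration.

```python
import json
import re

# Assumption: an app ID is a 10-character Team ID prefix, a dot, then the
# bundle identifier.
APP_ID_RE = re.compile(r"^[A-Z0-9]{10}\.[A-Za-z0-9.-]+$")
PLACEHOLDER_PREFIX = "XXXXXXXXXX."  # sample value from the page's template


def check_aasa(text):
    """Return a list of problems found in apple-app-site-association content."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]

    problems = []
    creds = doc.get("webcredentials")
    apps = creds.get("apps") if isinstance(creds, dict) else None
    if not isinstance(apps, list) or not apps:
        problems.append("webcredentials.apps is missing or empty")
        apps = []

    # Gather every app ID with its location so messages point at the entry.
    found = [("webcredentials.apps", a) for a in apps]
    links = doc.get("applinks")
    details = links.get("details") if isinstance(links, dict) else None
    for i, detail in enumerate(details if isinstance(details, list) else []):
        ids = detail.get("appIDs") if isinstance(detail, dict) else None
        if isinstance(ids, list):
            found += [(f"applinks.details[{i}].appIDs", a) for a in ids]

    for where, app_id in found:
        if not isinstance(app_id, str) or not APP_ID_RE.match(app_id):
            problems.append(f"{where}: {app_id!r} is not <TeamID>.<bundle id>")
        elif app_id.startswith(PLACEHOLDER_PREFIX):
            problems.append(f"{where}: {app_id!r} still has the template prefix")
    return problems


# Constructed sample: the page's template with only webcredentials edited.
SAMPLE = """{
  "applinks": {"details": [{"appIDs": ["XXXXXXXXXX.com.example.AppName"],
                            "components": [{"/": "/reset/*"}]}]},
  "webcredentials": {"apps": ["A1B2C3D4E5.com.example.AppName"]}
}"""

if __name__ == "__main__":
    for problem in check_aasa(SAMPLE):
        print(problem)
```

The template value `XXXXXXXXXX.com.example.AppName` is itself well-formed, which is why the placeholder test is separate from the format test.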

### Hosting apple-app-site-association files in Advanced Identity Cloud or PingAM

* For **PingOne Advanced Identity Cloud** deployments, refer to [Upload an iOS apple-app-site-association file](https://docs.pingidentity.com/pingoneaic/latest/end-user/upload-ios-apple-app-site-association.html).

* For self-managed **PingAM** deployments, host the file at `https://<your domain>/.well-known/apple-app-site-association`.

|   |                                                                                                                                                                                                    |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Make a note of the domain where you uploaded the file, as you'll need to [add matching Associated Domains Entitlement keys to your iOS project](ios-fido-auth-journey.html#ios-fido-entitlements). |

## Step 2. Configuring authentication journeys for FIDO on iOS

### Configure authentication journeys for FIDO2 on iOS

Authentication journeys for FIDO primarily use these nodes:

* WebAuthn Registration Node

  Handles the creation and storage of new passkeys.

* WebAuthn Authentication Node

  Manages the sign-in process by issuing and verifying challenges.

Learn more about creating authentication journeys for FIDO in [Journeys for WebAuthn](https://docs.pingidentity.com/pingoneaic/latest/am-authentication/authn-mfa-webauthn.html#authn-mfa-web-authn).

To prepare your authentication journeys to use FIDO with an iOS application, you need to configure each **WebAuthn Registration node** and **WebAuthn Authentication node** in your authentication journey to work with your iOS app.

|   |                                                                                                                                                                                                                              |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | You must use the same configuration values in each **WebAuthn Registration node** and **WebAuthn Authentication node** in the journey. Any mismatches in configuration between these nodes will cause authentication to fail. |

* Each WebAuthn Registration node and WebAuthn Authentication node

  1. In Origin domains:

     1. To enable Passkey support, add the fully-qualified domain name of the Advanced Identity Cloud or PingAM instance as an origin domain. For example, `https://openam-docs.forgeblocks.com`.

  2. Ensure the Return challenge as JavaScript option is **not enabled**.

     The SDK expects a JSON response from these nodes; enabling this option would cause the journey to fail.

  3. In Relying party identifier, enter the domain hosting the `apple-app-site-association` file you created and uploaded.

     For example, `openam-docs.forgeblocks.com`.

     You do not need the protocol or the path.

* Every WebAuthn Registration node

  1. In Accepted signing algorithms, include one or more of `ES256` and `RS256`.

  2. Ensure the Limit registrations option is **not enabled**.

The result will resemble the following:

![aic fido journey properties](../../../../_images/fido/aic-fido-journey-properties.png)

Figure 1. Example WebAuthn Registration node iOS configuration
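The rules above can be checked mechanically once the node settings are written down. The following is an added example, not Ping code: `check_nodes` and the dictionary keys (`origins`, `rp_id`, and so on) are hypothetical names for this sketch and do not correspond to an Advanced Identity Cloud or PingAM export format.

```python
from urllib.parse import urlsplit

# Hypothetical field names for this example; not an AM export schema.
SHARED = ("origins", "rp_id", "return_challenge_as_javascript")


def check_nodes(nodes):
    """Return a list of problems in a journey's WebAuthn node settings."""
    problems = []
    for node in nodes:
        name = node["name"]
        for origin in node["origins"]:
            url = urlsplit(origin)
            if url.scheme != "https" or not url.hostname or url.path not in ("", "/"):
                problems.append(f"{name}: origin {origin!r} is not https://<fqdn>")
        if "://" in node["rp_id"] or "/" in node["rp_id"]:
            problems.append(f"{name}: rp_id must be a domain, no protocol or path")
        if node["return_challenge_as_javascript"]:
            problems.append(f"{name}: Return challenge as JavaScript is enabled")
        if node["type"] == "registration":
            if not {"ES256", "RS256"} & set(node["accepted_signing_algorithms"]):
                problems.append(f"{name}: no ES256 or RS256 signing algorithm")
            if node["limit_registrations"]:
                problems.append(f"{name}: Limit registrations is enabled")
    # Every node must carry the same shared values as the first one.
    for node in nodes[1:]:
        for key in SHARED:
            if node[key] != nodes[0][key]:
                problems.append(f"{node['name']}: {key} differs from {nodes[0]['name']}")
    return problems


# Constructed sample journey: the authentication node's rp_id was pasted as a URL.
ORIGIN = "https://openam-docs.forgeblocks.com"
JOURNEY = [
    {"name": "register", "type": "registration", "origins": [ORIGIN],
     "rp_id": "openam-docs.forgeblocks.com",
     "return_challenge_as_javascript": False,
     "accepted_signing_algorithms": ["ES256"], "limit_registrations": False},
    {"name": "authenticate", "type": "authentication", "origins": [ORIGIN],
     "rp_id": "https://openam-docs.forgeblocks.com/",
     "return_challenge_as_javascript": False},
]

if __name__ == "__main__":
    for problem in check_nodes(JOURNEY):
        print(problem)
```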

## Next steps

You can now proceed to [Integrating FIDO auth journeys in iOS](ios-fido-auth-journey.html).
