Create a Provisioning Request

Prerequisites:  You have:

  • A valid license for the FIDO Provisioning service

    • To purchase new licenses or renew existing ones, contact your HID Account Manager.

  • The Administrator or Device Service Administrator role, or at least the Create Request privilege

Install the FIDO Provisioning Application

Prerequisites: You have:

  • Administrator rights to install and use the application on the workstation

  • The Administrator , Device Service Administrator or View Only role, or at least the Downloads privilege

  1. Sign in to Customer Central.

  2. Select Downloads downloads icon in the left menu.

    Passkey Management Downloads

  3. Click DOWNLOAD for the FIDO Provisioning application.

  4. Double-click the .msix file to launch the setup.

    Install FIDO Provisioning app

  5. Click Install.

    FIDO Provisioning app ready

  6. Click Launch to test the application installed correctly.

    The following message is displayed.

    FIDO Provisioning app operation not supported

  7. Close the application.

Create a Provisioning Request

Prerequisites: Before creating a provisioning request, you must:

  • Configure the connection to your user directory

  • Have the Administrator or Device Service Administrator role, or at least the Create Request privilege

  • Install the FIDO Provisioning application if you intend to enroll the FIDO devices for your users immediately after creating the request

    Note: You must have administrator rights to install and use the application on the workstation.

  • For manual provisioning, you have:

    • Have the devices available for provisioning

    • Connected a smart card reader to the workstation

  • For automatic provisioning, you have:

    • Set up the printer

    • Loaded the cards into the printer's hopper, making sure there are enough cards to provision all the users in the request

      Note: Depending on the printer's capacity, you might need to reload the hopper during the provisioning process.

If these conditions are not met, you cannot create a request and provision devices.

  1. Sign in to Customer Central.

  2. Expand Passkey Management Passkey Management icon in the left menu and select Provisioning.

    Passkey Management prerequisites

  3. Click NEW REQUEST.

    Passkey Management Create request

  4. Enter a name for the request.

  5. Select the Directory configuration from the drop-down list.

    Create provisioning request directory configuration

  6. For PingOne directories only, select the required authentication policy.

  7. Click CONTINUE.

    Passkey Management Add request users

  8. Select the users required for the request by moving them from the Available to Selected list using the arrow.

    You can also filter the list by searching for users by name.

  9. Click CONTINUE.

    Passkey Management request PIN mode

  10. Select the PIN configuration and click CONTINUE:

    • Random - a random 6-digit PIN will be generated for each device

    • Static - enter a PIN that will be assigned to all the devices

      Passkey Management request static PIN

      The PIN must meet the following conditions:

      • Minimum length - 6 alphanumeric characters

      • Maximum length - 63 alphanumeric characters

    Passkey Management request summary

  11. Review the request details and click Edit to modify the section settings if necessary.

  12. Click Provision Now to create the request.

    Passkey Management request creation progress

    Passkey Management request creation ok

If you do not want to enroll the devices immediately, click Cancel. You can complete the enrollment by provisioning the request later.

  1. When prompted, click Open FIDO Provisioning to launch the application and enroll devices for your users.

    Note:

    • If the prompt does not display, verify that the application is correctly installed and then Provision a Pending Request

    • As the application requires administration rights, you might be prompted to allow the required permissions on your machine

    Passkey Management provisioning modes

  2. Select the mode and click CONTINUE:

Note: If required, you can switch modes during provisioning.

Provision Devices Manually

The application loads the required user information and displays the details of the first user detected in the request.

Passkey Management provision user

  1. Insert the FIDO device into the machine's USB port or place/insert the FIDO smart card into the reader.

    The application detects the device and displays the information.

    Note: The application only manages one device at a time (the last device detected) even if multiple devices are connected.

    Provisioning details

  2. Verify that the provisioning information is correct for the user and device.

    If necessary, you can also:

    • Click SKIP USER to proceed to the next user in the provisioning request

    • Remove the device from the reader or USB port and select another device for the currently selected user

  3. Click PROVISION.

    Provisioning successful message

    Note: If you are provisioning a Crescendo Key in USB mode, press the button (flashing orange) to validate the operation.

  4. If the application detects that the device is already provisioned, click one of the following options:

    Device is in the Customer Central inventory

    • NEXT USER - proceed to the next user in the provisioning request

    • TRY NEW DEVICE - select another device to provision to the currently selected user

    • RESET AND PROVISION - reset the device and provision it to the currently selected user

      Important:

      • Before resetting the device, confirm that any stored credentials are no longer needed, as they will be permanently deleted

      • You cannot reset a FIDO device if its PIN is locked

      • If the reset does not work, remove device from the reader and then re-insert or tap again

      • You can only reset a Crescendo Key in USB mode and you must press the button (flashing orange) to validate the reset and provisioning operations

        Reset is not supported in contactless mode.

  5. After the success message is displayed, remove the device from the reader or USB port.

    The application proceeds to the provisioning for the next user in the request.

  6. Repeat the above steps for all the users.

    When the final user is provisioned, the completed message is displayed.

    Provisioning completed message

  7. Click VIEW SUMMARY to review the request details.

    Provisioning user summary

    Category Description

    Failed

    The provisioning attempt failed due to an error during this session

    1. Download the report for the provisioning request and review the reason for the failure.

    2. If required, create a new provisioning request for the pending users.

    Skipped

    The provisioning attempt was not made as the user was skipped

    Run the provisioning request again.

  8. Then click CLOSE APPLICATION.

Provision Devices Automatically

The application displays the details of the detected printers:

Provisioning automatic printer selection

  1. Select the required printer.

    Provisioning automatic encoder selection

  2. Select the Encoder mode:

    • Contact

    • Contactless

    Note: The available encoder options depend on the configuration of the detected printer. If you are unsure which mode to use, select Contact.

    For further information, refer to the corresponding user guide for the printer available from the HID Document Library.

    Provisioning printer ready

  3. Click CONTINUE.

    The application loads the required user information and displays the details of the first user detected in the request.

    Provisioning automatic user

  4. Verify that the provisioning information is correct for the user.

  5. Click START PROVISIONING.

    Important: Do not connect any other devices to your workstation during the provisioning to avoid process interruptions or failures.

    The application displays the status of the device provisioning for the user before proceeding to the next user in the request.

    Provisioning automatic next user

    Note: If an error occurs, a notification is displayed. For example:

    Provisioning automatic error message

    For further details and resolution suggestions, see Troubleshooting.

    When the final user is provisioned, the completed message is displayed.

    Provisioning request automatic completed

    The provisioned card is ejected by the printer.

  1. Click VIEW SUMMARY to review the request details.

    Provisioning automatic summary

    Category Description
    Total Users The total number of users from the Provisioning Request
    Successfully Provisioned The number of users successfully provisioned during this session

    Failed

    The number of users that were attempted but failed to provision due to an error during this session

    1. Download the report for the provisioning request and review the reason for the failure.

    2. If required, create a new provisioning request for the remaining users.

    Pending

    The total number of users not yet provisioned because the job was halted due to an error

    Unlike failed provisioning, these user accounts have not been attempted

    Run the provisioning request again. If the error persists, contact HID Technical Support.

  2. Then click CLOSE APPLICATION.

Verify the Device Enrollment

Microsoft Entra ID Users

  1. Log on to the Microsoft Entra admin center (https://entra.microsoft.com/#home) and, if necessary, switch to the required directory.

  2. Expand Identity in the left menu and select Applications.

  3. Select Enterprise applications and then your Passkey Management application.

  4. Under Manage, select Users and groups.

  5. Search for the users or groups for which you provisioned the devices and verify that the FIDO device is correctly registered as a credential.

    For example:

    Entra ID user with passkey

PingOne Users

  1. Log on to the PingIdentity console as an administrator for your PingOne environment.

  2. Expand Directory in the left menu and select Users.

  3. Search for the users or groups for which you provisioned the devices.

  4. Select a user and from the Services drop-down menu, select Authentication.

  5. Verify that the FIDO device is correctly registered as a credential.

    For example:

    Ping user with passkey