---
title: Configuring a PingFederate policy for secondary authentication
description: PingID can serve as the secondary authentication source for PingFederate.
component: pingid
page_id: pingid:pingid_integrations:configuring_a_pf_policy_for_secondary_auth
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/configuring_a_pf_policy_for_secondary_auth.html
revdate: January 25, 2026
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  result: Result:
  result-2: Result:
  result-3: Result:
  choose-from: Choose from:
---

# Configuring a PingFederate policy for secondary authentication

PingID can serve as the secondary authentication source for PingFederate.

## Before you begin

Before configuring PingID for secondary authentication:

* [Install the PingID Integration Kit](installing_the_pid_i_for_pf.html).

* [Download the PingID properties file](pid_pf.html).

* [Configure a PingID Adapter instance](configuring_a_pid_adapter_instance.html).

* If an identity provider (IdP) adapter for primary authentication hasn't been created yet, create one. Learn more in [Configure an IdP adapter instance](http://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_idp_adapter_instance.html).

* If you want to configure the application name or application icon, do so in PingFederate. Learn more in [Identify the target application](http://docs.pingidentity.com/pingfederate/12.3/administrators_reference_guide/pf_identifying_target_application.html) in the PingFederate documentation.

  |   |   |
  | - | - |
  |   | Using a username and multi-factor authorization (MFA) method as your primary authentication method can expose users to security risks like username enumeration, MFA fatigue attacks, targeted phishing, and denial-of-service incidents. To reduce exposure use a passwordless method such as PingID desktop app or FIDO2 biometrics for primary authentication. Learn how to implement a FIDO2 passwordless authentication flow in [Configuring a PingFederate policy for a consistent passwordless authentication experience](pid_configuring_pf_policy_for_passwordless_authentication.html). Learn how to implement a passwordless flow using legacy methods in [(Legacy) Configuring a PingFederate policy for passwordless authentication with FIDO biometrics](pid_configuring_pf_policy_for_passwordless_authentication_fido_biometrics.html). |

## About this task

After creating the relevant IdP and PingID adapters, create a PingFederate policy contract, and then create a PingFederate policy for secondary authentication.

|   |                                                                                                                                                                                                                      |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | If you're running PingFederate 9.0 or earlier, you'll need to create a composite adapter rather than a PingFederate policy. Learn more in [Configuring a composite adapter](pid_configuring_composite_adapter.html). |

## Steps

1. In PingFederate, create an Authentication Policy Contract.

   Learn more in [Managing policy contracts](http://docs.pingidentity.com/pingfederate/12.3/administrators_reference_guide/pf_managing_policy_contracts.html) in the PingFederate documentation.

   1. Go to **Authentication > Policies > Policy Contracts**.

   2. Click **Create New Contract**.

   3. In the **Contract Name** field, enter a name for the policy contract, and then click **Next**.

   4. On the **Contract Attributes** tab, for each attribute you want to add, type the name of the attribute and then click **Add**.

      You can find a list of PingID attributes in [PingID authentication attributes](pid_authentication_attributes.html).

   5. To advance to the **Summary** tab and to review the contract, click **Next**. Click **Save**.

2. Create a PingFederate authentication policy.

   Learn more in [Policies](http://docs.pingidentity.com/pingfederate/12.3/administrators_reference_guide/qmq1564002987890.html) in the PingFederate documentation.

   1. Go to **Authentication > Policies > Policies**.

   2. Select the **IdP Authentication Policies** box, and then click **Add Policy**.

   3. In the **Name** field, enter a meaningful name for the authentication policy.

   4. In the **Policy** list, select **IdP Adapters**, and then select your IdP Adapter from the list (for example, the HTML Form Adapter).

      ### Result:

      The IdP Adapter is added to the PingFederate policy tree.

   5. In this new branch, perform the following.

      * In the **Fail** list, select **Done**.

      * In the **Success** list, select **IdP Adapters**, and then select your PingID Adapter instance.

        ### Result:

        A new PingID Adapter branch is created under the **Success** list.

   6. Under the PingID Adapter branch field, click **Options**, and in the **Incoming User ID** window, perform the following.

      * In the **Source** list, select the IdP adapter.

      * In the **Attribute** list, select **username**.

      * Select the **User ID Authenticated** checkbox.

      * To close the window, click **Done**.

   7. In the new PingID Adapter branch, perform the following.

      * In the **Fail** list, select **Done**.

      * In the **Success** list, select **Policy Contract**, and then select the policy contract you created earlier.

   8. Under the PingID Adapter **Success** field, click **Contract Mapping**.

   9. Complete the relevant contract mapping.

      Learn more about contract mapping in [Configuring contract mapping](http://docs.pingidentity.com/pingfederate/12.3/administrators_reference_guide/pf_configuring_contract_mapping.html) in the PingFederate documentation. You can find a list of attributes that you can use upon successful authentication with PingID in [PingID authentication attributes](pid_authentication_attributes.html).

   10. To enable the policy, select the checkbox, and then click **Save**.

       ### Result:

       You return to the **Policy** window.

   11. Click **Done**.

3. Add any further configurations, for example:

   ### Choose from:

   * Configure Browser single sign-on (SSO). Learn more in [Configure IdP Browser SSO](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_spconnectionconfigtasklet_spbrowserssostate.html) in the PingFederate documentation.

   * Configure OAuth settings. Learn more in [OAuth configuration](http://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_oauth_config.html).
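
The policy tree built in step 2 can be checked mechanically after it is saved. The following is an added example, not code from the PingFederate or PingID documentation: it models the tree as a plain Python dict whose field names, adapter names, and contract name are assumptions, and reports any branch that reaches the policy contract without a **Success** result from both adapters, or a PingID branch whose **Incoming User ID** options differ from the ones set in step 2.

```python
"""Audit a policy tree against step 2 (added example; the schema is assumed)."""

# Constructed sample: a simplified dict model of the tree built in step 2.
# Field names are hypothetical, not PingFederate's own export format.
POLICY = {
    "source": "HTMLFormAdapter",
    "fail": {"action": "done"},
    "success": {
        "source": "PingIDAdapter",
        "incoming_user_id": {"source": "HTMLFormAdapter", "attribute": "username",
                             "user_id_authenticated": True},
        "fail": {"action": "done"},
        "success": {"action": "contract", "name": "ExampleContract"},
    },
}


def audit_policy(tree, primary, secondary):
    """Return findings; an empty list means the tree matches the procedure."""
    findings = []

    def walk(node, passed, path):
        # 'passed' holds adapters whose Success branch was taken to get here.
        if "action" in node:
            missing = [a for a in (primary, secondary) if a not in passed]
            if node["action"] == "contract" and missing:
                findings.append(f"{path}: contract reachable without {', '.join(missing)}")
            return
        src = node["source"]
        if src == secondary:
            uid = node.get("incoming_user_id", {})
            if (uid.get("source"), uid.get("attribute")) != (primary, "username"):
                findings.append(f"{path}: Incoming User ID is not {primary}/username")
            if not uid.get("user_id_authenticated"):
                findings.append(f"{path}: User ID Authenticated is not selected")
        walk(node["fail"], passed, f"{path} > {src} Fail")
        walk(node["success"], passed + [src], f"{path} > {src} Success")

    walk(tree, [], "policy")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(POLICY, "HTMLFormAdapter", "PingIDAdapter") or ["OK"]:
        print(finding)
```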
