---
title: Creating or updating an authentication policy
description: An authentication policy allows you to use PingID to provide multi-factor authentication (MFA) to the single sign-on (SSO) process for your users or for subsets of your users.
component: pingid
page_id: pingid:pingid_integrations:pid_creating_updating_authentication_policy
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_creating_updating_authentication_policy.html
revdate: April 21, 2026
section_ids:
  steps: Steps
  choose-from: Choose from:
  choose-from-2: Choose from:
  result: Result
  next-steps: Next steps
---

# Creating or updating an authentication policy

An authentication policy allows you to use PingID to provide multi-factor authentication (MFA) to the single sign-on (SSO) process for your users or for subsets of your users.

By default, the policy is applied to all users and all applications, but you can select a filter to define the scope of the policy and assign the applications to include in the policy.

The authentication policy is applied to any new SSO sessions for Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) applications.

|   |                                                                                                                                           |
| - | ----------------------------------------------------------------------------------------------------------------------------------------- |
|   | Applications that were added to PingOne that use basic SSO or an SSO URL cannot be included in the authentication context for the policy. |

After you enable your PingOne authentication policy, it works in conjunction with any PingID policies you want to configure. For more information, see [PingID policy settings](../pingid_service_management/pid_policy_settings.html).

|   |                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | If you change the identity bridge you're using, this can break any group filtering you include in your authentication policy. In this case, you must update your group assignments on the User Groups page and change the group filtering for your policy. Learn more in [Authorize group access to applications](http://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_authorize_group_access_applications.html). |

## Steps

1. Go to **Setup > Authentication Policy**.

2. Select **Enable Authentication Policy**.

3. **Required:** Select PingID as the authentication provider to use for the policy.

   If you don't select PingID, no PingID policies are applied for PingOne SSO.

4. In the **Authentication Filter** section, select one of the **Apply policy to** options:

   ### Choose from:

   * Click **All cases** to apply the policy to all users.

   * Click **Selected groups** to apply the authentication policy only to users who are members of the selected groups.

     |   |                                                                                      |
     | - | ------------------------------------------------------------------------------------ |
     |   | Don't use the underscore (\_) or percent (%) characters in your search filter entry. |

   * Click **All IPs except** to apply the authentication policy to all users except those whose IP address is in the list or block of IP addresses that you specify. The addresses must be IPv4 addresses in dot-decimal format (123.123.123.123) or an IPv4 address block in CIDR format (123.123.123.0/24).

5. In the **PingOne Admin Portal Configuration** section, select whether you want the policy to be applied to the PingOne admin portal.

   |   |                                                                                                                       |
   | - | --------------------------------------------------------------------------------------------------------------------- |
   |   | This option is displayed only if you've upgraded to the new PingOne dock. Go to **Setup > Dock** to upgrade the dock. |

   If you choose to apply the policy to the admin portal, you can also select the email address of a PingOne administrator to whom the policy does not apply.

   This administrator can bypass any authentication policy applied to the admin portal. Sign-on credentials for the admin portal are required for the administrator.

6. In the **Authentication Policy Context** section, specify the context where the policy will be applied.

   ### Choose from:

   * If you want to prompt MFA for all user attempts to SSO to SAML applications, select the **Apply to all sign-on attempts** option.

   * If you want to prompt MFA only for specific applications, clear the **Apply to all sign-on attempts** option, and then under **Apply on application launch**, select the applications for which MFA should be triggered. If you have many applications, you can use the filter box to reduce the number of applications that are displayed in the list. The policy will only be applied to the applications that you select and to those you add with the **Force MFA** setting enabled. Learn more in [Managing applications](http://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_managing_applications.html) in the PingOne for Enterprise documentation.

7. Click **Save**.
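For the **All IPs except** option in step 4, every listed address or block is excluded from the policy, so it is worth checking the list before you save it. The following Python sketch is an added example, not Ping Identity code: it checks entries against the formats stated in that step (IPv4 dot-decimal or CIDR) and flags entries that cover more than was probably intended. The `MIN_PREFIX` review threshold and the sample entries are assumptions of this example.

```python
import ipaddress

# Assumption of this example, not a PingID limit: blocks wider than /16 get reviewed.
MIN_PREFIX = 16

def check_entry(entry):
    """Classify one entry as ('ok' | 'review' | 'invalid', detail)."""
    text = entry.strip()
    addr_part, slash, prefix_part = text.partition("/")
    # The page allows IPv4 only, in dot-decimal form: four decimal octets.
    octets = addr_part.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return ("invalid", "not an IPv4 dot-decimal address")
    # CIDR format means a numeric prefix length, not a dotted netmask.
    if slash and not prefix_part.isdigit():
        return ("invalid", "prefix must be a number from 0 to 32")
    try:
        net = ipaddress.IPv4Network(text if slash else text + "/32", strict=False)
    except ValueError as exc:  # octet above 255, prefix above 32, ...
        return ("invalid", str(exc))
    size = net.num_addresses
    # Host bits set (e.g. x.x.x.7/24): the whole block is covered, not one host.
    if ipaddress.IPv4Address(addr_part) != net.network_address:
        return ("review", f"host bits set; covers {net} ({size} addresses)")
    if net.prefixlen < MIN_PREFIX:
        return ("review", f"{net} excludes {size} addresses from the policy")
    return ("ok", f"{net} ({size} addresses)")

def audit(entries):
    """Group entries by status: {status: [(entry, detail), ...]}."""
    report = {"ok": [], "review": [], "invalid": []}
    for entry in entries:
        status, detail = check_entry(entry)
        report[status].append((entry, detail))
    return report

# Constructed sample list using documentation ranges, not real configuration.
SAMPLE = [
    "203.0.113.10", "198.51.100.0/24",            # expected: ok
    "198.51.100.7/24", "10.0.0.0/8", "0.0.0.0/0",  # expected: review
    "2001:db8::1", "192.0.2.300", "192.0.2.0/255.255.255.0",  # expected: invalid
]

if __name__ == "__main__":
    for status, items in audit(SAMPLE).items():
        for entry, detail in items:
            print(f"{status:8} {entry:26} {detail}")
```
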

## Result

The authentication policy is applied to all new user SSO sessions.

## Next steps

* You can configure PingID policies to further refine your secondary level of authentication. For more information, see [Web authentication policy configuration](../pingid_service_management/pid_web_authentication_policy_configuration.html).

* Learn more about applying the authentication policy to the admin portal in [SSO to the PingOne admin portal with multi-factor authentication](http://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_sso_admin_portal_mfa.html) in the PingOne for Enterprise documentation.

* Learn more about using the PingFederate identity bridge in [SSO to the PingOne admin portal from PingFederate](http://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_sso_p14e_admin_portal_pingfed.html) in the PingOne for Enterprise documentation.
