---
title: Authentication policies
description: Authentication policies are an optional configuration in PingFederate and help administrators implement complex authentication requirements.
component: pingfederate
version: 13.0
page_id: pingfederate:administrators_reference_guide:pf_authentication_policies
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_authentication_policies.html
revdate: July 10, 2024
section_ids:
  processing-steps: Processing steps
---

# Authentication policies

Authentication policies are an optional configuration in PingFederate and help administrators implement complex authentication requirements.

Administrators can configure one or more authentication selector instances to evaluate conditions of the requests, then define policies that route each request to a series of approved authentication sources or deny it, based on the results from the authentication selector instances, authentication sources, or both. Administrators can also reuse an authentication policy by ending it with an authentication policy contract or a local identity profile and applying the authentication policy contract in multiple use cases.

![A diagram of the OIDC, OAuth, and SAML authentication policies workflow. For details, read the processing steps.](_images/htz1640120892931.png)

## Processing steps

1. A client-initiated authentication request is sent to PingFederate.

2. PingFederate evaluates the authentication policy, which defines the decision to route a request through a series of approved authentication sources.

3. The authentication policy is [mapped](pf_mapp_auth_policy.html) to the [policy contract](pf_policy_contracts.html).

4. The authentication policy determines how the user signs on and drives the authentication experience, such as form-based authentication, Kerberos authentication, or multi-factor authentication (MFA), an electronic authentication method where a user is granted access only after presenting two or more verification factors for authentication.

   PingFederate can enforce authentication policies based on the requesting OAuth client. It can also enforce policy rules only for authentication policy contract branches that are mapped to an access token manager (ATM). Learn more in [Policies](qmq1564002987890.html).

5. For an OIDC/OAuth flow, the policy contract checks the attribute contract connected to authentication sources or datastores. For a SAML connection, the policy contract checks the SAML connection tied to the policy contract.

   For an OIDC authentication flow, you must set up an OIDC application in PingFederate. Learn more in [Setting up an OIDC application in PingFederate](https://docs.pingidentity.com/solution-guides/customer_use_cases/htg_oidc_app_setup_pf.html).

6. The authentication request either succeeds or fails based on the results of the policy evaluation and authentication requirements.
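The routing in these steps can be pictured as a decision tree of selectors and authentication sources that ends in a policy contract or a denial. The following is an added example, not PingFederate code or its configuration format: a simplified Python model with hypothetical selector, source, and contract names that evaluates one request and lists every route reaching a policy contract without passing a given authentication source.

```python
# Simplified model of an authentication policy tree (constructed sample, not
# PingFederate's configuration format). All names below are hypothetical.
DENY = {"deny": True}
MFA_THEN_CONTRACT = {"source": "MFA", "success": {"contract": "EmployeeAPC"}, "fail": DENY}
FORM_THEN_MFA = {"source": "HTMLForm", "success": MFA_THEN_CONTRACT, "fail": DENY}
POLICY = {
    "selector": "InternalNetwork",
    "branches": {
        # Kerberos success goes straight to the contract; failure falls back.
        "yes": {"source": "Kerberos",
                "success": {"contract": "EmployeeAPC"},
                "fail": FORM_THEN_MFA},
        "no": FORM_THEN_MFA,
    },
}


def evaluate(node, results):
    """Walk the tree for one request; results maps selector/source name to its outcome."""
    while True:
        if "contract" in node:
            return "contract:" + node["contract"]
        if "deny" in node:
            return "deny"
        if "selector" in node:
            # An unmatched selector result denies rather than falling through.
            node = node["branches"].get(results.get(node["selector"]), DENY)
        else:
            node = node["success"] if results.get(node["source"]) == "success" else node["fail"]


def paths_to_contracts(node, passed=()):
    """Yield (contract, sources passed successfully) for every route to a contract."""
    if "contract" in node:
        yield node["contract"], passed
    elif "selector" in node:
        for child in node["branches"].values():
            yield from paths_to_contracts(child, passed)
    elif "source" in node:
        yield from paths_to_contracts(node["success"], passed + (node["source"],))
        yield from paths_to_contracts(node["fail"], passed)


def contracts_reached_without(node, required_source):
    """Audit: routes that end in a contract without passing required_source."""
    return [(c, p) for c, p in paths_to_contracts(node) if required_source not in p]
```

Running `contracts_reached_without(POLICY, "MFA")` on this constructed tree reports the Kerberos-only route, which is the kind of branch to review when a contract is reused across several use cases.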
