Policy implementation requirements
The PingID Policy service evaluates policies and rules according to the order in which they are listed. For more information, see Viewing and reordering authentication policies.
If an application or group appears in more than one policy, only the rules in the first applicable policy listed are applied.
Allowed authentication methods are defined per policy and affect the rule actions that can be selected. For detailed information about the allowed authentication methods and their implementation, see Policy and rule authentication methods.
For web application policies:
- PingFederate groups:
  - Use of PingFederate groups is only supported by PingID Adapter 2.1 or later.
  - To use PingFederate groups, enable the PingID Adapter Query Directory flag.
  - To ensure that no conflicts arise between policies, create and order policies carefully. This is of particular importance where users appear in more than one group. If a user or application appears in more than one policy, only the rules in the first applicable policy listed are applied.
  - PingFederate groups support LDAP groups, including OUs and CNs nested under OUs.
  - PingFederate groups only support the use of a single LDAP domain per organization.
  - PingID policy supports authentication of users with a maximum of 1000 LDAP groups using the MemberOf attribute. If a user is included in more than 1000 LDAP groups, rules that relate to groups are not applied when authenticating that user. When authenticating a user with more than 1000 groups, PingID still considers rules that do not include groups. If no other rule applies, the default rule is applied.
- PingFederate apps:
  - Using PingFederate apps requires the use of the PingID integration kit.
  - PingFederate apps are not included in the list automatically. You can add PingFederate applications to the applications list while creating a new policy. For more information, see Adding a PingFederate application.
- PingOne for Enterprise applications through PingID:
  To require users to authenticate using PingID when signing on to a PingOne for Enterprise application:
  - On the details page for the application, ensure that the Force MFA option is selected. For more information, see Add or update a SAML application.
  - In the Policy section on the PingID tab, apply the relevant authentication policy to the application.
When the organization requires biometrics authentication:
- In the PingID Admin portal, go to Setup → PingID → Configuration. In the Mobile App Authentication → Device Biometrics section, if Require is selected and the policy's setting differs from it, the policy settings override the general admin configuration settings.
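The evaluation order stated on this page (policies checked in listed order, the first applicable policy wins, and group rules are skipped for users past the 1000-group MemberOf limit) as an added Python model; this is not Ping Identity's code. The policy and rule names, the action strings and the sample policies are constructed, and how a policy is matched to a user is an assumption noted in the docstring.

```python
from dataclasses import dataclass

MAX_LDAP_GROUPS = 1000  # MemberOf groups PingID evaluates per user (from the page)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # e.g. "allow", "deny", "require_mfa"
    groups: frozenset = frozenset()   # empty: the rule does not reference groups

@dataclass(frozen=True)
class Policy:
    name: str
    apps: frozenset
    groups: frozenset                 # empty: policy is scoped by app only
    rules: tuple                      # evaluated in listed order
    default_action: str               # applied when no rule matches

def evaluate(policies, app, user_groups):
    """Return (policy, rule, action) for one sign-on, or None if no policy applies.

    Assumption (not on the page): a policy applies when the app is listed in it or
    the user is in one of its groups; the 1000-group limit is modelled only where
    the page describes it, on rules that reference groups.
    """
    groups = frozenset(user_groups)
    skip_group_rules = len(groups) > MAX_LDAP_GROUPS
    for policy in policies:                       # listed order decides
        if app not in policy.apps and not (policy.groups & groups):
            continue                              # not applicable, try the next one
        for rule in policy.rules:
            if rule.groups and (skip_group_rules or not (rule.groups & groups)):
                continue                          # group rule skipped or unmatched
            return policy.name, rule.name, rule.action
        return policy.name, "default", policy.default_action   # first applicable policy wins
    return None

# Constructed sample: both policies list "payroll", so only Finance ever handles it.
SAMPLE_POLICIES = (
    Policy("Finance", frozenset({"payroll"}), frozenset({"finance"}),
           (Rule("finance-allow", "allow", frozenset({"finance"})),
            Rule("everyone-else-mfa", "require_mfa")), "deny"),
    Policy("Catch-all", frozenset({"payroll", "wiki"}), frozenset(),
           (Rule("admins-allow", "allow", frozenset({"admins"})),), "deny"),
)
# Constructed user past the documented limit: group rules are ignored for them.
OVERSIZED_MEMBERSHIP = frozenset({"finance"} | {f"g{i}" for i in range(MAX_LDAP_GROUPS)})
```

The oversized-membership case is worth checking against your own policy set: a user past the limit falls through to the group-free rules and the default rule, so a group rule that tightened or relaxed authentication no longer applies to that user.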