---
title: Adding an experience - Identity Provider First (early access)
description: Quickly add an Identity Provider First experience in the PingOne Design Center.
component: pingone
page_id: pingone:early-access-features:ea-p1_design_center_add_experience_idp_first
canonical_url: https://docs.pingidentity.com/pingone/early-access-features/ea-p1_design_center_add_experience_idp_first.html
revdate: March 5, 2026
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  result: Result
---

# Adding an experience - Identity Provider First (early access)

You can add sign-on experiences from the PingOne **Design Center** page.

The **Identity Provider First** experience allows users to access your applications by bypassing the PingOne sign-on prompt and authenticating directly with the external identity provider (IdP). PingOne provides multi-factor authentication (MFA).

## Before you begin

You must have the Environment Admin role or a custom role with equivalent permissions to add experiences.

You must have at least one external IdP configured in your environment to select this experience. Learn more in [External IdPs](../integrations/p1_external_idps.html).

## Steps

1. In the PingOne admin console, go to **Orchestration > Design Center** and click the **Plus** icon.

2. On the **Choose a Sign-On Pattern** page, click **Identity Provider First**, then click **Next**.

   ![A screenshot of the Choose a Sign-on Pattern page with the Identity Provider First sign-on pattern selected. The right panel shows a preview of the experience you're building.](_images/p1-experiences-choose-sign-on-type-idp.png)

   You configure the experience using controls in the left pane. As you update your configuration, the **Preview** pane on the right updates to display a visualization of the experience you're building.

3. On the **Details** tab, enter a name and description for the experience, then click **Next**.

4. On the **First Factor** tab, in the **Redirect-Based Sign-In** section, select an IdP in the list and click **Add Identity Provider**.

   ![A screenshot of the First Factor tab for an Identity Provider First experience. An Identity Provider is being added in the Redirect-Based Sign-In section.](_images/p1-experiences-idp-first-first-factor.png)

5. (Optional) Click the **More Options** (⋮) icon and select **Edit Identity Provider** to view and edit the IdP in a new tab, or click **Remove** to remove the IdP from the list.

6. Select the **Session Timeout** option to require users to reauthenticate after the specified time period.

   After you select this option, configure the time period by selecting a number and a unit of time in the **Authentication Timeout** fields. For example, if you select **4 Hours**, users must sign on again if their last sign-on was more than 4 hours ago.

   ![A screenshot of the Session Timeout option. The Session Timeout option is selected, and the Authentication Timeout is set to 4 hours.](_images/p1-design-center-session-to.png)

   If you configure PingOne Protect features in your experience, this setting might be overridden based on the risk policy selected and whether a potential security risk is indicated. Learn more in [Risk policies](../threat_protection_using_pingone_protect/p1_protect_risk_policies.html).

7. Click **Next**.

8. (Optional) On the **MFA and Security** tab, select **Enable Multi-Factor Authentication** to require MFA in the experience, then configure the MFA settings:

   * **Multi-Factor Authentication**: Select one of the following two options for MFA:

     * **Adaptive MFA (Risk-based)**

       Applicable only to environments that include PingOne Protect.

       After you select this option, select a risk policy in the **Policy to Evaluate** list.

       Based on the selected policy, risk signals are evaluated to determine whether to require users to complete an MFA step. For example, the policy might require MFA only when a user is signing on from a new device or location.

       This list only shows risk policies that include a mitigation rule configured to support MFA. The Returned Action for the mitigation must be one of the following:

       * Deny: Don't allow the user to sign on if the risk policy is triggered.
       * MFA: Prompt the user to complete an MFA step if the risk policy is triggered.
       * Approve: Allow the user to sign on without requiring MFA even if the risk policy is triggered.

       Learn more in [Risk policies](../threat_protection_using_pingone_protect/p1_protect_risk_policies.html).

     * **Standard MFA**

       You must have at least one MFA policy configured in the environment to use this option.

       After you select this option, select an MFA policy in the **Policy to Evaluate** list. Based on the policy, users must confirm their identity during sign on using a second factor enabled in the policy. Learn more in [Configuring an MFA policy for strong authentication](../strong_authentication_mfa/p1_creating_an_mfa_policy_for_strong_auth.html).

     ![A screenshot of the Multi-factor Authentication section. The Adaptive MFA (Risk-based) option is selected.](_images/p1-experiences-mfa-security-options.png)

   * **MFA Session Timeout**: Select to require users to complete MFA again after a specified time period. This option is independent of the **Session Timeout** option, which determines when users must reauthenticate with their primary credentials. With **MFA Session Timeout** enabled, users must complete an MFA step again if their session exceeds the specified time period.

     After you select this option, configure the time period by selecting a number and a unit of time in the **MFA Session Timeout** fields. For example, if you select **12 Hours**, users must complete an MFA step again if their last MFA prompt was completed more than 12 hours ago.

     ![A screenshot of the MFA Session Timeout options in Design Center. The timeout is set to 12 Hours.](_images/p1-design-center-mfa-session-to.png)

     If you've enabled adaptive (risk-based) MFA in the experience, the risk policy might override this setting based on the policy settings and whether or not a potential security risk is indicated. Learn more in Risk policies.

   * **MFA Enrollment**: Select to allow users to sign on with just their username and password, but then require them to configure a second authentication method, such as a passkey or one-time passcode (OTP).

     After you select this option, select the applicable MFA policy from the **Policy to Evaluate** list. Allowed methods are determined by the MFA policy you select.

     To require users to enroll in MFA during sign-on, select the **MFA Enrollment Required** checkbox. If disabled, users who didn't enroll an MFA device during registration are prompted to enroll during their next authentication.

9. Click **Next**.

10. On the **Summary** tab, review the selections you've made for your authentication experience.

11. Click **Save**.

## Result

After you save the experience, you're returned to the **Design Center** and the following occurs:

* The new experience is available in the list of available experiences in the **Design Center**. You can edit, duplicate, or delete experiences from this list.

  ![A screenshot of the Design Center page showing the list of three available experiences and the More Options menu.](_images/p1-design-center-list-experiences-with-menu.png)

* The unique read-only sign-on and registration forms for the experience are listed in the **Design Center Forms** section of the **DaVinci Forms** page. You can view the forms, but you can't edit them directly. If you want to customize the forms, you can duplicate them and edit the copies. Learn more in [Forms](../user_experience/p1_forms.html).

  ![A screenshot of the Forms page showing the read-only forms for experiences.](_images/p1-design-center-read-only-forms.png)

  If you created an **Identity Provider First** experience or another experience for which you didn't enable registration, there won't be a registration form.

  Additional read-only forms are created and shared across experiences.

* The experience is available on the **Policies** tab for applications as a DaVinci flow policy that you can assign to the application. Learn more in [Authentication policies for applications](../applications/p1_auth_policies_for_applications.html) and [Applying authentication policies to an application](../applications/p1_apply_auth_policy_to_applications.html).

  ![A screenshot of the DaVinci Policies tab for an application showing several experiences which are outlined with a red box.](_images/p1-experiences-in-app-for-policy-selection.png)

* The experience is available in the PingOne DaVinci admin console as a read-only DaVinci flow. If you want to view the flow, you can click **DaVinci** in the PingOne sidebar to open the DaVinci admin console, and then click **Flows**. The applicable flows include a **Design Center** label.

  If you want to refine your experience further to use it for more complex use cases, you can clone and edit the flow in DaVinci.

  You must have the DaVinci Admin role or a custom role with equivalent permissions to clone and customize these flows. If you only want to view the flow, you can have the DaVinci Admin Read Only role or a custom role with equivalent permissions.

  Learn more in [Cloning a flow](https://docs.pingidentity.com/davinci/flows/davinci_cloning_a_flow.html) and [How to manage flows](https://docs.pingidentity.com/davinci/flows/davinci_how_to_manage_existing_flows.html) in the DaVinci documentation.

  ![A screenshot of the DaVinci admin console showing two read-only flows for experiences.](_images/p1-experiences-read-only-flow-in-dv.png)
