PingOne

Configuring a sign-on policy

A sign-on policy dictates how the user’s identity will be verified when signing on to the system.

A multi-factor policy could require evidence to verify a user’s identity, such as a time-based one-time password (TOTP) authenticator app, FIDO2 biometrics, a push notification sent to the user’s mobile device, or a one-time passcode (OTP) sent over SMS, voice, or email. A sign-on policy could also be configured for device authorization, which takes place in the background and is transparent to the user.

You can set conditions that determine whether the policy will be applied. For example:

  • For certain populations, policy conditions can require multi-factor authentication (MFA) for every sign-on.

  • For other populations, MFA is not required if the most recent sign-on occurred within a specified time limit.

  • If no conditions are specified, users are required to sign on every time they access the application.

The authentication flow is configured at the application level through a sign-on policy. If you don’t assign a sign-on policy to your web application, it uses the environment’s default sign-on policy. You can create multiple sign-on policies and associate them with different OIDC applications.

Policies are applied in the order in which they appear in the list. PingOne evaluates the first policy in the list first. If the requirements of the policy are not met, PingOne moves to the next policy in the list.

Configuring a sign-on policy (console)

Steps

  1. Go to Authentication → MFA.

  2. Click Add Policy.

  3. Enter an appropriate Policy Name.

    For example, MFA-only.

  4. In the Step Type list, select Multi-factor Authentication.

  5. In MFA Policy, select a policy to specify which applications users can access and the ways in which they authenticate themselves.

    For more information and additional configuration options, see Adding a multi-factor authentication step.

  6. In None or Incompatible Methods, choose one of the following:

    • Block. If the end user has no compatible MFA devices, then block the user from signing on.

    • Bypass. If the end user has no compatible MFA devices, then skip the MFA step.

  7. Leave all the Required When options cleared so that this policy always triggers.

  8. Click Save.
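The evaluation order described above (policies tried in list order, a policy whose Required When conditions are not met is skipped, and the None or Incompatible Methods setting deciding the fate of a user with no compatible device) is easier to reason about with a small model. The following Python is an added illustration, not PingOne code and not its API; the policy fields, the two conditions (population and age of the last sign-on) and the outcome names are assumptions of the model.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Illustrative model of the sign-on policy evaluation order; not PingOne code.
# Field names, condition types and outcome labels are assumptions of this model.

@dataclass
class SignOnPolicy:
    name: str
    allowed_methods: Set[str]                            # methods the selected MFA policy accepts
    populations: Set[str] = field(default_factory=set)   # Required When: empty = any population
    max_sign_on_age: Optional[timedelta] = None          # Required When: last sign-on older than this
    no_device_mode: str = "BLOCK"                        # None or Incompatible Methods: BLOCK or BYPASS

@dataclass
class User:
    population: str
    mfa_devices: Set[str]
    last_sign_on: Optional[datetime]

def applies(policy: SignOnPolicy, user: User, now: datetime) -> bool:
    """A policy with no conditions always triggers; otherwise every set condition must hold."""
    if policy.populations and user.population not in policy.populations:
        return False
    if policy.max_sign_on_age is not None and user.last_sign_on is not None:
        if now - user.last_sign_on <= policy.max_sign_on_age:
            return False   # recent sign-on: this policy does not require MFA
    return True

def evaluate(policies: List[SignOnPolicy], user: User, now: datetime) -> Tuple[str, Optional[str]]:
    """Walk the ordered list; the first policy whose requirements are met decides the outcome."""
    for policy in policies:
        if not applies(policy, user, now):
            continue   # requirements not met: move to the next policy in the list
        if user.mfa_devices & policy.allowed_methods:
            return "MFA", policy.name
        return policy.no_device_mode, policy.name   # BLOCK or BYPASS the MFA step
    return "NO_MFA_STEP", None   # no policy triggered for this sign-on

# Constructed sample: admins always get MFA; staff only when the last sign-on is older than 8 h.
POLICIES = [
    SignOnPolicy("Admins-always-MFA", {"TOTP", "FIDO2"}, populations={"admins"}),
    SignOnPolicy("Staff-8h", {"TOTP", "SMS"}, populations={"staff"},
                 max_sign_on_age=timedelta(hours=8), no_device_mode="BYPASS"),
]
NOW = datetime(2024, 1, 1, 12, 0)

def audit_no_mfa(policies: List[SignOnPolicy], users: List[User], now: datetime) -> List[Tuple[str, str]]:
    """Defender check: which users would reach the application without an MFA step, and why."""
    results = [(u.population, evaluate(policies, u, now)[0]) for u in users]
    return [(pop, outcome) for pop, outcome in results if outcome in ("BYPASS", "NO_MFA_STEP")]
```

Running audit_no_mfa over a representative set of users shows which populations the ordered policy list leaves without an MFA step, which is the question to ask before enabling Bypass.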

Configuring a sign-on policy (API alternative)

About this task

Application developers can use the API operations to create a sign-on policy.

Use the access token generated through the worker app and follow the steps in Sign-on policies in the API reference.
