---
title: Create or update an authentication policy
description: An authentication policy enables you to use PingID to provide a secondary level of authentication (multi-factor authentication) to the single sign-on (SSO) process for your users, or for some subset of your users.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise:p14e_create_update_authentication_policy
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_create_update_authentication_policy.html
revdate: December 13, 2021
section_ids:
  about-this-task: About this task
  steps: Steps
  authentication-filter: Authentication Filter
  choose-from: Choose from:
  pingone-admin-portal-configuration: PingOne Admin Portal Configuration
  choose-from-2: Choose from:
  authentication-policy-context: Authentication Policy Context
  result: Result:
  next-steps: Next steps
---

# Create or update an authentication policy

An authentication policy enables you to use PingID to provide a secondary level of authentication (multi-factor authentication) to the single sign-on (SSO) process for your users, or for some subset of your users.

## About this task

By default, the policy is applied to all users and all applications, but you can filter the policy by user group, IP, and application.

The authentication policy is applied to any new SSO sessions for SAML or OpenID Connect applications. Applications that have been added to PingOne for Enterprise that use Basic SSO or an SSO URL cannot be included in the authentication context for the policy.

Once enabled, your PingOne for Enterprise authentication policy works in conjunction with any PingID policies you have configured. For more information, see [PingID policy overview](https://support.pingidentity.com/s/document-item?bundleId=pingid&topicId=uty1564020451662.html).

> Changing to a different identity bridge can break any group filtering you include in your authentication policy. In this case, you will need to update your group assignments at **Users > User Groups** and change the group filtering for your policy. For more information, see [Managing users by group](p14e_managing_users_by_group.html).

## Steps

1. Go to **Setup > Authentication Policy**.

2. Select **Enable Authentication Policy**.

3. Select PingID as the authentication provider to use for the policy.

   If you don't select PingID here, no PingID policies will be applied for PingOne SSO.

## Authentication Filter

1. For **Apply policy to**, select a filter to define how the policy is to be applied:

   ### Choose from:

   * **Selected groups**. Applies the authentication policy only to users who are members of the selected groups.

   * **All IPs except**. Applies the authentication policy to all users except those whose IP address is specified or contained within a block of IP addresses. The addresses need to be IPv4 addresses in dot-decimal format (123.123.123.123), or an IPv4 address block in CIDR format (123.123.123.0/24).

   * **All cases**. Applies the policy to all users. This is the default option.
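
Every entry under **All IPs except** removes the second factor for the addresses it covers, so the list is worth reviewing before you enter it. The following is an added example, not Ping Identity code: it checks a constructed list against the IPv4 dot-decimal and CIDR formats described above and shows which clients would be exempt. The host-bit rule and the `BROAD_PREFIX` threshold are assumptions made for this review, not product behavior.

```python
import ipaddress

# Assumption: blocks of /16 or larger are flagged for a second look.
BROAD_PREFIX = 16

# Constructed sample input, not taken from any real tenant.
SAMPLE = ["123.123.123.123", "123.123.123.0/24", "10.0.0.0/8",
          "2001:db8::/32", "10.1.2.3/24", "0.0.0.0/0"]


def parse_exclusions(entries):
    """Return (valid IPv4 networks, [(entry, reason)] for rejected entries)."""
    networks, rejected = [], []
    for raw in entries:
        text = raw.strip()
        # Accept only a prefix length after "/", not a dotted netmask.
        if "/" in text and not text.rsplit("/", 1)[1].isdigit():
            rejected.append((text, "not CIDR prefix notation"))
            continue
        try:
            # Assumption: reject blocks with host bits set (10.1.2.3/24),
            # which usually indicate a typo in the intended range.
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            rejected.append((text, str(exc)))
            continue
        if net.version != 4:
            rejected.append((text, "not IPv4"))
            continue
        networks.append(net)
    return networks, rejected


def broad_blocks(networks):
    """Networks that exempt a large address range from the policy."""
    return [n for n in networks if n.prefixlen <= BROAD_PREFIX]


def is_exempt(client_ip, networks):
    """True if the client falls in an excluded block (policy not applied)."""
    addr = ipaddress.ip_address(client_ip)
    return addr.version == 4 and any(addr in n for n in networks)


if __name__ == "__main__":
    nets, bad = parse_exclusions(SAMPLE)
    print("accepted:", [str(n) for n in nets])
    print("rejected:", bad)
    print("broad:", [str(n) for n in broad_blocks(nets)])
```

A single address is treated as a /32 block, and an entry such as `0.0.0.0/0` is accepted as valid syntax but exempts every IPv4 client, which is why it appears in the broad list.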

## PingOne Admin Portal Configuration

1. Select **Apply authentication policy to PingOne Admin Portal** to apply this policy to administrators who sign on through the PingOne admin portal.

   > This option is displayed only if you've upgraded to the new PingOne dock. Go to **Dock > Configuration** to upgrade the dock.

2. **Optional:** If you don't want to apply the policy to a specific user, such as a global administrator, select the user from the **Do not apply authentication to** dropdown list.

3. Select how you want SSO administrators to authenticate.

   ### Choose from:

   * Select **SSO username** to prompt SSO administrators to authenticate using the PingID factors required for SSO users.

   * Select **Email** to prompt SSO administrators to authenticate using the factors required for them to sign on to the admin portal.

## Authentication Policy Context

1. Select the **Apply to all sign-on attempts** box to apply the policy to all attempts to SSO to SAML applications. Clear the box to apply the policy only to select applications.

   When you select this option, you do not need to select applications for the **Apply on application launch** option.

   For more information, see [Configure an app or group-specific authentication policy](https://support.pingidentity.com/s/document-item?bundleId=pingid&topicId=ytv1564020450829.html) in PingID documentation.

2. **Optional:** Enter a search term in the text box to filter applications by name.

   > Do not use the underscore (\_) or percent (%) characters in your search filter entry.

3. Select the checkboxes for the applications you want to apply the policy to at launch.

   You must select at least one application if you did not select **Apply to all sign-on attempts**.

4. Click **Save**.

   ### Result:

   The authentication policy is applied to all new user SSO sessions.

## Next steps

You can now configure PingID policies to further refine your secondary level of authentication. For more information, see [Configure web authentication policy](https://support.pingidentity.com/s/document-item?bundleId=pingid&topicId=vyd1564020452400.html).

If you want to apply the authentication policy to the admin portal, see [SSO to the PingOne for Enterprise admin portal with multi-factor authentication](p14e_sso_admin_portal_mfa.html).

If you're using the PingFederate identity bridge, refer to [SSO to the PingOne for Enterprise admin portal from PingFederate](p14e_sso_p14e_admin_portal_pingfed.html).
