--- title: SSO to the PingOne for Enterprise admin portal with multi-factor authentication description: If you have configured single sign-on (SSO) to the admin portal, you can improve security by requiring multi-factor authentication (MFA) using PingID. component: pingoneforenterprise page_id: pingoneforenterprise:pingone_for_enterprise:p14e_sso_admin_portal_mfa canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_sso_admin_portal_mfa.html revdate: December 6, 2022 section_ids: before-you-begin: Before you begin about-this-task: About this task steps: Steps choose-from: Choose from: next-steps: Next steps --- # SSO to the PingOne for Enterprise admin portal with multi-factor authentication If you have configured single sign-on (SSO) *(tooltip: \
\

The process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without reauthenticating.\

\
)* to the admin portal, you can improve security by requiring multi-factor authentication (MFA) *(tooltip: \
\

An electronic authentication method where a user is granted access only after presenting two or more verification factors for authentication.\

\
)* using PingID. ## Before you begin You must complete the following: * [Configuring SSO to the PingOne for Enterprise admin portal](p14e_configuring_sso_p14e_admin_portal.html) * [Configure PingID authentication](https://docs.pingidentity.com/pingid/pingid_service_management/pid_configuring_app_group_authentication_policy.html) | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | MFA to the PingOne for Enterprise admin portal is enforced through PingOne for Enterprise, so even if you've configured PingFederate for PingID authentication, you still need to enable a PingOne for Enterprise authentication policy for PingID.Learn more in [Create or update an authentication policy](p14e_create_update_authentication_policy.html). | ## About this task | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If the username your administrator uses for SSO to the admin console differs from the email address they use for PingOne for Enterprise, PingID treats that username as a separate identity.You can streamline the admin SSO experience with the following recommended configuration:1) Configure SSO for administrators. For more information, see [Configuring SSO to the PingOne for Enterprise admin portal](p14e_configuring_sso_p14e_admin_portal.html). 2) Remove administrative users who use an email rather than a username for sign on. If necessary, create new administrative users and select the **SSO Admin** checkbox. For more information, see [Assign administrative roles](p14e_assign_administrative_roles.html). 3) When enabling MFA (see step 7 below), select **SSO Username**as the SSO method for admin users.If your admin users' usernames are the same as the email address that they use to sign on to the admin portal, you can ignore this configuration because usernames will be the same for PingID. | ## Steps 1. In the PingOne for Enterprise admin portal, go to **Setup > Authentication Policy**. 2. Click **Edit**. 3. Select **Enable authentication policy**. 4. On the **Apply policy to** line, click **Selected groups** and select the checkboxes of the groups assigned as administrative groups. | | | | - | ---------------------------------------------------------------------------------------- | | | To improve security, click **All cases** to require all users to authenticate using MFA. | 5. Select the **Apply authentication policy to PingOne Admin Portal** checkbox. 6. **Optional:** In the **Do not apply authentication policy to** list, select an administrator. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Exempting a designated administrator from the authentication policy allows that administrator to sign on to the admin portal in case of problems with PingID. | 7. In the **PingID username attribute for SSO admins** line, select an SSO method for administrators: ### Choose from: * **SSO Username**: Administrators sign on using their username and PingID devices as they would to sign on to the PingOne Dock. * **Email**: Administrators sign on using their email address and PingID devices as they would to sign on to the admin portal. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Selecting **Email** is not recommended unless you intend for admins to sign on through SSO as well as directly using their email and password. This will usually require admins to maintain a second set of PingID devices specifically for admin access. | 8. Select the **Apply to all sign-on attempts** checkbox. 9. Click **Save**. ## Next steps If you want to configure an advanced PingID authentication policy for your administrative users, see [Configuring an app or group-specific authentication policy](https://docs.pingidentity.com/pingid/pingid_service_management/pid_configuring_app_group_authentication_policy.html) in the PingID documentation.