SP authentication policies provide a means for you to impose authentication requirements on SP-initiated Browser SSO requests received at the /sp/startSSO.ping endpoint.

When you enabled this optional feature, you are creating policies that the PingFederate SP server can use to find the applicable SP adapter instance to access target applications. It is for this reason that you must configure the target applications to provide the SpSessionAuthnAdapterId parameter or the TargetResource parameter (or both) in their SP-initiated SSO requests. If you prefer to provide the TargetResource parameter without the SpSessionAuthnAdapterId parameter, you must configure one or more entries in the Service Provider > Target URL Mapping screen to map the TargetResource values to the applicable SP adapter instances.


SP authentication policies are only applicable to SP-initiated Browser SSO requests received at the /sp/startSSO.ping SP application endpoint. They are not applicable to unsolicited SSO requests received at the SP protocol endpoints.

It is also worth noting that enabling SP authentication policies does not enable authentication policies for IdP Browser SSO requests, adapter-to-adapter requests, and browser-based OAuth authorization code and implicit flows.

For more information and configuration steps, refer to the subsequent sample use cases.