You can require a user’s authenticating device to be in the company offices when signing on from within the company network. In addition, you can choose to silently authenticate the user without requiring active user intervention in the authentication process for in-network access.


To apply the PingID policy features that require IP address information, the client's IP address must be provided first. For more information, see Prerequisites: Pingfederate RADIUS server.

Note: To ensure location-based policies are applied, you must also ensure location collection is enabled at the organization level (see Enabling or disabling location collection).
  1. From within the relevant policy, click + Add Rule and from the Conditions list, select Accessing from company network.
    A screen capture of the + Add Rule list displaying the Accessing from company network option.
  2. From the Action list:
    • Approve: Approves access without requiring PingID authentication.
    • Authenticate: Allows a user to authenticate using any of the authentication methods allowed at the policy level.

      If more than one authentication method is available, the method initiated by default is the method most recently paired by the user that is authenticating.

    • Select a specific authentication method. The options listed are defined by those configured at policy level. For a description of each authentication type, see Rule authentication actions.
  3. In the IP Addresses field, enter a list of external IP addresses or ranges that belong to the company network.

    Enter the IP addresses or ranges using CIDR notation with each entry on its own line.

  4. To require a user's authenticating device to be in the company offices when signing on from within the company network, in the Authenticating Device In Company Offices field, click Enable and then define one or more company office locations.

    If you are defining a company office in addition to an IP address, in the Allowed Authentication Method section, select the Swipe, Mobile App Biometrics, or One-time passcode check box to define an authentication method to apply this rule.

    The Office Locations wizard opens, enabling you to define one or more office locations. If the authenticating device is located within one of the defined areas, it is considered to be inside a company office.
    A screen capture of the Authenticating Device In Company Offices section configuration.
  5. To define additional office locations:
    1. Click + Add office or enter an address in the search box.
      A blue circle appears on the map, defining the office area.
      A screen capture of the Authenticating Device In Company Offices policy configuration displaying the Office Locations section with a defined office location.
    2. Click center of the circle to edit the coordinates.

      A screen capture of the blue circle on a map defining the office area.
      • To reposition the circle, click and drag the white dot at the circle's center to the desired location.
      • To resize the circle, click and drag any white dot on the circle's rim.
      • To add another office location, click a location outside the circle. A new circle is added.
    3. To edit an office location, click the Pencil icon () and edit the name.

      By default, the location is named after its street address.

      A screen capture of the Office Locations section listing the defined office location by its street name.
    4. To delete an office address, click the Minus icon ( ).

    If you edit or delete offices in the Office Locations list, changes are applied to all rules that specify office locations.

  6. In the Policy list, click and drag the new rule and place it in the order in which you want it to be considered. Click Save Order.
  7. Click Save.
To ensure the policy is applied to your organization, go to PingID > Configuration and ensure Enforce Policy is set to Enabled.