Configure policies that are tailor-made for your system. For example, you can configure a policy for your HR group that applies only to several sensitive HR-related apps. You could also create three different policies for a high-security app, giving different authentication policies to the Management group, the General User group, and the Contractor group.

If an app or group is included in more than one policy, only the first policy in which it is listed will be applied. If no policy exists for a specific application when a user signs on and attempts to access that application, the global policy (default policy) is applied.


If you are interested in using the PingID API to create and update web authentication policies, see Web Authentication Policy API.

The following apps appear in the Policy Apps list by default:

  • AD FS: Enables you to apply an authentication policy to users when Microsoft AD FS is the identity provider (IdP). For more information, see Integrate PingID with AD FS.
  • Admin Portal: Enables you to apply an authentication policy to admins when accessing the admin portal.
  • Azure AD: Enables you to apply an authentication policy to users when Microsoft Azure AD is the IdP. For more information, see Integrate PingID with Azure AD.
  • Device Management: Enables you to apply an authentication policy to users when they authenticate to PingID's out-of-the-box Devices page. The Devices page is used to add, remove, or change the devices a user has associated with their account. For more information, see Devices.
  • Password Reset: Enables you to apply an authentication policy to users requesting a password reset using the self-service password reset service from PingFederate. This service is accessed through the password reset link that appears on the sign-on page when PingFederate is the IdP. For more information, see Configure self-service password reset.

The default policy is a global policy that defines the rules that will be applied to any application in your organization where an application-specific policy is not defined. For more information, see Configure a global authentication policy.

  1. In PingOne, go to Setup > PingID > Settings > Policy.
    A screen capture of the PingOne Policy page displaying the ordered list of all the existing policies.
  2. Click + Add Policy.

    The New Policy wizard opens.

  3. In the Name field, enter a name for the policy.
    A screen capture of the New Policy wizard configuration page displaying the Name field, Applications, Groups, and Methods sections.
  4. In the Applications section, use the controls to select the applications to which the policy should apply. You must select at least one application. By default, the list shows the applications that you have defined in PingOne. To add PingFederate applications to the list, click the Add Application button. For more information, see Adding a PingFederate application.
    • List display items are limited to 300 for Applications and Groups. Use the search box to search for a specific application or group.
    • The All Applications/Groups/Methods check box selects all existing items and automatically applies any additional items that are added to PingID in the future.

    App-specific policies require the PingID Adapter 1.4 or later.

  5. In the Groups section, select the check box for each group to which you want the policy to apply. You must select at least one group. If you want to apply the policy to all user groups, select the All Groups check box.

    If you are defining a policy that is also applicable to Windows login and want to make it applicable to only specific groups of users, keep the following points in mind:

    • The integration with Windows login must be through PingFederate.
    • You must be using version 2.4.2 or higher of the integration with Windows login.
    • You must have provided information for the Group attribute when configuring the PingID Adapter instance (see Configuring a PingID Adapter instance (Windows login)).
  6. In the Allowed Authentication Methods section:
    • Select one or more authentication methods that you want to make available for use in this policy.
    • Select the All Methods check box to permit the use of all existing configured authentication methods and automatically apply additional methods that are added to PingID in the future.

      Only the methods selected are permitted for use in this policy and available in the rule Actions list.


    If you are configuring a rule that is based on the PingID mobile app, you must include Swipe, Mobile App Biometrics, Number matching, or One-time passcode as an allowed authentication method.

  7. To hide the authentication approval screen for PingID policy events in which the user is automatically approved and no challenge is sent to or requested from the user, clear the Show Approved Authentication check box.

    By default, this check box is selected.


    This option only applies to:

    • Relevant policy rules where the rule action Approve is selected.
    • The PingID out-of-the-box UI. It is not applicable to the PingID authentication API.
  8. In the Rules section, click + Add Rule for each rule that you want to add, and select the rule from the list.
    A screen capture of the Rules section.
  9. Configure the rules that you want to include in the policy:
  10. Within the policy, click and drag the rule to place it in the order you want it.

    If you have more than one rule in the policy, ensure that the rules appear in the order that you want, because this is the order in which the rules are executed.

  11. After you have added and configured all the rules you want to add, click Save.
  12. If more than one policy appears in the Policy list, click and drag the new policy and place it in the order that you want it to be considered. Click Save Order.

To ensure the policy is applied to your organization, go to PingID > Configuration and ensure Enforce Policy is set to Enabled.
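Because only the first policy that lists an app or group is applied, a stricter policy placed below a broader one never takes effect. The following added example (not Ping Identity code, and not using the PingID API) models the ordered Policy list offline to show which policy a sign-on resolves to and which entries are shadowed. The policy names, app names, the `*` marker for the All check boxes, and the assumption that a policy matches when it lists both the app and one of the user's groups are all constructed for illustration.

```python
from dataclasses import dataclass

ALL = "*"  # models the All Applications / All Groups check box (assumed marker)


@dataclass(frozen=True)
class Policy:
    name: str
    apps: frozenset
    groups: frozenset


def covers(selected, item):
    """True if a policy's selection includes the item, directly or via ALL."""
    return ALL in selected or item in selected


def effective_policy(policies, app, user_groups, default="Default (global)"):
    """Walk the ordered list; the first policy listing the app and one of the
    user's groups wins. No match falls through to the global policy."""
    for p in policies:
        group_ok = ALL in p.groups or any(g in p.groups for g in user_groups)
        if covers(p.apps, app) and group_ok:
            return p.name
    return default


def shadowed_pairs(policies):
    """List (policy, app, group, winner) for each app/group pair that an
    earlier policy already claims, so the later entry never applies."""
    findings = []
    for i, p in enumerate(policies):
        for app in sorted(p.apps):
            for group in sorted(p.groups):
                for earlier in policies[:i]:
                    if covers(earlier.apps, app) and covers(earlier.groups, group):
                        findings.append((p.name, app, group, earlier.name))
                        break
    return findings


# Constructed policy list, in the order it would appear on the Policy page.
POLICIES = [
    Policy("HR apps", frozenset({"Payroll", "Benefits"}), frozenset({"HR"})),
    Policy("Vault - Management", frozenset({"Vault"}), frozenset({"Management"})),
    Policy("Vault - General", frozenset({"Vault"}), frozenset({ALL})),
    Policy("Vault - Contractors", frozenset({"Vault"}), frozenset({"Contractors"})),
]
```

Here `shadowed_pairs(POLICIES)` reports that the Contractors policy is never reached, because the All Groups policy above it already claims the same app; dragging the Contractors policy above the general one resolves it.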