By default, the policy is applied to all users and all applications, but you can select a filter to define the scope of the policy and assign the applications to include in the policy.

The authentication policy is applied to any new SSO sessions for SAML or OpenID Connect (OIDC) applications.


Applications that have been added to PingOne that use basic SSO or an SSO URL cannot be included in the authentication context for the policy.

After you enable your PingOne authentication policy, it works in conjunction with any PingID policies you want to configure. For more information, see PingID policy settings.


If you change the identity bridge you're using, this can break any group filtering you include in your authentication policy. In this case, you must update your group assignments on the User Groups page and change the group filtering for your policy. For more information, see Authorize group access to applications.

  1. Go to Setup > Authentication Policy.
  2. Select Enable Authentication Policy.
  3. Required: Select PingID as the authentication provider to use for the policy.
    If you don't select PingID, no PingID policies are applied for PingOne SSO.
  4. In the Authentication Filter section, select one of the Apply policy to options:
    • Click All cases to apply the policy to all users.
    • Click Selected groups to apply the authentication policy only to users who are members of the selected groups.

      Do not use the underscore (_) or percent (%) characters in your search filter entry.

    • Click All IPs except to apply the authentication policy to all users except those whose IP address is in the list or block of IP addresses that you specify. The addresses must be IPv4 addresses in dot-decimal format ( or an IPv4 address block in CIDR format (
  5. In the PingOne Admin Portal Configuration section, select whether you want the policy to be applied to the PingOne admin portal.

    This option is displayed only if you've upgraded to the new PingOne dock. Go to Setup > Dock to upgrade the dock.

    If you choose to apply the policy to the admin portal, you can also select the email address of a PingOne administrator for whom the policy does not apply.

    This administrator can bypass any authentication policy applied to the admin portal. Sign-on credentials for the admin portal are required for the administrator.

  6. In the Authentication Policy Context section, specify the context where the policy will be applied.
    • If you want to prompt MFA for all user attempts to SSO to SAML applications, select the Apply to all sign-on attempts option.
    • If you want to prompt MFA only for specific applications, clear the Apply to all sign-on attempts option, and then under Apply on application launch, select the applications for which MFA should be triggered. If you have many applications, you can use the filter box to reduce the number of applications that are displayed in the list. The policy will only be applied to the applications that you select and to those you add with the Force MFA setting enabled. For more information, see Managing applications.
  7. Click Save.

The authentication policy is applied to all new user SSO sessions.