Policy Evaluation

Policies are evaluated in the order in which they appear in the list on the Policy page as follows:

  • The PingID policy service evaluates the first policy in the list on the Policy page and checks whether the policy conditions are met, for example, whether the user is trying to access one of the apps, or is a member of one of the groups, specified in the policy.
    • If the policy conditions are met, the PingID policy service does not evaluate any further policies and starts to evaluate the rules within the policy, as described in the next section.
    • If the policy conditions are not met, the PingID policy service evaluates the next policy that appears in the policy list.
    • If none of the policies were met, the default policy is applied.
    Note: If Prompt user to select is enabled, there are situations in which the user can select a device to authenticate with, but the policy applied to the organization prevents authentication with the selected device, so the user is blocked.

Rule Evaluation

Once the policy conditions are met, the PingID policy service evaluates policy rules as follows:

  • The PingID policy service evaluates the first rule in the policy and verifies whether the rule conditions are met. For example, for the Specific Countries rule, is the user signing on from one of the defined locations?
    • If the rule conditions are met, the PingID policy service does not evaluate any further rules, and the rule action is applied.
    • If the rule conditions are not met, or the information the rule needs is not available (for example, the location), the PingID policy service evaluates the next rule in the policy rule list.
    • If no rule's conditions are met, including rules that could not be evaluated because the required information was unavailable, the default action is applied.

Consideration for users with multiple devices

If a user has more than one device paired with their account:

  • If the primary device is disallowed by the rule action, the user can only authenticate if their secondary device is permitted by the rule action.
  • If the user's primary device is allowed by the policy and:
    • Rule action permits the primary device: the user is prompted to authenticate using the primary device.
    • Rule action requires a different device: the user is prompted to authenticate using the device specified. If the required device is not paired, the user is denied access.
  • If the user's primary device is not allowed by the policy, and they have only one secondary device:
    • If the secondary device is allowed by the policy and rule action, the secondary device is selected automatically.
    • If the secondary device is not allowed either at policy or rule level, authentication is denied.
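As an added example (not PingID's own code), the following Python models the evaluation order described in the Policy Evaluation and Rule Evaluation sections together with the device selection for users with multiple devices: first-match policy selection with a fallback to the default policy, first-match rule selection that skips rules whose required information (such as the location) is unavailable, and selection of the first paired device that is permitted at both policy level and rule-action level. The data model, the representation of a deny action as an empty set of allowed devices, and the sample policies and users are assumptions made for illustration. Where the page describes only one secondary device, the code generalizes to any number of paired devices, tried in pairing order with the primary device first.

```python
# Added example (not PingID's own code): a first-match policy and rule
# evaluator mirroring the order described above, plus device selection for
# users with several paired devices. Field names, the "empty set = deny"
# convention and all sample data below are constructed assumptions.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    # Condition: countries the sign-on must originate from. None means the
    # rule has no location condition and is always met.
    countries: Optional[FrozenSet[str]]
    # Action: device types the user may authenticate with (empty = deny).
    allowed_devices: FrozenSet[str]


@dataclass(frozen=True)
class Policy:
    name: str
    apps: FrozenSet[str]              # condition: application being accessed
    groups: FrozenSet[str]            # condition: group membership
    allowed_devices: FrozenSet[str]   # device types permitted at policy level
    rules: Tuple[Rule, ...]           # evaluated in list order
    default_devices: FrozenSet[str]   # default action when no rule matches


@dataclass(frozen=True)
class AuthContext:
    user: str
    app: str
    groups: FrozenSet[str]
    country: Optional[str]            # None: location information unavailable
    devices: Tuple[str, ...]          # paired device types, primary first


def policy_matches(policy: Policy, ctx: AuthContext) -> bool:
    # Met if the user accesses one of the policy's apps or is in one of its groups.
    return ctx.app in policy.apps or bool(ctx.groups & policy.groups)


def select_policy(policies: List[Policy], default: Policy, ctx: AuthContext) -> Policy:
    # The first policy whose conditions are met wins; later policies are not
    # evaluated. If none match, the default policy applies.
    for policy in policies:
        if policy_matches(policy, ctx):
            return policy
    return default


def rule_matches(rule: Rule, ctx: AuthContext) -> bool:
    if rule.countries is None:
        return True
    if ctx.country is None:
        return False              # required information unavailable: skip rule
    return ctx.country in rule.countries


def select_action(policy: Policy, ctx: AuthContext) -> Tuple[str, FrozenSet[str]]:
    # The first rule whose conditions are met supplies the action; otherwise
    # the policy's default action applies.
    for rule in policy.rules:
        if rule_matches(rule, ctx):
            return rule.name, rule.allowed_devices
    return "default", policy.default_devices


def select_device(policy: Policy, action_devices: FrozenSet[str], ctx: AuthContext) -> Optional[str]:
    # A device must be allowed at both policy and rule-action level. Paired
    # devices are tried in order, so the primary device is preferred and a
    # permitted secondary device is picked when the primary is disallowed.
    permitted = policy.allowed_devices & action_devices
    for device in ctx.devices:
        if device in permitted:
            return device
    return None                   # no paired device qualifies: access denied


def evaluate(policies: List[Policy], default: Policy, ctx: AuthContext):
    policy = select_policy(policies, default, ctx)
    rule_name, action_devices = select_action(policy, ctx)
    return policy.name, rule_name, select_device(policy, action_devices, ctx)


# Constructed sample configuration: one ordered policy plus the default policy.
CORPORATE = Policy(
    name="Corporate apps",
    apps=frozenset({"payroll"}),
    groups=frozenset({"finance"}),
    allowed_devices=frozenset({"mobile_app", "sms", "security_key"}),
    rules=(
        Rule("Specific Countries: US/GB", frozenset({"US", "GB"}), frozenset({"mobile_app", "sms"})),
        Rule("Specific Countries: DE", frozenset({"DE"}), frozenset({"security_key"})),
    ),
    default_devices=frozenset({"mobile_app"}),
)
DEFAULT = Policy("Default", frozenset(), frozenset(), frozenset({"mobile_app", "sms"}), (), frozenset({"mobile_app", "sms"}))
POLICIES = [CORPORATE]

if __name__ == "__main__":
    for ctx in (
        AuthContext("alice", "payroll", frozenset(), "US", ("mobile_app", "sms")),
        AuthContext("bob", "wiki", frozenset({"finance"}), "DE", ("mobile_app", "security_key")),
        AuthContext("dave", "payroll", frozenset(), None, ("sms",)),
    ):
        print(ctx.user, evaluate(POLICIES, DEFAULT, ctx))
```

Running the file shows the three outcomes the text describes: a user whose primary device is permitted authenticates with it, a user whose primary device is disallowed by the rule action falls through to a permitted secondary device, and a user whose location is unavailable skips both country rules and receives the default action, which denies them if no paired device is permitted by it. Reordering the policies or rules changes the outcome, which is why list order on the Policy page matters.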

Considerations for users working on a shared accessing device

The PingID policy supports multiple users working on the same accessing device. Policy information is stored on the device per user, so PingID can evaluate policies such as Recent authentication per user for that device.

For example:

If User A signs on at 9 a.m. and User B signs on to the same device at 11 a.m., and the organization uses a Recent authentication rule that does not require re-authentication within 6 hours of a previous authentication, the 6-hour window is calculated from 9 a.m. for User A and from 11 a.m. for User B.

Note:

For Windows login, the PingID policy supports multiple users accessing the same Windows login machine; however, the policy information is overwritten each time a user signs on successfully.

Considerations for users working with more than one organization

The PingID policy supports a single user with multiple organizations and can distinguish between the organizations that a user accesses from the same accessing device. Policy information is stored on the device per user and per organization, so PingID can evaluate policies such as Recent authentication per organization.

For example:

If a user signs on to Organization Y at 9 a.m. and to Organization Z at 11 a.m., and the organizations use different Recent authentication policies as follows:

  • Organization Y: Recent authentication within the last 30 minutes.
  • Organization Z: Recent authentication within the last 12 hours.

The user is subject to the Recent authentication policy of the organization they are currently signed on to. In this example, they need to authenticate again as follows:

  • Organization Y: if signing on, or accessing resources, after 9:30 a.m. the same day.
  • Organization Z: if signing on, or accessing resources, after 11 p.m. the same day.
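As an added example (not PingID's own code), the following Python works through both timelines above: the shared-device case, where the last successful authentication is kept per user, and the multiple-organization case, where it is kept per user and per organization, each organization applying its own Recent authentication window. It also models the Windows login note as a single-slot store that is overwritten on every successful sign-on, so that a second user's sign-on evicts the first user's record. The storage layout, class names, timestamps and the reading of "recent" as strictly less than the configured window are assumptions for illustration.

```python
# Added example (not PingID's own code): the "recent authentication" record a
# shared accessing device keeps per (user, organization), worked through for
# the two timelines above, plus a single-slot store modelling the Windows
# login behaviour where each successful sign-on overwrites stored information.
# Storage layout, class names and times are constructed assumptions; "recent"
# is taken to mean strictly less than the window.
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


class PerUserStore:
    """Last successful authentication time keyed by (user, organization)."""

    def __init__(self) -> None:
        self._last: Dict[Tuple[str, str], datetime] = {}

    def record_success(self, user: str, org: str, at: datetime) -> None:
        self._last[(user, org)] = at

    def needs_authentication(self, user: str, org: str, window: timedelta, now: datetime) -> bool:
        last = self._last.get((user, org))
        return last is None or now - last >= window


class SingleSlotStore:
    """Windows login model: one record for the whole device, overwritten on
    every successful sign-on, so another user's sign-on evicts yours."""

    def __init__(self) -> None:
        self._slot: Optional[Tuple[str, str, datetime]] = None

    def record_success(self, user: str, org: str, at: datetime) -> None:
        self._slot = (user, org, at)

    def needs_authentication(self, user: str, org: str, window: timedelta, now: datetime) -> bool:
        if self._slot is None or self._slot[:2] != (user, org):
            return True           # record belongs to nobody or to someone else
        return now - self._slot[2] >= window


def t(hhmm: str) -> datetime:
    # Constructed timestamps, all on the same day.
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


def shared_device_example(store) -> Dict[str, bool]:
    # Organization rule: no re-authentication required within 6 hours.
    six_hours = timedelta(hours=6)
    store.record_success("userA", "orgX", t("09:00"))
    store.record_success("userB", "orgX", t("11:00"))
    return {
        "A at 14:00": store.needs_authentication("userA", "orgX", six_hours, t("14:00")),
        "A at 15:30": store.needs_authentication("userA", "orgX", six_hours, t("15:30")),
        "B at 15:30": store.needs_authentication("userB", "orgX", six_hours, t("15:30")),
    }


def multi_org_example() -> Dict[str, bool]:
    # One user, two organizations with different windows, same device.
    store = PerUserStore()
    windows = {"orgY": timedelta(minutes=30), "orgZ": timedelta(hours=12)}
    store.record_success("user", "orgY", t("09:00"))
    store.record_success("user", "orgZ", t("11:00"))
    return {
        "Y at 09:20": store.needs_authentication("user", "orgY", windows["orgY"], t("09:20")),
        "Y at 09:45": store.needs_authentication("user", "orgY", windows["orgY"], t("09:45")),
        "Z at 20:00": store.needs_authentication("user", "orgZ", windows["orgZ"], t("20:00")),
        "Z at 23:30": store.needs_authentication("user", "orgZ", windows["orgZ"], t("23:30")),
    }


if __name__ == "__main__":
    print("per-user store:", shared_device_example(PerUserStore()))
    print("single slot   :", shared_device_example(SingleSlotStore()))
    print("multi-org     :", multi_org_example())
```

With the per-user store, User A is still within the 6-hour window at 14:00 and User B at 15:30, while User A must authenticate again at 15:30. With the single-slot store, User B's 11 a.m. sign-on evicts User A's record, so User A must authenticate again on the next access regardless of elapsed time. In the multiple-organization case, the same user is refused a pass at 9:45 a.m. for Organization Y (30-minute window) but is still within the 12-hour window for Organization Z until 11 p.m.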