An authentication policy allows you to use PingID to provide multi-factor authentication (MFA) to the single sign-on (SSO) process for your users or for subsets of your users.
By default, the policy is applied to all users and all applications, but you can select a filter to define the scope of the policy and assign the applications to include in the policy.
The authentication policy is applied to new SSO sessions for SAML and OpenID Connect (OIDC) applications. Sessions that are already established when you save the policy are not re-evaluated until the user signs on again.
After you enable your PingOne authentication policy, it works in conjunction with any PingID policies you want to configure. For more information, see PingID policy settings.
If you change the identity bridge you're using, any group filtering in your authentication policy can break. In that case, update your group assignments on the User Groups page and then update the group filtering in your policy. For more information, see Authorize group access to applications.
- Go to .
- Select Enable Authentication Policy.
- Select PingID as the authentication provider to use for the policy.
  If you don't select PingID, no PingID policies are applied to PingOne SSO.
- In the Authentication Filter section, under Apply policy, select one of the following:
  - Click All cases to apply the policy to all users.
  - Click Selected groups to apply the policy only to users who are members of the groups you select. Note: Do not use the underscore (_) or percent (%) characters in your group search filter entry.
  - Click All IPs except to apply the policy to all users except those whose IP address is in the list of addresses or address blocks that you specify. Entries must be IPv4 addresses in dot-decimal format (188.8.131.52) or IPv4 address blocks in CIDR format (184.108.40.206/24). Users signing on from an excluded address are not prompted for MFA at all, so limit the list to networks you control.
- In the PingOne Admin Portal Configuration section, select whether you want the policy to be applied to the PingOne admin portal.
  This option is displayed only if you've upgraded to the new PingOne dock. To upgrade the dock, go to .
  If you apply the policy to the admin portal, you can also select the email address of one PingOne administrator for whom the policy does not apply. This administrator bypasses any authentication policy applied to the admin portal but must still sign on with their admin portal credentials. Because that account is exempt from MFA, treat it as a break-glass account: protect it with a strong, unique password and limit its use.
- In the Authentication Policy Context section, specify the context in which the policy is applied:
  - To prompt for MFA on every user attempt to SSO to a SAML application, select Apply to all sign-on attempts.
  - To prompt for MFA only for specific applications, clear Apply to all sign-on attempts, and then under Apply on application launch, select the applications that should trigger MFA. If you have many applications, use the filter box to narrow the list. The policy applies only to the applications you select here and to any application that has the Force MFA setting enabled. For more information, see Managing applications.
- Click Save.
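Before saving, it helps to check which sign-ons will actually be prompted once the filter, application context and admin portal settings are combined. The following is an added example and not Ping Identity's code: it models the scoping rules described in the steps above (All cases / Selected groups / All IPs except, Apply to all sign-on attempts versus selected and Force MFA applications, and the single admin portal bypass) as a small Python policy evaluator. Class and function names are this example's own, the sample scenario is constructed, and the assumption that the audience filter also applies to other administrators on the admin portal is noted in a comment.

```python
"""Model of how a PingOne authentication policy scopes MFA prompts.

Added illustration, not Ping Identity's own code. It mirrors the documented
filter and context settings so you can reason about which sign-ons get an
MFA prompt before saving the policy. Names are this example's own.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AuthPolicy:
    enabled: bool = True
    filter_mode: str = "All cases"          # or "Selected groups" / "All IPs except"
    groups: set = field(default_factory=set)
    excluded_ips: list = field(default_factory=list)   # entries as typed in the console
    apply_to_all_sign_on_attempts: bool = True
    selected_apps: set = field(default_factory=set)    # "Apply on application launch"
    force_mfa_apps: set = field(default_factory=set)   # apps with Force MFA enabled
    apply_to_admin_portal: bool = False
    admin_bypass_email: str = ""            # the one administrator exempt from the policy


def parse_ip_entry(entry):
    """Parse one 'All IPs except' entry: an IPv4 address or an IPv4 CIDR block.

    strict=False accepts a block whose host bits are set (10.1.2.3/24) and
    normalises it to the whole network (10.1.2.0/24), which is the exemption
    an admin typing that entry expects. IPv6 and malformed text raise.
    """
    net = ipaddress.ip_network(entry.strip(), strict=False)
    if net.version != 4:
        raise ValueError(f"IPv4 only: {entry}")
    return net


def is_valid_ip_entry(entry):
    """True if the entry is an acceptable IPv4 address or CIDR block."""
    try:
        parse_ip_entry(entry)
        return True
    except ValueError:
        return False


def is_valid_group_filter(text):
    """The group search filter must not contain '_' or '%'."""
    return "_" not in text and "%" not in text


def mfa_required(policy, user_groups, client_ip, app=None,
                 admin_portal=False, email=""):
    """Return True if this sign-on is inside the policy scope and gets an MFA prompt."""
    if not policy.enabled:
        return False

    if admin_portal:
        if not policy.apply_to_admin_portal:
            return False
        # The exempted administrator bypasses the policy on the admin portal
        # (admin portal credentials are still required). Assumption of this
        # model: the audience filter below still applies to other admins.
        if policy.admin_bypass_email and email.lower() == policy.admin_bypass_email.lower():
            return False
    elif not policy.apply_to_all_sign_on_attempts:
        # Only the selected applications and those with Force MFA are in scope.
        if app not in policy.selected_apps and app not in policy.force_mfa_apps:
            return False

    if policy.filter_mode == "All cases":
        return True
    if policy.filter_mode == "Selected groups":
        return bool(set(user_groups) & set(policy.groups))
    if policy.filter_mode == "All IPs except":
        ip = ipaddress.ip_address(client_ip)
        excluded = [parse_ip_entry(e) for e in policy.excluded_ips]
        return not any(ip in net for net in excluded)
    raise ValueError(f"unknown filter mode: {policy.filter_mode}")


if __name__ == "__main__":
    # Constructed scenario: exempt an internal range and one fixed egress address.
    policy = AuthPolicy(filter_mode="All IPs except",
                        excluded_ips=["10.0.0.0/8", "203.0.113.7"])
    for ip in ("10.20.30.40", "203.0.113.7", "198.51.100.1"):
        verdict = "MFA" if mfa_required(policy, set(), ip, app="Salesforce") else "no MFA"
        print(ip, verdict)
```

Run the script to see that only the sign-on from 198.51.100.1 is prompted; the two excluded sources skip MFA entirely, which is why the exclusion list should contain only networks you control. The same evaluator shows that with Apply to all sign-on attempts cleared, an application that is neither selected nor marked Force MFA never triggers a prompt regardless of the user's group or address.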
- You can configure PingID policies to further refine the second factor. For more information, see Web authentication policy configuration.
- If you are applying the authentication policy to the admin portal, see SSO to the PingOne admin portal with multi-factor authentication for further instructions.
- If you're using the PingFederate identity bridge, see SSO to the PingOne admin portal from PingFederate Bridge.