  1. Go to Authentication > Authentication.
  2. Click + Add Policy to create a new policy, or click the pencil icon to edit an existing one.
  3. Click + Add Step.
  4. From Step Type, select Identifier First.
  5. Enter or edit the recovery and registration settings.
    Enable account recovery
    In case of a forgotten password, users can recover their accounts with a one-time password sent over SMS or email.
    Enable registration
    Users can register their own accounts if a user record already exists. Select PingOne to provision users to the PingOne user store. Select External Link to provision users to an external user store. PingOne will direct users to the Registration Target URL for registration, but PingOne will still be used for authentication.
    Require confirmation of user information
    If registration is enabled, requires end users to confirm the data shared by the third-party identity provider. The end user will have an opportunity to edit the information that the third-party identity provider shares with PingOne, such as user name, email address, first name, and last name.
    Discovery rules
    Click + Add rule to add a rule, or Edit rules to modify an existing rule, and complete the following fields:
    • Username Contains: Enter a domain name to be evaluated by this rule. The rule evaluates to true if the identifier the user enters contains the provided value; this is a substring match, not an exact match of the domain.
      Tip: For increased security, be specific and enter multiple canonical domains, such as @marketing.example.com and @payroll.example.com. To add fewer entries, you could enter just example.com, and the rule would pick up both @marketing.example.com and @payroll.example.com, but that configuration might also match users at unintended hosts.
    • Identity Provider: Select the identity provider to use for authentication if the rule is matched. Discovery rules are evaluated in the order they appear in the list.
  6. Enter or edit the requirement conditions.

    If this condition is met, the user will be required to sign in:

    Last sign-on older than
    Requires users to sign in if their previous sign-on is older than the configured value.
    User attributes
    Requires users to sign in if they match a specified user attribute, such as postal code or user ID. For example, Postal Code = 78750. Select the check box, then click + Add attribute. Enter the attribute and the appropriate value. If you have multiple attribute conditions, the policy will evaluate to true if any of the conditions are met (Boolean OR).
  7. Enter or edit an external identity provider. Click + Add Provider and then select an identity provider from the list. If an identity provider does not appear on the list, it may not be enabled. See Enabling or disabling an identity provider.
  8. To prevent users from signing in if their PingOne user account is locked, select Block authentication of locked user accounts from Presented Identity Providers. If you leave this option cleared, users whose PingOne account is locked can still sign on with their configured identity provider credentials, but not with their PingOne credentials.
  9. Click Save.
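The discovery-rule behaviour from step 5 (rules checked in list order, "Username Contains" matching, and why a short value such as example.com over-matches), as an added Python simulation that is not PingOne's code. The identity provider names, rule values and sample identifiers are constructed, and treating the field as a plain case-insensitive substring match is an assumption drawn from the field description above.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DiscoveryRule:
    username_contains: str   # value entered in the "Username Contains" field
    identity_provider: str   # identity provider selected for this rule


def route_username(username: str, rules: List[DiscoveryRule]) -> Optional[str]:
    """Return the identity provider of the first matching rule, or None if no
    rule matches.  Assumption: "Username Contains" is a plain, case-insensitive
    substring match, checked in list order with the first match winning."""
    haystack = username.lower()
    for rule in rules:
        if rule.username_contains.lower() in haystack:
            return rule.identity_provider
    return None


# Loose configuration from the tip: one short entry meant to cover several hosts.
LOOSE_RULES = [DiscoveryRule("example.com", "Corp-SAML")]

# Specific configuration from the tip: one canonical domain per entry.
STRICT_RULES = [
    DiscoveryRule("@marketing.example.com", "Corp-SAML"),
    DiscoveryRule("@payroll.example.com", "Corp-SAML"),
]

# Ordering pitfall: the broad rule is listed first and shadows the narrower one,
# so payroll users are routed to Corp-SAML instead of Payroll-OIDC.
MISORDERED_RULES = [
    DiscoveryRule("example.com", "Corp-SAML"),
    DiscoveryRule("@payroll.example.com", "Payroll-OIDC"),
]

# Constructed sample identifiers: two legitimate hosts and two look-alikes that a
# substring match accepts for the loose value but not for the canonical ones.
SAMPLE_USERNAMES = [
    "alice@marketing.example.com",
    "bob@payroll.example.com",
    "carol@example.com.attacker.test",   # domain merely starts with example.com
    "dave@notexample.com",               # domain merely ends with example.com
]

if __name__ == "__main__":
    for user in SAMPLE_USERNAMES:
        print(f"{user:34} loose={route_username(user, LOOSE_RULES)!s:10} "
              f"strict={route_username(user, STRICT_RULES)}")
```

Running it shows the two look-alike identifiers routed to Corp-SAML under the loose rule but to no provider under the canonical rules, and the misordered list sending payroll users to the wrong provider.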