Adding an identifier first authentication step - PingOne Cloud Platform - PingOne

To use identifier first authentication, add it as part of an authentication policy.

  1. Go to Authentication > Authentication.
  2. Click + Add Policy to create a new policy, or click the pencil icon to edit an existing one.
  3. Click + Add Step.
  4. From the Step Type list, select Identifier First.
  5. Enter or edit the recovery and registration settings.
    • Enable account recovery. In case of a forgotten password, users can recover their accounts with a one-time password sent over SMS or email.
    • Enable registration. Users can register their own accounts if a user record already exists. Select PingOne Directory to provision users to the PingOne user store. Select External Link to provision users to an external user store. PingOne will direct users to the Registration Target URL for registration, but PingOne will still be used for authentication.
    • Require confirmation of user information. If registration is enabled, requires end users to confirm the data that is linked with the third-party identity provider. The end user will have an opportunity to edit the information that the third-party identity provider shares with PingOne, such as user name, email address, first name, and last name.
    • Discovery rules. Click + Add rule to add a rule, or Edit rules to modify an existing rule. In the text box, enter a domain name to be evaluated by this rule. The rule will evaluate to true if the string contains any part of the provided value. Select the identity provider to use for authentication if the rule is matched. Discovery rules are evaluated in the order they appear in the list.
  6. Enter or edit the requirement conditions. If a condition is met, the user will be required to sign in:
    • Last sign-on older than. Requires users to sign in if their previous login is older than the configured value.
    • User attributes. Requires users to sign in if they match a specified user attribute, such as postal code or user ID. For example, Postal Code = 78750. Select the check box, then click + Add attribute. Enter the attribute and the appropriate value. If you have multiple attribute conditions, the policy will evaluate to true if any of the conditions are met (Boolean OR).
  7. Enter or edit an external identity provider. Click + Add Provider and then select an identity provider from the list. If an identity provider does not appear on the list, it may not be enabled. See Enabling or disabling an identity provider.
  8. To prevent users from signing in if their PingOne user account is locked, select Block authentication of locked user accounts from Presented Identity Providers. If you leave this option cleared, then users can sign on with their configured identity provider credentials, but not their PingOne credentials.
  9. Click Save.
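The discovery-rule and requirement-condition semantics from steps 5 and 6, modelled as an added example; this is not PingOne code or its management API, and the rule values, identity provider names, the `default_idp` fallback and case-insensitive containment matching are constructed assumptions. The `shadowed_rules` check follows from the two stated facts, ordered evaluation and containment matching: a broad rule placed before a more specific one makes the specific one unreachable.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class DiscoveryRule:
    value: str  # domain text entered in the rule's text box
    idp: str    # identity provider used when the rule matches


@dataclass
class IdentifierFirstStep:
    rules: list[DiscoveryRule]                          # evaluated in list order
    last_sign_on_older_than_hours: float | None = None  # requirement condition
    attribute_conditions: dict[str, str] = field(default_factory=dict)  # Boolean OR
    default_idp: str = "PingOne"  # assumption: PingOne credentials when no rule matches


def select_idp(step: IdentifierFirstStep, identifier: str) -> str:
    """First rule whose value is contained in the identifier wins.
    Case-insensitive containment is this model's reading of the page."""
    ident = identifier.lower()
    for rule in step.rules:
        if rule.value.lower() in ident:
            return rule.idp
    return step.default_idp


def shadowed_rules(step: IdentifierFirstStep) -> list[int]:
    """Indexes of rules that can never fire: an earlier rule's value is a
    substring of theirs, so every identifier they would match is taken first."""
    return [i for i, r in enumerate(step.rules)
            if any(e.value.lower() in r.value.lower() for e in step.rules[:i])]


def sign_in_required(step: IdentifierFirstStep, hours_since_last_sign_on: float | None,
                     attrs: dict[str, str]) -> bool:
    """Either requirement condition forces sign-in (assumption); attribute
    conditions match if any one of them holds."""
    limit = step.last_sign_on_older_than_hours
    if limit is not None and (hours_since_last_sign_on is None
                              or hours_since_last_sign_on > limit):
        return True
    return any(attrs.get(k) == v for k, v in step.attribute_conditions.items())


# Constructed configuration: the broad rule is listed before the specific one,
# so "alice@corp.example.com" is routed to Partner-OIDC and rule 1 never fires.
STEP = IdentifierFirstStep(
    rules=[DiscoveryRule("example.com", "Partner-OIDC"),
           DiscoveryRule("corp.example.com", "Corp-SAML")],
    last_sign_on_older_than_hours=8,
    attribute_conditions={"postalCode": "78750"},
)
```

Running `shadowed_rules` over a policy before saving it surfaces ordering mistakes of this kind; note also that "bob@notexample.com" matches the `example.com` rule, because matching is containment rather than an exact domain comparison.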