There are several ways an external identity provider can be invoked to authenticate users. The external identity provider sign-on step does so as a result of administrator-declared policy, and the user is not given a choice. For more information, see External IDPs.

Depending on the sign-on policy, end users might bypass the PingOne sign-on prompt and be redirected to an external identity provider to authenticate. A different sign-on policy might have end users use the PingOne sign-on prompt and then be redirected to an external identity provider for second-factor authentication. The user must exist in PingOne, but the identity provider manages authentication.

  1. Go to Authentication > Authentication.
  2. Click + Add policy to create a new policy, or click the pencil icon to edit an existing one.
  3. Click + Add step.
  4. From the Step type list, select External identity provider.
  5. From the External identity provider list, select the identity provider that will handle user authentication. For information about adding an identity provider, see External IDPs.
  6. Enter or edit the registration settings:
    • Enable registration. Users can register their own accounts if a user record already exists.
    • Population. Specify which population will contain the newly registered users.
    • Require confirmation of user information. If enabled, this option requires end users to confirm the data that is linked with the third-party identity provider. The end user will have an opportunity to edit the information that the third-party identity provider shares with PingOne, such as username, email address, first name, and last name.
  7. Enter or edit the requirement condition. If this condition is met, the user will be required to sign in.
    • Last sign-on older than. Requires users to sign in again if their previous login is older than the configured value.
  8. Enter or edit the Identity provider settings.
    Note: These options are available only if you have an identity provider sign-on step as a secondary step after a login step that includes an identity provider.
    • Required authentication level. For SAML and OIDC identity providers, PingOne sends the RequestedAuthnContext or acr_values parameter to the specified identity provider to indicate how the identity provider should authenticate the user. This is commonly used to tell the identity provider to use multi-factor authentication, for example, to ensure the right level of authentication depending on the sensitivity of the target application.
    • Pass user context to provider. For SAML and OIDC identity providers, PingOne can be configured to include some user information in the authentication request. The information to include is determined as follows:
      • If the user is linked to the identity provider, pass the external ID for the user.
      • If the user is not linked to the identity provider but was identified in a previous sign-on step or an existing session, pass the PingOne username for the user.
      • If the user does not have an existing session (either from a previous transaction or from completing a login step before the external identity provider step in the sign-on policy), pass the loginHint if it was received from the downstream application.
  9. Click Save.
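To make the effect of steps 7 and 8 concrete, the following added example (not PingOne's code or API; written for this page) models one external identity provider step as a small policy evaluator. It evaluates the "Last sign-on older than" condition, selects the user identifier to pass to the provider in the precedence the page lists, and assembles the OIDC authorization request with the standard `acr_values` and `login_hint` parameters. The dataclass field names, the sample endpoint URLs, the ACR value `urn:example:mfa` and the sample users are all constructed placeholders; only the OIDC parameter names are real.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlencode


@dataclass
class ExternalIdpStep:
    """Settings of one external identity provider sign-on step.

    Field names are assumptions for this example, not PingOne API attributes.
    """
    authorization_endpoint: str                          # the OIDC provider's authorization endpoint
    client_id: str
    redirect_uri: str
    last_sign_on_older_than: Optional[timedelta] = None  # requirement condition (step 7)
    required_authentication_level: Optional[str] = None  # sent as acr_values (step 8)
    pass_user_context: bool = False                      # include a user identifier (step 8)


@dataclass
class UserContext:
    """What PingOne knows about the user when the step is reached (constructed sample)."""
    username: Optional[str] = None      # PingOne username, known once the user is identified
    external_id: Optional[str] = None   # set only if the user is linked to this provider
    identified: bool = False            # identified by a previous step or an existing session
    last_sign_on: Optional[datetime] = None
    login_hint: Optional[str] = None    # received from the downstream application, if any


def sign_in_required(step: ExternalIdpStep, user: UserContext, now: datetime) -> bool:
    """Evaluate the 'Last sign-on older than' condition.

    With no condition configured the step always runs, and a user with no
    recorded sign-on is treated as older than any threshold.
    """
    if step.last_sign_on_older_than is None or user.last_sign_on is None:
        return True
    return now - user.last_sign_on > step.last_sign_on_older_than


def select_user_hint(step: ExternalIdpStep, user: UserContext) -> Optional[str]:
    """Pick the identifier to pass to the provider, in the precedence the page lists."""
    if not step.pass_user_context:
        return None
    if user.external_id:                   # linked: pass the external ID
        return user.external_id
    if user.identified and user.username:  # not linked but identified: PingOne username
        return user.username
    if not user.identified:                # no session yet: forward the application's hint
        return user.login_hint
    return None


def build_authorization_params(step: ExternalIdpStep, user: UserContext,
                               state: str, nonce: str) -> dict:
    """Assemble the OIDC authorization request parameters for this step.

    acr_values and login_hint are standard OIDC request parameters. state and
    nonce are supplied by the caller and must be unpredictable in real use.
    """
    params = {
        "response_type": "code",
        "client_id": step.client_id,
        "redirect_uri": step.redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    if step.required_authentication_level:
        params["acr_values"] = step.required_authentication_level
    hint = select_user_hint(step, user)
    if hint:
        params["login_hint"] = hint
    return params


def authorization_url(step: ExternalIdpStep, params: dict) -> str:
    """Render the request as the redirect URL the browser would be sent to."""
    return f"{step.authorization_endpoint}?{urlencode(params)}"


def sample_scenario():
    """Constructed sample: one step plus users in each of the three hint situations."""
    step = ExternalIdpStep(
        authorization_endpoint="https://idp.example.test/authorize",      # placeholder
        client_id="pingone-client",                                       # placeholder
        redirect_uri="https://auth.pingone.example.test/callback",        # placeholder
        last_sign_on_older_than=timedelta(hours=8),
        required_authentication_level="urn:example:mfa",                 # placeholder ACR
        pass_user_context=True,
    )
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    linked = UserContext(username="jdoe", external_id="ext-123", identified=True,
                         last_sign_on=now - timedelta(hours=9))   # stale: sign-in required
    identified = UserContext(username="jdoe", identified=True,
                             last_sign_on=now - timedelta(hours=1))  # fresh: condition not met
    anonymous = UserContext(login_hint="jdoe@example.test")           # no session at all
    return step, now, linked, identified, anonymous


if __name__ == "__main__":
    step, now, linked, identified, anonymous = sample_scenario()
    for user in (linked, identified, anonymous):
        if sign_in_required(step, user, now):
            print(authorization_url(step, build_authorization_params(step, user, "s1", "n1")))
```

Run as a script, it prints the redirect URL for the two users who must sign in again and skips the user whose last sign-on is within the configured window. For a SAML provider the same precedence applies, but the identifier would be carried in the request's subject rather than in `login_hint`.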