If you configure an external identity provider as part of a sign-on policy, end users can access your applications by authenticating with the identity provider.
There are several ways an external identity provider can be invoked to authenticate users. The external identity provider sign-on step does so as a result of administrator declared policy, and the user is not given a choice. For more information, see Identity providers.
Depending on the sign-on policy, end users might bypass the PingOne sign-on prompt and be redirected to an external identity provider to authenticate. A different sign-on policy might have end users use the PingOne sign-on prompt and then be redirected to an external identity provider for second-factor authentication. The user must exist in PingOne, but the identity provider manages authentication.