1. Go to Authentication > Authentication.
  2. Click + Add Policy to create a new policy, or click the pencil icon to edit an existing one.
  3. Click + Add Step.
  4. From the Step Type list, select Login.
  5. Enter or edit the recovery and registration settings.
    • Enable account recovery. In case of a forgotten password, users can recover their accounts with a one-time password sent over email.
    • Enable registration. Users can register their own accounts if a user record already exists. Select PingOne Directory to provision users to the PingOne user store. Select External Link to provision users to an external user store. With External Link, PingOne directs users to the Registration Target URL for registration, but PingOne is still used for authentication.
    • Require confirmation of user information. If registration is enabled, requires end users to confirm the data that is linked with the third-party identity provider. The end user will have an opportunity to edit the information that the third-party identity provider shares with PingOne, such as user name, email address, first name, and last name.
  6. Enter or edit the requirement conditions. If a condition is met, the user will be required to sign in.
    • Last sign-on older than. Requires users to sign in again if their previous login is older than the configured value.
  7. Enter or edit an external identity provider. Click + Add Provider and then select an identity provider from the list. If an identity provider does not appear on the list, it may not be enabled. See Enabling or disabling an identity provider.
  8. To prevent users from signing in if their PingOne user account is locked, select Block authentication of locked user accounts from Presented Identity Providers. If you leave this option cleared, users whose PingOne account is locked can still sign on with their configured identity provider credentials, but not with their PingOne credentials.
  9. Click Save.