A sign-on policy dictates how the user's identity will be verified when signing on to the system.
A multi-factor policy could require evidence to verify a user's identity, such as a time-based one-time password (TOTP) authenticator app, FIDO2 biometrics, a push notification sent to the user's mobile device, or a one-time passcode (OTP) sent over SMS, voice, or email. A sign-on policy could also be configured for device authorization, which takes place in the background and is transparent to the user.
You can set conditions that determine whether the policy will be applied. For example:
- For certain populations, policy conditions can require multi-factor authentication (MFA) for every sign-on.
- For other populations, MFA is not required if the most recent sign-on occurred within a specified time limit.
- If no conditions are specified, users are required to sign on every time they access the application.
The authentication flow is configured at the application level through a sign-on policy. If you don't assign a sign-on policy to your web application, it uses the environment's default sign-on policy. You can create multiple sign-on policies and associate them with different OIDC applications.
Policies are evaluated in the order in which they appear in the list. PingOne evaluates the first policy in the list first; if the requirements of that policy are not met, PingOne moves on to the next policy in the list.
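The following is an added illustration of the ordered evaluation described above, not PingOne code or its API. It models a list of sign-on policies, each with conditions (the populations it applies to, and an optional window after the most recent sign-on within which MFA is skipped), walks the list in order, and falls back to an environment default when no policy's conditions are met. The policy names, populations, time windows and the attempts are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class SignOnPolicy:
    """One policy in the ordered list (hypothetical model, not PingOne's schema)."""
    name: str
    # Populations this policy applies to; an empty set means "any population".
    populations: frozenset = frozenset()
    # If set, MFA is skipped when the most recent sign-on falls within this window.
    mfa_skip_window: Optional[timedelta] = None
    # Whether this policy asks for a second factor at all.
    require_mfa: bool = True

@dataclass(frozen=True)
class SignOnAttempt:
    user: str
    population: str
    last_sign_on: Optional[datetime]   # None means no previous sign-on recorded
    now: datetime

def conditions_met(policy: SignOnPolicy, attempt: SignOnAttempt) -> bool:
    """A policy's requirements are met when the user is in one of its populations."""
    return not policy.populations or attempt.population in policy.populations

def required_steps(policy: SignOnPolicy, attempt: SignOnAttempt) -> list:
    """Steps the user must complete under this policy: password, plus MFA when due."""
    steps = ["password"]
    if not policy.require_mfa:
        return steps
    if policy.mfa_skip_window is not None and attempt.last_sign_on is not None:
        if attempt.now - attempt.last_sign_on <= policy.mfa_skip_window:
            return steps            # recent sign-on: MFA not required this time
    steps.append("mfa")
    return steps

def evaluate(policies: list, attempt: SignOnAttempt, default_policy: SignOnPolicy) -> tuple:
    """Walk the list in order; the first policy whose conditions are met decides."""
    for policy in policies:
        if conditions_met(policy, attempt):
            return policy.name, required_steps(policy, attempt)
    # No assigned policy matched: the environment's default policy applies.
    return default_policy.name, required_steps(default_policy, attempt)

# Constructed sample configuration (names and windows are assumptions).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ADMIN_POLICY = SignOnPolicy("admins-always-mfa", frozenset({"admins"}))
STAFF_POLICY = SignOnPolicy("staff-mfa-every-12h", frozenset({"staff"}),
                            mfa_skip_window=timedelta(hours=12))
# Modelled default: a sign-on is required every time, with no second factor.
DEFAULT_POLICY = SignOnPolicy("environment-default", require_mfa=False)
POLICY_LIST = [ADMIN_POLICY, STAFF_POLICY]

def demo() -> dict:
    """Evaluate a few constructed sign-on attempts against the ordered list."""
    attempts = [
        SignOnAttempt("alice", "admins", NOW - timedelta(minutes=5), NOW),
        SignOnAttempt("bob", "staff", NOW - timedelta(hours=3), NOW),
        SignOnAttempt("carol", "staff", NOW - timedelta(days=2), NOW),
        SignOnAttempt("dave", "contractors", None, NOW),
    ]
    return {a.user: evaluate(POLICY_LIST, a, DEFAULT_POLICY) for a in attempts}

if __name__ == "__main__":
    for user, (policy, steps) in demo().items():
        print(f"{user}: {policy} -> {' + '.join(steps)}")
```

Note that ordering matters: if the staff policy were listed before a broader policy that also covered staff, the broader one would never be reached for those users, so the list should be arranged from most specific conditions to least specific.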
Configuring a sign-on policy: Console
Configuring a sign-on policy: API alternative
Application developers can use the API operations to create a sign-on policy.
Use the access token generated through the worker app and follow the steps under Sign-on policies in the API reference.