By default the policy is applied to all users and all applications, but you can filter the policy by user group, IP, and application.

The authentication policy is applied to any new SSO sessions for SAML or OpenID Connect applications. Applications that have been added to PingOne that use Basic SSO or an SSO URL cannot be included in the authentication context for the policy.

Once enabled, your PingOne authentication policy works in conjunction with any PingID policies you have configured. For more information, see PingID policy overview.

Note: Changing to a different identity bridge can break any group filtering you include in your authentication policy. In this case, you will need to update your group assignments at Users > User Groups and change the group filtering for your policy. For more information, see Managing users by group.
  1. Go to Setup > Authentication Policy.
  2. Select Enable Authentication Policy.
  3. Select PingID as the authentication provider to use for the policy.
    If you don't select PingID here, no PingID policies will be applied for PingOne SSO.
Authentication Filter
  1. For Apply policy to, select a filter to define how the policy is to be applied:
    • Selected groups. Applies the authentication policy only to users who are members of the selected groups.
    • All IPs except. Applies the authentication policy to all users except those whose IP address is specified or contained within a block of IP addresses. The addresses need to be IPv4 addresses in dot-decimal format (, or an IPv4 address block in CIDR format (
    • All cases. Applies the policy to all users. This is the default option.
PingOne Admin Portal Configuration
  1. Select Apply authentication policy to PingOne Admin Portal to apply this policy to administrators who sign on through the PingOne admin portal.
    Note: This option is displayed only if you've upgraded to the new PingOne dock. Go to Dock > Configuration to upgrade the dock.
  2. Optional: If you don't want to apply the policy to a specific user, such as a global administrator, select the user from the Do not apply authentication to dropdown list.
  3. Select how you want SSO administrators to authenticate.
    • Select SSO username to prompt SSO administrators to authenticate using the PingID factors required for SSO users.
    • Select Email to prompt SSO administrators to authenticate using the factors required for them to sign on to the admin portal.
Authentication Policy Context
  1. Select the Apply to all sign-on attempts box to apply the policy to all attempts to SSO to SAML applications. Clear the box to apply the policy only to select applications.
    When you select this option, you do not need to select applications for the Apply on application launch option.
    For more information, see Configure an app or group-specific authentication policy in PingID documentation.
  2. Optional: Enter a search term in the text box to filter application by name.
    Note: Do not use the underscore (_) or percent (%) characters in your search filter entry.
  3. Select the check boxes for the applications you want to apply the policy to at launch.
    You must select at least one application if you did not select Apply to all sign-on attempts.
  4. Click Save.
    The authentication policy is applied to all new user SSO sessions.

You can now configure PingID policies to further refine your secondary level of authentication. For more information, see Configure web authentication policy.

If want to apply the authentication policy to the admin portal, see SSO to the PingOne for Enterprise admin portal with multi-factor authentication.

If you're using the PingFederate identity bridge, see also SSO to the PingOne for Enterprise admin portal from PingFederate