An authentication policy enables you to use PingID to provide a secondary level of authentication (multi-factor authentication) to the single sign-on (SSO) process for your users, or for some subset of your users.
By default, the policy is applied to all users and all applications, but you can filter the policy by user group, IP, and application.
The authentication policy is applied to any new SSO sessions for SAML or OpenID Connect applications. Applications that have been added to PingOne that use Basic SSO or an SSO URL cannot be included in the authentication context for the policy.
Once enabled, your PingOne authentication policy works in conjunction with any PingID policies you have configured. For more information, see PingID policy overview.
- Go to .
- Select Enable Authentication Policy.
Select PingID as the authentication provider to use for the policy.
If you don't select PingID here, no PingID policies will be applied for PingOne SSO.
For Apply policy to, select a filter to define how the policy is to be applied:
- Selected groups. Applies the authentication policy only to users who are members of the selected groups.
- All IPs except. Applies the authentication policy to all users except those whose IP address is specified or contained within a block of IP addresses. The addresses need to be IPv4 addresses in dot-decimal format (188.8.131.52), or an IPv4 address block in CIDR format (184.108.40.206/24).
- All cases. Applies the policy to all users. This is the default option.
Select Apply authentication policy to PingOne Admin Portal to apply this policy to administrators who sign on through the PingOne admin
Note: This option is displayed only if you've upgraded to the new PingOne dock. Go to to upgrade the dock.
- Optional: If you don't want to apply the policy to a specific user, such as a global administrator, select the user from the Do not apply authentication to dropdown list.
Select how you want SSO administrators to authenticate.
- Select SSO username to prompt SSO administrators to authenticate using the PingID factors required for SSO users.
- Select Email to prompt SSO administrators to authenticate using the factors required for them to sign on to the admin portal.
Select the Apply to all sign-on attempts box to apply the policy to all attempts to SSO to SAML applications. Clear the box to apply the policy only to select applications.
When you select this option, you do not need to select applications for the Apply on application launch option. For more information, see Configure an app or group-specific authentication policy in the PingID documentation.
Enter a search term in the text box to filter applications by name.
Note: Do not use the underscore (_) or percent (%) characters in your search filter entry.
Select the check boxes for the applications you want to apply the policy to at
You must select at least one application if you did not select Apply to all sign-on attempts.
The authentication policy is applied to all new user SSO sessions.
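The following Python sketch is an added example, not PingOne code: it models how the settings above combine, so you can check which sign-ons a planned configuration would leave without a PingID prompt and how many addresses an All IPs except list exempts. The dictionary keys, user and application names are hypothetical, the addresses are documentation ranges, and the order in which the checks combine is an assumption.

```python
import ipaddress

def parse_exclusions(entries):
    """Parse 'All IPs except' entries: IPv4 dot-decimal or IPv4 CIDR only."""
    nets = []
    for entry in entries:
        # strict=False normalises a block written with host bits set
        # (192.0.2.10/24 -> 192.0.2.0/24); malformed input raises ValueError.
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.version != 4:
            raise ValueError(f"not an IPv4 address or block: {entry!r}")
        nets.append(net)
    return nets

def exempt_address_count(nets):
    """Distinct IPv4 addresses that skip the policy (overlapping blocks merged)."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

def mfa_required(policy, session):
    """Return True if this simplified model would prompt the session for PingID."""
    # Only SAML and OpenID Connect applications are in scope; Basic SSO is not.
    if not policy["enabled"] or session["protocol"] not in ("SAML", "OIDC"):
        return False
    if session["user"] == policy.get("exempt_user"):  # 'Do not apply authentication to'
        return False
    if not policy["all_sign_ons"] and session["app"] not in policy["apps"]:
        return False
    if policy["apply_to"] == "selected_groups":
        return bool(set(session["groups"]) & set(policy["groups"]))
    if policy["apply_to"] == "all_ips_except":
        ip = ipaddress.ip_address(session["ip"])
        return not any(ip in net for net in policy["excluded_nets"])
    return True  # 'All cases', the default filter

# Constructed sample policy (hypothetical values, documentation IP ranges).
POLICY = {
    "enabled": True,
    "apply_to": "all_ips_except",
    "excluded_nets": parse_exclusions(["192.0.2.10/24", "198.51.100.7"]),
    "groups": [],
    "exempt_user": "global.admin@example.com",
    "all_sign_ons": False,
    "apps": {"Payroll"},
}
```

Run `mfa_required` over a list of representative sessions before changing the live policy; every `False` result is a sign-on path that relies on the first factor alone.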
You can now configure PingID policies to further refine your secondary level of authentication. For more information, see Configure web authentication policy.
If you want to apply the authentication policy to the admin portal, see SSO to the PingOne for Enterprise admin portal with multi-factor authentication.
If you're using the PingFederate identity bridge, see also SSO to the PingOne for Enterprise admin portal from PingFederate Bridge.