If you have configured single sign-on (SSO) to the admin portal, you can improve security by requiring multi-factor authentication (MFA) using PingID.
You must complete the following:
MFA to the PingOne for Enterprise admin portal is enforced through PingOne for Enterprise, so even if you've configured PingFederate Bridge for PingID authentication, you still need to enable a PingOne for Enterprise authentication policy for PingID.
For more information, see Create or update an authentication policy.
If the username your administrator uses for SSO to the admin console differs from the email address they use for PingOne for Enterprise, PingID treats that username as a separate identity.
You can streamline the admin SSO experience with the following recommended configuration:
- Configure SSO for administrators. For more information, see Configuring SSO to the PingOne for Enterprise admin portal.
- Remove administrative users who use an email address rather than a username for sign-on. If necessary, create new administrative users and select the SSO Admin check box. For more information, see Assign administrative roles.
- When enabling MFA (see step 7 below), select SSO Username as the SSO method for admin users.
If your admin users' usernames are the same as the email address that they use to sign on to the admin portal, you can ignore this configuration because usernames will be the same for PingID.
If you want to configure an advanced PingID authentication policy for your administrative users, see Configuring an app or group-specific authentication policy in the PingID documentation.