SSO to the PingOne for Enterprise admin portal with multi-factor authentication - PingOne for Enterprise


If you have configured single sign-on (SSO) to the admin portal, you can improve security by requiring multi-factor authentication (MFA) using PingID.

You must complete the following:

Note:

MFA to the PingOne for Enterprise admin portal is enforced through PingOne for Enterprise, so even if you've configured PingFederate Bridge for PingID authentication, you still need to enable a PingOne for Enterprise authentication policy for PingID.

For more information, see Create or update an authentication policy.

Note:

If the username your administrator uses for SSO to the admin console differs from the email address they use for PingOne for Enterprise, PingID treats that username as a separate identity.

You can streamline the admin SSO experience with the following recommended configuration:

  1. Configure SSO for administrators. For more information, see Configuring SSO to the PingOne for Enterprise admin portal.
  2. Remove administrative users who use an email rather than a username for sign on. If necessary, create new administrative users and select the SSO Admin check box. For more information, see Assign administrative roles.
  3. When enabling MFA (see step 7 below), select SSO Username as the SSO method for admin users.

If your admin users' usernames are the same as the email address that they use to sign on to the admin portal, you can ignore this configuration because usernames will be the same for PingID.

  1. In the PingOne for Enterprise admin portal, go to Setup > Authentication Policy.
  2. Click Edit.
  3. Select Enable authentication policy.
  4. On the Apply policy to line, click Selected groups and select the check boxes of the groups assigned as administrative groups.
    Tip:

    To improve security, click All cases to require all users to authenticate using MFA.

  5. Select the Apply authentication policy to PingOne Admin Portal check box.
  6. Optional: In the Do not apply authentication policy to list, select an administrator.
    Tip:

    Exempting a designated administrator from the authentication policy allows that administrator to sign on to the admin portal in case of problems with PingID.

  7. In the PingID username attribute for SSO admins line, select an SSO method for administrators:
    • SSO Username: Administrators sign on using their username and PingID devices as they would to sign on to the PingOne Dock.
    • Email: Administrators sign on using their email address and PingID devices as they would to sign on to the admin portal.
    Important:

    Selecting Email is not recommended unless you intend for admins to sign on through SSO as well as directly using their email and password. This will usually require admins to maintain a second set of PingID devices specifically for admin access.

  8. Select the Apply to all sign-on attempts check box.
  9. Click Save.

If you want to configure an advanced PingID authentication policy for your administrative users, see Configuring an app or group-specific authentication policy in the PingID documentation.