  1. In your PingOne tenant, go to Experiences > Authentication Policies and click Add Policy.
  2. In the Policy Name field, enter a unique policy name.
  3. In the Step Type list, select External Identity Provider.
  4. In the External Identity Provider list, select the external IdP you want to delegate to.

    Disabled external IdPs are marked as such in the list, for example PFIDP (Disabled).
  5. Optional: In the Required Authentication Level field, specify an authentication context to request from the IdP.

    For example, if you are using PingFederate, you can use a selector on the incoming authentication context to determine which authentication policy flow applies.
  6. Click Save and Continue.

Depending on how you want to use it, you can configure this policy as the default or assign it to specific applications. When a user accesses an application that has this policy assigned, they are automatically sent to the external IdP for authentication.

After a successful return from the external IdP:

  • If the user doesn't exist in PingOne, the user is created.
  • If the user does exist in PingOne, the user is prompted to link the accounts and is then passed to their respective application.