For CyberArk and Ping Identity best practices, deploy MFA for all single sign-on (SSO) requests to the CyberArk Password Vault Web Access (PVWA).
Integrate a PingFederate authentication policy with PingID multi-factor authentication (MFA).
Note:
The following configuration steps assume you are creating a new authentication policy specifically for MFA to the CyberArk PVWA. If other existing authentication policies are in use, modify your policy tree to perform this task.