--- title: Setting up and testing a custom authentication policy description: Authentication policies are used in PingFederate to implement complex authentication requirements. This document explains how to create a new custom authentication policy in PingFederate, and then test the policy. component: solution-guides page_id: solution-guides:workforce_use_cases:htg_set_up_test_custom_authn_policy canonical_url: https://docs.pingidentity.com/solution-guides/workforce_use_cases/htg_set_up_test_custom_authn_policy.html revdate: April 14, 2025 page_aliases: ["workforce_use_cases:htg_set_up_test_custom_authn_policy_create_pf_policy.adoc", "workforce_use_cases:htg_set_up_test_custom_authn_policy_test_pf_policy.adoc"] section_ids: component: Component creating-a-custom-authentication-policy-in-pingfederate: Creating a custom authentication policy in PingFederate before-you-begin: Before you begin about-this-task: About this task steps: Steps choose-from: Choose from: result: Result: testing-a-custom-authentication-policy-in-pingfederate-html-form-with-pingid-mfa: Testing a custom authentication policy in PingFederate (HTML Form with PingID MFA) before-you-begin-2: Before you begin about-this-task-2: About this task steps-2: Steps result-2: Result: --- # Setting up and testing a custom authentication policy Authentication policies are used in PingFederate to implement complex authentication requirements. This document explains how to create a new custom authentication policy in PingFederate, and then test the policy. ## Component PingFederate 10.0 or later ## Creating a custom authentication policy in PingFederate Build and deploy a simple example of a custom authentication policy in PingFederate when there are multiple user types that need different authentication flows. ### Before you begin Make sure you have the following: * PingFederate 10 or later with administrator access to web console * PingID for multi-factor authentication (MFA) * HTML Form identity provider (IdP) adapter * Simple password credential validator (PCV) * A second SimpleForm (HTML Form adapter) instead of PingID * IdP connection * Selector ### About this task Authentication policies are an optional configuration in PingFederate and help administrators implement complex authentication requirements. A simple example of a custom authentication policy is having PingID act as a second-factor authentication event that triggers after a username and password form. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Consider a custom policy when there are multiple user types that need different authentication flows, or if you want to chain together two types of authenticators, such as username and password with MFA. | ### Steps 1. In the PingFederate administrative console, go to **Authentication > Policies > Policies**. 2. In the **Authentication Policies** window, click **Add Policy**. 3. In the **Name** field, enter a policy name. 4. In the **Description** field, enter a description. 5. In the **Policy** list, select a previously created configuration: #### Choose from: * **IdP Adapter** * **IdP Connection** * **Selector** 6. In the **Fail** field, click **Done**. This means if the user fails authenticating the SimpleForm, their single sign-on (SSO) session ends. 7. From the **Success** list, select the **PingID Adapter**. Additional Fail/Success lists will appear. ![Screen capture illustrating the Policy configuration for a authentication policy. The Policy type shows SimpleForm. After this field are the Fail field set to Done and the Success field set to - Adapter. There are two hyperlinks below the Success field: Options and Rules.](_images/ppm1600454406019.png) 1. Click **Options**. 8. In the **Incoming User ID** window, from the **Source** list, select **Adapter (SimpleForm)** and from the **Attribute** list, select **username**. ![Screen capture illustrating the Incoming User ID window in . There are two lists: Source and Attribute. The Source list shows Adapter (SimpleForm) and the Attribute list shows username. Next to the list selection fields is the Clear hyperlink option. At the bottom of the window are the option for Cancel and the Done button.](_images/qpr1600454522166.png) 1. Click **Done**. 9. After the **Success** list, set the **Fail** and **Success** lists to **Done**. ![Screen capture illustrating the configured Policy fields for a custom authentication policy in . The Policy type shows SimpleForm. After this field are the Fail field set to Done and the Success field set to - Adapter. There are two hyperlinks below the Success field: Options and Rules. After the Success field are another pair of Fail and Success fields, both set to Done.](_images/nyz1600454165402.png) 1. Click **Done**. #### Result: The custom policy appears in the **Policies** window in the **Policy** list. 10. To save and enable the new policy, click **Save**. ![Screen capture of the Policies window on the Policies tab in with a configured and enabled policy in the Policy list. A green toggle to the right of the policy information indicates the policy is enabled. At the bottom of the image is a hyperlink option to Cancel and the Next and Save buttons.](_images/aip1600454717333.png) ## Testing a custom authentication policy in PingFederate (HTML Form with PingID MFA) Test the custom authentication policy you created in PingFederate. ### Before you begin Set up a service provider (SP) connection. ### About this task This requires an SP connection. This example uses the website HTTP\_BIN as a sample application that PingFederate sends the user to after the custom authentication policy has completed successfully. ### Steps 1. Locate an SP Connection that you configured previously to leverage the custom authentication policy. 1. Go to **Applications > SP Connections > SP Connection > Activation & Summary**. 2. Click the **SSO Application Endpoint**. ![Screen capture illustrating the SSO Application Endpoint URL on the SP Connection Actiation & Summary tab in .](_images/jny1600455071838.png) #### Result: The **Sign On** window appears. 3. Enter a valid **Username** and **Password** based on your SimpleForm and SimplePCV settings. 1. Click **Sign On**. ![Screen capture illustrating the Sign On window redirect from the SSO Application Endpoint.](_images/rav1600455279388.png) 4. Approve the sign-on request using multi-factor authentication (MFA), such as your mobile push. ![Screen capture illustrating the MFA push notification.](_images/zec1600455392649.png) | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | * If you entered a username and password combination that doesn't authenticate, an error message will display. * If you entered a recognized user in the form, but the user has not yet enrolled in PingID, a registration window will display. |