Application Flow Policy Assignments
Flow policy assignment endpoints manage the flow policies associated with the specified application. An application can have zero or more flow policies assigned to it that determine how users are authenticated. The number of flow policies assigned to an application also controls how the authentication flow progresses.
No flow policy assignments
Applications that have no flow policy assignments use the environment resource’s default sign-on policy to authenticate users (or a designated sign-on policy assignment).
One flow policy assignment
Applications that have one flow policy assignment always use that flow policy to authenticate users.
Two or more flow policy assignments
If an application has two or more assigned flow policies, the authentication flow uses the flow policy with the highest priority (priority 1) first. If authentication is successful, the flow is complete. If authentication fails, the flow initiates the flow policy with the next highest priority. The flow continues until one of the assigned flow policies completes successfully or all policies have been tried and failed.
OIDC applications can request a lower-priority policy by using the acr_values OIDC parameter with the desired PingOne authentication name or DaVinci flow policy ID. Refer to OpenID Connect/OAuth2 data model.
SAML applications can request a lower-priority policy by sending a SAML 2.0 authentication request with the RequestedAuthnContext parameter, where the value indicates the desired PingOne authentication name or DaVinci flow policy ID. Note that enableRequestAuthnContext must be set to true for the SAML application. Refer to SAML settings data model.
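The fallback order described above, modeled as an added example; it is not PingOne code and not part of the original documentation. The `Assignment` field names, the `attempt` callback, and the reviewer-supplied `strength` scores are assumptions made for this sketch, which can be used to review which weaker policies remain reachable when the priority 1 policy fails.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Assignment:
    # Field names are assumptions for this sketch, not the API's property names.
    policy_id: str
    priority: int  # 1 is tried first


def evaluation_order(assignments: List[Assignment]) -> List[Assignment]:
    """Return assignments in the order the flow tries them (priority 1 first)."""
    seen = set()
    for a in assignments:
        # The page does not say how ties are ordered, so this sketch rejects them.
        if a.priority in seen:
            raise ValueError(f"duplicate priority {a.priority}")
        seen.add(a.priority)
    return sorted(assignments, key=lambda a: a.priority)


def authenticate(assignments: List[Assignment],
                 attempt: Callable[[str], bool]) -> Tuple[Optional[str], List[str]]:
    """Try each policy in order until one succeeds or all have failed."""
    tried: List[str] = []
    for a in evaluation_order(assignments):
        tried.append(a.policy_id)
        if attempt(a.policy_id):
            return a.policy_id, tried
    return None, tried


def weaker_fallbacks(assignments: List[Assignment],
                     strength: Dict[str, int]) -> List[str]:
    """Policies weaker than the priority-1 policy that the flow can still reach."""
    ordered = evaluation_order(assignments)
    if not ordered:
        return []
    top = strength[ordered[0].policy_id]
    return [a.policy_id for a in ordered[1:] if strength[a.policy_id] < top]


# Constructed sample data: policy names and strength scores are made up.
SAMPLE = [Assignment("single-factor", 2), Assignment("mfa", 1),
          Assignment("passwordless", 3)]
SCORES = {"mfa": 3, "single-factor": 1, "passwordless": 3}

if __name__ == "__main__":
    print(authenticate(SAMPLE, lambda p: p == "single-factor"))
    print(weaker_fallbacks(SAMPLE, SCORES))
```

Any policy returned by `weaker_fallbacks` is one a user reaches after failing the priority 1 policy, so it is worth reviewing before the assignment is created.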
Flow policies and the PingOne application portal
If the PingOne application portal is not configured with any flow policies, it will use the default PingOne policy.
You can apply policies other than the default to the PingOne application portal by appending the policy query parameter to your Application Portal Home Page URL. For example, the Home Page URL https://apps.pingone.com/<envID>/myapps/ would become https://apps.pingone.com/<envID>/myapps/?policy=<value>, where <value> is the name of a configured PingOne policy, or the ID of a configured DaVinci flow policy. If the policy name or ID doesn’t match any configured policy, then PingOne returns an error.
Application flow policy assignments data model
| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| | String | Required | Read only | A string that specifies the application resource ID associated with the flow policy assignment. |
| | String | Required | Read only | A string that specifies the environment associated with the application. |
| | String | Required | Mutable | A string that specifies the flow policy resource ID associated with the flow policy assignment. |
| | String | Required | Read only | A string that specifies the flow policy assignment resource’s unique identifier. |
| | Integer | Required | Mutable | The order in which the policy referenced by this assignment is evaluated during an authentication flow relative to other policies. An assignment with a lower priority value is evaluated first. |
Flow Policy events generated
Refer to Audit Reporting Events for the events generated.
Response codes
| Code | Message |
|---|---|
| 200 | Successful operation. |
| 201 | Successfully created. |
| 204 | Successfully removed. No content. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 403 | You do not have permissions or are not licensed to make this request. |
| 404 | The requested resource was not found. |
| 500 | An unexpected error occurred. |