---
title: Application Sign-On Policy Assignments
description: Sign-on policy assignment endpoints manage the sign-on policies associated with the specified application. An application can have zero or more sign-on policies assigned to it that determine how users are authenticated. The number of sign-on policies assigned to an application also controls how the authentication flow progresses.
component: pingone-api
page_id: pingone-api:platform:applications/application-sign-on-policy-assignments
canonical_url: https://developer.pingidentity.com/pingone-api/platform/applications/application-sign-on-policy-assignments.html
section_ids:
  no-sign-on-policy-assignments: No sign-on policy assignments
  one-sign-on-policy-assignment: One sign-on policy assignment
  two-or-more-sign-on-policy-assignments: Two or more sign-on policy assignments
  sign-on-policy-priority-when-acr_values-is-set: Sign-on policy priority when acr_values is set
  applications-sign-on-policy-assignments-data-model: Applications sign-on policy assignments data model
  application-sign-on-policy-events-generated: Application Sign-on Policy events generated
  response-codes: Response codes
---

# Application Sign-On Policy Assignments

Sign-on policy assignment endpoints manage the sign-on policies associated with the specified application. An application can have zero or more sign-on policies assigned to it that determine how users are authenticated. The number of sign-on policies assigned to an application also controls how the authentication flow progresses.

## No sign-on policy assignments

Applications that have no sign-on policy assignments use the environment resource's default sign-on policy to authenticate users. Every environment has one designated sign-on policy as its default policy. If the environment's default sign-on policy changes, then the application's sign-on policy changes to use the updated default policy.

## One sign-on policy assignment

Applications that have one sign-on policy assignment always use that sign-on policy to authenticate users. For example, if the application has the `Single_Factor` sign-on policy assigned, the application will always use this basic authentication method that prompts users to enter a username and password to authenticate the account.

## Two or more sign-on policy assignments

If an application has two or more assigned sign-on policies, the authentication flow uses the sign-on policy with the highest priority (priority 1) first. If authentication is successful, the sign-on flow is complete. If authentication fails, the flow initiates the sign-on policy with the next highest priority. If authentication fails again, the sign-on flow initiates the next sign-on policy. The sign-on flow continues until one of the assigned sign-on policies completes successfully or all policies have been tried and failed.

## Sign-on policy priority when `acr_values` is set

For applications with the `protocol` property set to `OPENID_CONNECT`, the `acr_values` property (set on the authorize request) identifies the exact list of sign-on policies that can execute at sign-on. Only the sign-on policies listed in `acr_values` are evaluated, and they are evaluated in the order in which they are listed. If an application has many sign-on policies assigned, setting `acr_values` limits evaluation to the policies listed in this property.

For example, if the authorize request includes `acr_values=Multi_Factor Single_Factor`, the authentication flow executes the `Multi_Factor` policy first. If the multi-factor sign-on flow completes all conditions for the policy, the flow completes and the user is issued a token. If the multi-factor policy fails, the `Single_Factor` policy executes. If that policy completes all conditions, the flow completes and the user is issued a token. If the single-factor policy is the last policy in the `acr_values` list, and it fails, then the sign-on flow fails. No other sign-on policies are tried, even if the application has additional sign-on policy assignments.
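The selection rules from the sections above, written out as an added example for reviewing which policies can end up issuing a token; this is not PingOne code. The assignment fields follow this page's data model, while the ids, the id-to-name map, the `Kiosk_Login` policy, and both function names are assumptions made for illustration.

```python
# Constructed sample data. Assignment fields follow this page's data model
# (priority, signOnPolicy.id); all ids and the id-to-name map are made up.
POLICY_NAMES = {"pol-mfa": "Multi_Factor", "pol-sf": "Single_Factor",
                "pol-kiosk": "Kiosk_Login"}
ASSIGNMENTS = [
    {"id": "asg-2", "priority": 2, "signOnPolicy": {"id": "pol-sf"}},
    {"id": "asg-1", "priority": 1, "signOnPolicy": {"id": "pol-mfa"}},
    {"id": "asg-3", "priority": 3, "signOnPolicy": {"id": "pol-kiosk"}},
]


def evaluation_order(assignments, policy_names, default_policy, acr_values=None):
    """Return (policy names in evaluation order, acr names with no assignment)."""
    if not assignments and not acr_values:
        # No assignments: the environment's default sign-on policy is used.
        return [default_policy], []
    by_priority = sorted(assignments, key=lambda a: a["priority"])
    assigned = [policy_names[a["signOnPolicy"]["id"]] for a in by_priority]
    if not acr_values:
        # Priority 1 runs first; each failure falls through to the next one.
        return assigned, []
    # acr_values (OPENID_CONNECT apps): only the listed policies are evaluated,
    # in the order listed, regardless of assignment priority.
    requested = list(dict.fromkeys(acr_values.split()))
    order = [name for name in requested if name in assigned]
    # Names without a matching assignment are reported for review only; this
    # page does not say how the service treats them.
    unknown = [name for name in requested if name not in assigned]
    return order, unknown


def weaker_fallbacks(order, weak_policies):
    """Policies the reviewer classes as weak that run only after an earlier one fails."""
    return [name for name in order[1:] if name in weak_policies]


if __name__ == "__main__":
    for acr in (None, "Multi_Factor Single_Factor", "Multi_Factor"):
        order, unknown = evaluation_order(ASSIGNMENTS, POLICY_NAMES, "Default", acr)
        print(acr, order, unknown, weaker_fallbacks(order, {"Single_Factor"}))
```

Which policies count as weak is the reviewer's own classification; a non-empty result from `weaker_fallbacks` means a failed stronger policy falls through to one of them.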

## Applications sign-on policy assignments data model

| Property          | Type    | Required? | Mutable?  | Description                                                                                                                                                                                     |
| ----------------- | ------- | --------- | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `application.id`  | String  | Required  | Read-only | The application resource ID associated with the sign-on policy assignment.                                                                                                                      |
| `environment.id`  | String  | Required  | Read-only | The environment associated with the application sign-on policy assignment.                                                                                                                      |
| `id`              | String  | Required  | Read-only | The sign-on policy assignment resource's unique identifier.                                                                                                                                     |
| `priority`        | Integer | Required  | Mutable   | The order in which the policy referenced by this assignment is evaluated during an authentication flow relative to other policies. An assignment with a lower `priority` value is evaluated first (priority 1 is the highest priority). |
| `signOnPolicy.id` | String  | Required  | Mutable   | The sign-on policy resource's unique identifier associated with this sign-on policy assignment.                                                                                                 |

## Application Sign-on Policy events generated

Refer to [Audit Reporting Events](../reference/audit-reporting-events.html) for the events generated.

## Response codes

| Code | Message                                                               |
| ---- | --------------------------------------------------------------------- |
| 200  | Successful operation.                                                 |
| 201  | Successfully created.                                                 |
| 204  | Successfully removed. No content.                                     |
| 400  | The request could not be completed.                                   |
| 401  | You do not have access to this resource.                              |
| 403  | You do not have permissions or are not licensed to make this request. |
| 404  | The requested resource was not found.                                 |
| 500  | An unexpected error occurred.                                         |
