Sign-On Policies
Sign-on policies (identified in the PingOne UI as "Authentication Policy") determine the account authentication flow users must complete to access applications secured by PingOne services.
Sign-on policies are defined by their associated actions. For example, the LOGIN action prompts users for a username and password. The MULTI_FACTOR_AUTHENTICATION action prompts users to complete a second authentication action, such as entering a one-time passcode received on a registered device or accepting a push confirmation on a registered native device.
A sign-on policy can have a maximum of 20 associated sign-on policy actions.
For more information about sign-on policies, refer to Authentication policies in the PingOne Admin Guide.
An application’s sign-on policy determines the flow states and the corresponding actions required to complete an authentication workflow. The following diagram shows the PingOne platform sign-on policy selection logic:
When the authentication workflow begins, the flow gets the list of sign-on policies assigned to the application and evaluates the policy conditions that must be met to complete sign on. The sign-on policy evaluation logic is shown in the diagram below:
Sign-on policies
The /environments/{{envID}}/signOnPolicies endpoint provides operations to create, read, update, and delete sign-on policies.
For more information, refer to Sign-On Policies.
Sign-on policy actions
The /environments/{{envID}}/signOnPolicies/{{policyID}}/actions endpoint provides operations to create, read, update, and delete sign-on policy actions.
For more information, refer to Sign-On Policy Actions.
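The following is an added example, not part of the PingOne documentation: a small audit over sign-on policy action lists that flags policies with no MULTI_FACTOR_AUTHENTICATION action, policies over the 20-action limit stated above, and ambiguous action ordering. The record layout (a policy name mapped to a list of actions with "type" and "priority" keys) and the sample data are assumptions constructed for this example; adapt the keys to the data you actually export from the actions endpoint.

```python
MAX_ACTIONS = 20  # maximum actions per sign-on policy, as stated on this page

# Constructed sample data (assumed layout: policy name -> list of actions).
SAMPLE_POLICIES = {
    "Single_Factor": [{"type": "LOGIN", "priority": 1}],
    "Multi_Factor": [
        {"type": "MULTI_FACTOR_AUTHENTICATION", "priority": 2},
        {"type": "LOGIN", "priority": 1},
    ],
    "Empty": [],
    "Oversized": [{"type": "LOGIN", "priority": n} for n in range(1, 22)],
}


def audit_policy(name, actions):
    """Return a list of findings for one sign-on policy."""
    if not actions:
        # A policy with no actions defines no authentication step at all.
        return [f"{name}: no actions defined"]
    findings = []
    if len(actions) > MAX_ACTIONS:
        findings.append(
            f"{name}: {len(actions)} actions exceeds the limit of {MAX_ACTIONS}"
        )
    types = [a["type"] for a in actions]
    if "MULTI_FACTOR_AUTHENTICATION" not in types:
        # Users of this policy are never prompted for a second factor.
        findings.append(f"{name}: no MULTI_FACTOR_AUTHENTICATION action")
    priorities = [a["priority"] for a in actions]
    if len(set(priorities)) != len(priorities):
        # Two actions sharing a priority make the evaluation order unclear.
        findings.append(f"{name}: duplicate action priorities")
    return findings


def audit_all(policies):
    """Audit every policy; an empty list means no findings."""
    return {name: audit_policy(name, acts) for name, acts in policies.items()}


if __name__ == "__main__":
    for policy, findings in audit_all(SAMPLE_POLICIES).items():
        print(policy, "->", findings or "ok")
```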
For information about an application’s sign-on policy assignments, refer to Application Sign-On Policy Assignments.
For related information, refer to PingOne authentication flow states.
Assigning admin roles and permissions to this service
Admin role assignments determine access to PingOne APIs. When assigning admin roles to this service, refer to PingOne Permissions by Service for the service-specific permissions.
You can also choose to assign admin roles based on particular service resources. Refer to PingOne Permissions by Resource when assigning admin roles per service resources.
Admin assignments to roles are set by:
Refer to Roles Management for more information.