--- title: Sign-On Policies description: "Sign-on policies (identified in the PingOne UI as \"Authentication Policy\") determine the account authentication flow users must complete to access applications secured by PingOne services." component: pingone-api page_id: pingone-api:platform:sign-on-policies canonical_url: https://developer.pingidentity.com/pingone-api/platform/sign-on-policies.html section_ids: sign-on-policies: Sign-on policies sign-on-policy-actions: Sign-on policy actions assigning-admin-roles-and-permissions-to-this-service: Assigning admin roles and permissions to this service --- # Sign-On Policies Sign-on policies (identified in the PingOne UI as "Authentication Policy") determine the account authentication flow users must complete to access applications secured by PingOne services. Sign-on policies are defined by their associated actions. For example, the `LOGIN` action prompts users for a username and password. The `MULTI_FACTOR_AUTHENTICATION` action prompts users to complete a second authentication action, such as entering a one-time passcode received on a registered device or accepting a push confirmation on a registered native device. | | | | - | ---------------------------------------------------------------------------- | | | A sign-on policy can have a maximum of 20 associated sign-on policy actions. | For more information about sign-on policies, refer to [Authentication policies](https://docs.pingidentity.com/pingone/authentication/p1_authenticationpolicies.html) in the PingOne Admin Guide. An application's sign-on policy determines the flow states and the corresponding actions required to complete an authentication workflow. The following diagram shows the PingOne platform sign-on policy selection logic: ![Sign-on policy selection logic](../_images/p1_PolicySelectionLogic.svg) When the authentication workflow begins, the flow gets the list of sign-on policies assigned to the application and evaluates the policy conditions that must be met to complete sign on. The sign-on policy evaluation logic is shown in the diagram below: ![Sign-on policy evaluation logic](../_images/p1_PolicyLogic.svg) ## Sign-on policies The `/environments/{{envID}}/signOnPolicies` endpoint provides operations to create, read, update, and delete sign-on policies. For more information, refer to [Sign-On Policies](sign-on-policies.html). ## Sign-on policy actions The `/environments/{{envID}}/signOnPolicies/{{policyID}}/actions` endpoint provides operations to create, read, update, and delete sign-on policy actions. For more information, refer to [Sign-On Policy Actions](sign-on-policies/sign-on-policy-actions.html). For information about an application's sign-on policy assignments, refer to [Application Sign-On Policy Assignments](applications/application-sign-on-policy-assignments.html). For related information, refer to [PingOne authentication flow states](../foundations/authentication-concepts/pingone-authentication-flow-states.html). ## Assigning admin roles and permissions to this service Admin role assignments determine access to PingOne APIs. When assigning admin roles to this service, refer to [PingOne Permissions by Service](reference/roles-and-permissions-in-pingone/permissions-by-service.html) for the service-specific permissions. You can also choose to assign admin roles based on particular service resources. Refer to [PingOne Permissions by Resource](reference/roles-and-permissions-in-pingone/permissions-by-resource.html) when assigning admin roles per service resources. Admin assignments to roles are set by: * [Automatic assignment for some roles](roles/predefined-roles.html#automatic-role-assignment). * [Group Role Assignments](group-role-assignments/group-role-assignments.html). * [User Role Assignments](users/user-role-assignments.html). Refer to [Roles Management](roles.html) for more information.