Sign-on policy assignment endpoints manage the sign-on policies associated with the specified application. An application can have zero or more sign-on policies assigned to it that determine how users are authenticated. The number of sign-on policies assigned to an application also controls how the authentication flow progresses.
Applications that have no sign-on policy assignments use the environment resource’s default sign-on policy to authenticate users. Every environment has one designated sign-on policy as its default policy. If the environment’s default sign-on policy changes, then the application’s sign-on policy changes to use the updated default policy.
Applications that have one sign-on policy assignment always use that sign-on policy to authenticate users. For example, if the application has the Single_Factor sign-on policy assigned, the application will always use this basic authentication method that prompts users to enter a username and password to authenticate the account.
If an application has two or more assigned sign-on policies, the authentication flow uses the sign-on policy with the highest priority (priority 1) first. If authentication is successful, the sign-on flow is complete. If authentication fails, the flow initiates the sign-on policy with the next highest priority. If authentication fails again, the sign-on flow initiates the next sign-on policy. The sign-on flow continues until one of the assigned sign-on policies completes successfully or all policies have been tried and failed.
For applications with the protocol property set to
acr_values property (set on the authorize request) identifies the exact list of sign-on policies that can execute at sign on. At sign-on, only the sign-on policies listed in the acr_values property are evaluated, and they are evaluated in the order in which the policies are listed in this property. In addition, if there are numerous sign-on policies assigned to an application, setting the acr_values property limits the sign-on policies evaluated to only those listed in this property.
For example, if the authorize request includes acr_values=Multi_Factor Single_Factor, the authentication flow executes the Multi_Factor policy first. If the multi-factor sign-on flow completes all conditions for the policy, the flow completes and the user is issued a token. If the multi-factor policy fails, the Single_Factor policy executes. If that policy completes all conditions, the flow completes and the user is issued a token. If the single-factor policy is the last policy in the acr_values list and it fails, then the sign-on flow fails. No other sign-on policies are tried, even if the application has additional sign-on policy assignments.
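The selection rules above (no assignment, one assignment, several assignments ordered by priority, and an acr_values list that restricts and orders evaluation) as a small constructed simulation. This is an added example, not the identity service's own code; the policy names, the environment default name and the per-policy outcome table are made-up inputs, and skipping acr_values entries that are not assigned to the application is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of the sign-on policy selection rules described above.
# Illustrative only; not the identity service's implementation.


@dataclass
class Application:
    # policy name -> assignment priority; 1 is the highest priority
    assignments: Dict[str, int] = field(default_factory=dict)


def evaluation_order(app: Application, env_default: str,
                     acr_values: Optional[str] = None) -> List[str]:
    """Return the sign-on policies that will be tried, in order."""
    if acr_values:
        # acr_values (space separated, as on the authorize request) fixes both
        # the set and the order of policies. Assumption: names not assigned to
        # the application are skipped rather than treated as an error.
        return [p for p in acr_values.split() if p in app.assignments]
    if not app.assignments:
        # No assignments: the environment's current default policy is used.
        return [env_default]
    # One or more assignments: lowest priority number first.
    return sorted(app.assignments, key=app.assignments.__getitem__)


def run_sign_on(order: List[str],
                outcomes: Dict[str, bool]) -> Tuple[Optional[str], List[str]]:
    """Walk the policies in order; stop at the first that completes.

    `outcomes` maps a policy name to whether all of its conditions were met
    (constructed input standing in for the real challenge exchange). Returns
    the policy that succeeded (None if every policy failed) and the policies
    that were actually tried.
    """
    tried: List[str] = []
    for policy in order:
        tried.append(policy)
        if outcomes.get(policy, False):
            return policy, tried   # flow complete; a token would be issued
    return None, tried             # every listed policy failed: sign-on fails
```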
|Property|Description|
|---|---|
||The identifier of the resource referenced by this relationship.|
||A string that specifies the unique identifier of the environment resource associated with the sign-on policy.|
||A string that specifies the sign-on policy assignment resource's unique identifier.|
||The order in which the policy referenced by this assignment is evaluated during an authentication flow relative to other policies. An assignment with a lower priority value is evaluated first.|
||A string that specifies the unique identifier of the sign-on policy resource associated with this sign-on policy assignment.|
|Status|Description|
|---|---|
|204|Successfully removed. No content.|
|400|The request could not be completed.|
|401|You do not have access to this resource.|
|403|You do not have permissions or are not licensed to make this request.|
|404|The requested resource was not found.|
|500|An unexpected error occurred.|