Sign-on policy assignment endpoints manage the sign-on policies associated with the specified application. An application can have zero or more sign-on policies assigned to it that determine how users are authenticated. The number of sign-on policies assigned to an application also controls how the authentication flow progresses.

No sign-on policy assignments

Applications that have no sign-on policy assignments use the environment resource’s default sign-on policy to authenticate users. Every environment has one designated sign-on policy as its default policy. If the environment’s default sign-on policy changes, then the application’s sign-on policy changes to use the updated default policy.

One sign-on policy assignment

Applications that have one sign-on policy assignment always use that sign-on policy to authenticate users. For example, if the application has the Single_Factor sign-on policy assigned, the application will always use this basic authentication method that prompts users to enter a username and password to authenticate the account.

Two or more sign-on policy assignments

If an application has two or more assigned sign-on policies, the authentication flow uses the sign-on policy with the highest priority (priority 1) first. If authentication is successful, the sign-on flow is complete. If authentication fails, the flow initiates the sign-on policy with the next highest priority. If authentication fails again, the sign-on flow initiates the next sign-on policy. The sign-on flow continues until one of the assigned sign-on policies completes successfully or all policies have been tried and failed.

Sign-on policy priority when acr_values is set

For applications with the protocol property set to OPENID_CONNECT, the acr_values property (set on the authorize request) identifies the exact list of sign-on policies that can execute at sign on. At sign-on, only the sign-on policies listed in the acr_values property are evaluated, and they are evaluated based on the order of the policies listed in this property. In addition, if there are numerous sign-on policies assigned to an application, setting the acr_values property limits the number of sign-on policies evaluated to only those listed in this property.

For example, if the authorize request includes acr_values=Multi_Factor Single_Factor, the authentication flow executes the Multi_Factor policy first. If the multi-factor sign-on flow completes all conditions for the policy, the flow completes and the user is issued a token. If the multi-factor policy fails, the Single_Factor policy executes. If that policy completes all conditions, the flow completes and the user is issued a token. If the single-factor policy is the last policy in the acr_values list, and it fails, then the sign-on flow fails. No other sign-on policies are tried, even if the application has additional sign-on policy assignments.
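The following is an added example, not code from the page or from PingOne, that models the two selection rules described above: priority-ordered fall-through over the application's assignments (falling back to the environment default when there are none), and the stricter acr_values path, where only the listed policies run, in the listed order. The policy names, identifiers and outcomes are constructed sample data; how a policy named in acr_values but not assigned to the application is handled is an assumption (it is skipped here), since the page does not specify that case.

```python
"""Model of sign-on policy assignment evaluation order (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Assignment:
    """One sign-on policy assignment on an application (fields mirror the data model)."""
    policy_name: str   # human-readable policy name, used in acr_values
    policy_id: str     # signOnPolicy.id
    priority: int      # 1 is evaluated first


@dataclass(frozen=True)
class SignOnResult:
    succeeded: bool
    tried: List[str]                 # policy names in the order they were attempted
    winning_policy: Optional[str]    # policy that completed, or None if all failed


# Constructed stand-in for the environment's designated default policy.
DEFAULT_POLICY = Assignment("Single_Factor", "sop-env-default-placeholder", 1)

# Constructed sample assignments for one application.
SAMPLE_ASSIGNMENTS = [
    Assignment("Single_Factor", "sop-sf-placeholder", 2),
    Assignment("Multi_Factor", "sop-mf-placeholder", 1),
    Assignment("Passwordless", "sop-pl-placeholder", 3),
]


def ordered_policies(assignments: List[Assignment],
                     acr_values: Optional[str] = None,
                     default: Assignment = DEFAULT_POLICY) -> List[Assignment]:
    """Return the policies to evaluate, in evaluation order."""
    if acr_values:
        # acr_values is space-separated; it fixes both the set and the order.
        by_name = {a.policy_name: a for a in assignments}
        # Assumption: a name that is not assigned to the application is skipped.
        return [by_name[name] for name in acr_values.split() if name in by_name]
    if not assignments:
        # No assignments: the environment's default policy applies.
        return [default]
    # Lower priority value runs first (priority 1, then 2, ...).
    return sorted(assignments, key=lambda a: a.priority)


def run_sign_on(policies: List[Assignment],
                evaluate: Callable[[Assignment], bool]) -> SignOnResult:
    """Try each policy in turn; stop at the first one that completes."""
    tried: List[str] = []
    for policy in policies:
        tried.append(policy.policy_name)
        if evaluate(policy):
            return SignOnResult(True, tried, policy.policy_name)
    return SignOnResult(False, tried, None)


def outcomes(table: Dict[str, bool]) -> Callable[[Assignment], bool]:
    """Build an evaluator from a constructed name -> pass/fail table."""
    return lambda policy: table.get(policy.policy_name, False)


if __name__ == "__main__":
    # Priority fall-through: MFA fails, single factor succeeds, passwordless never runs.
    print(run_sign_on(ordered_policies(SAMPLE_ASSIGNMENTS),
                      outcomes({"Multi_Factor": False, "Single_Factor": True})))
    # acr_values path: both listed policies fail, so the flow fails without trying Passwordless.
    print(run_sign_on(ordered_policies(SAMPLE_ASSIGNMENTS, "Multi_Factor Single_Factor"),
                      outcomes({"Passwordless": True})))
```

Note that with acr_values set, a policy that would have succeeded (Passwordless in the second run) is never reached; that is the intended narrowing effect, and it is the reason a client's acr_values list should be reviewed alongside the application's assignments when diagnosing unexpected sign-on failures.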

Applications sign-on policy assignments data model

| Property | Description |
|---|---|
| application.id | A string that specifies the application resource's unique identifier referenced by this assignment. |
| environment.id | A string that specifies the environment resource's unique identifier associated with the sign-on policy. |
| id | A string that specifies the sign-on policy assignment resource's unique identifier. |
| priority | The order in which the policy referenced by this assignment is evaluated during an authentication flow relative to other policies. An assignment with a lower priority value (for example, 1) is evaluated first. |
| signOnPolicy.id | A string that specifies the sign-on policy resource's unique identifier associated with this sign-on policy assignment. |

Response codes

| Code | Message |
|---|---|
| 200 | Successful operation. |
| 201 | Successfully created. |
| 204 | Successfully removed. No content. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 403 | You do not have permissions or are not licensed to make this request. |
| 404 | The requested resource was not found. |
| 500 | An unexpected error occurred. |