Sign-on policies (identified in the PingOne UI as “Authentication Policy”) determine the account authentication flow users must complete to access applications secured by PingOne services.

Sign-on policies are defined by their associated actions. For example, the LOGIN action prompts users for a username and password. The MULTI_FACTOR_AUTHENTICATION action prompts users to complete a second authentication action, such as entering a one-time passcode received on a registered device or accepting a push confirmation on a registered native device.

A sign-on policy can have a maximum of 20 associated sign-on policy actions.

An application’s sign-on policy determines the flow states and the corresponding actions required to complete an authentication workflow. The following diagram shows the PingOne platform sign-on policy selection logic:

Policy selection logic

When the authentication workflow begins, the flow gets the list of sign-on policies assigned to the application and evaluates the policy conditions that must be met to complete sign on. The sign-on policy evaluation logic is shown in the diagram below:

Policy logic

Sign-on policies

The /environments/{{envID}}/signOnPolicies endpoint provides operations to create, read, update, and delete sign-on policies.

For more information, see Sign-On Policies.

Sign-on policy actions

The /environments/{{envID}}/signOnPolicies/{{policyID}}/actions endpoint provides operations to create, read, update, and delete sign-on policy actions.

For more information, see Sign-On Policy Actions.

Note: For information about an application’s sign-on policy assignments, see Application Sign-On Policy Assignments.