Authentication policies for applications
You can configure which authentication policies should be used for a particular application.
An application can have zero or more associated authentication policies that determine how users are authenticated. The number of sign-on policies assigned to an application also controls how the authentication steps progress.
If you have a DaVinci license, you can select PingOne policies or DaVinci flow policies, but not both. If you don’t have a DaVinci license, you can only assign PingOne policies.
|
The PingOne admin console always uses the default authentication policy. Changing the default policy could affect the ability of admins to access the PingOne admin console. |
Policies are applied in the order in which you add them. The first policy in the list overrides any subsequent policies. The default policy is always used if no policies are applied to an application.
Learn more about assigning a sign-on policy to an application in Applying authentication policies to an application.
|
If an application is assigned only one authentication policy, such as the Passwordless sign-on policy, then the application uses only that policy. If the application is assigned multiple policies, it uses policies in the order they appear in the list. |
No authentication policy assignments
Applications that aren’t assigned an authentication policy use the environment’s default authentication policy to authenticate users. Every environment has one authentication policy configured as its default policy. If the environment’s default authentication policy changes, then the application uses the updated default policy.
One authentication policy assignment
Applications that are assigned one authentication policy always use that policy to authenticate users. For example, if the application is assigned the Single_Factor authentication policy, the application always uses this basic authentication method that prompts users to enter a username and password to authenticate the account.
Two or more authentication policy assignments
If an application is assigned two or more authentication policies, the authentication flow uses the policy with the highest priority first. If authentication is successful, the authentication flow is complete. If authentication fails, the flow initiates the authentication policy with the next highest priority. If authentication fails again, the authentication flow initiates the next authentication policy. The authentication flow continues until one of the assigned policies is completed successfully or all policies have been tried and failed.