PingOne

Adding an experience - Identity Provider First (early access)

You can add sign-on experiences from the PingOne Design Center page.

The Identity Provider First experience allows users to access your applications by bypassing the PingOne sign-on prompt and authenticating directly with the external identity provider (IdP). PingOne still provides multi-factor authentication (MFA) for the experience if you enable it.

Before you begin

You must have the Environment Admin role or a custom role with equivalent permissions to add experiences.

You must have at least one external IdP configured in your environment to select this experience. Learn more in External IdPs.

Steps

  1. In the PingOne admin console, go to Orchestration > Design Center and click the Plus icon.

  2. On the Choose a Sign-On Pattern page, click Identity Provider First, then click Next.

    A screenshot of the Choose a Sign-on Pattern page with the Identity Provider First sign-on pattern selected. The right panel shows a preview of the experience you’re building.

    You configure the experience using controls in the left pane. As you update your configuration, the Preview pane on the right updates to display a visualization of the experience you’re building.

  3. On the Details tab, enter a name and description for the experience, then click Next.

  4. On the First Factor tab, in the Redirect-Based Sign-In section, select an IdP in the list and click Add Identity Provider.

    A screenshot of the First Factor tab for an Identity Provider First experience. An Identity Provider is being added in the Redirect-Based Sign-In section.

  5. (Optional) Click the More Options (⋮) icon and select Edit Identity Provider to view and edit the IdP in a new tab, or click Remove to remove the IdP from the list.

  6. Select the Session Timeout option to require users to reauthenticate after the specified time period.

    After you select this option, configure the time period by selecting a number and a unit of time in the Authentication Timeout fields. For example, if you select 4 Hours, users must sign on again if their last sign-on was more than 4 hours ago.

    A screenshot of the Session Timeout option. The Session Timeout option is selected, and the Authentication Timeout is set to 4 hours.

    If you configure PingOne Protect features in your experience, this setting might be overridden based on the risk policy selected and whether a potential security risk is indicated. Learn more in Risk policies.

  7. Click Next.

  8. (Optional) On the MFA and Security tab, select Enable Multi-Factor Authentication to require MFA in the experience, then configure the MFA settings:

    Multi-Factor Authentication

    Select one of the following two options for MFA:

    • Adaptive MFA (Risk-based)

      Applicable only to environments that include PingOne Protect.

      After you select this option, select a risk policy in the Policy to Evaluate list.

      Based on the selected policy, risk signals are evaluated to determine whether to require users to complete an MFA step. For example, the policy might require MFA only when a user is signing on from a new device or location.

      This list only shows risk policies that include a mitigation rule configured to support MFA. The Returned Action for the mitigation must be one of the following:

      • Deny: Don’t allow the user to sign on if the risk policy is triggered.

      • MFA: Prompt the user to complete an MFA step if the risk policy is triggered.

      • Approve: Allow the user to sign on without requiring MFA even if the risk policy is triggered.

      Learn more in Risk policies.

    • Standard MFA

      You must have at least one MFA policy configured in the environment to use this option.

      After you select this option, select an MFA policy in the Policy to Evaluate list. Based on the policy, users must confirm their identity during sign on using a second factor enabled in the policy. Learn more in Configuring an MFA policy for strong authentication.

    A screenshot of the Multi-factor Authentication section. The Adaptive MFA (Risk-based) option is selected.

    MFA Session Timeout

    Select to require users to complete MFA again after a specified time period. This option is independent of the Session Timeout option, which determines when users must reauthenticate with their primary credentials. With MFA Session Timeout enabled, users must complete an MFA step again if their session exceeds the specified time period.

    After you select this option, configure the time period by selecting a number and a unit of time in the MFA Session Timeout fields. For example, if you select 12 Hours, users must complete an MFA step again if their last MFA prompt was completed more than 12 hours ago.

    A screenshot of the MFA Session Timeout options in Design Center. The timeout is set to 12 Hours.

    If you’ve enabled adaptive (risk-based) MFA in the experience, the risk policy might override this setting based on the policy settings and whether or not a potential security risk is indicated. Learn more in Risk policies.

    MFA Enrollment

    Select to allow users to sign on with just their username and password, but then require them to configure a second authentication method, such as a passkey or one-time passcode (OTP).

    After you select this option, select the applicable MFA policy from the Policy to Evaluate list. Allowed methods are determined by the MFA policy you select.

    To require users to enroll in MFA during sign-on, select the MFA Enrollment Required checkbox. If disabled, users who didn’t enroll an MFA device during registration are prompted to enroll during their next authentication.

  9. Click Next.

  10. On the Summary tab, review the selections you’ve made for your authentication experience.

  11. Click Save.
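The Session Timeout, MFA Session Timeout and Returned Action settings configured in the steps above interact when a user signs on; the following is an added model of that decision in Python, not PingOne's own code, and it assumes that a triggered MFA or Approve action overrides the MFA timeout and that a user who has never completed a step is treated as timed out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical model of the Design Center timeout and risk-action settings
# described above. Added illustration only; not PingOne's implementation.

DENY, MFA, APPROVE = "Deny", "MFA", "Approve"   # Returned Action values


@dataclass
class ExperienceSettings:
    # First Factor tab > Session Timeout; None means the option is not selected
    session_timeout: Optional[timedelta]
    # MFA and Security tab > MFA Session Timeout; None means not selected
    mfa_session_timeout: Optional[timedelta]


def _expired(last: Optional[datetime], now: datetime,
             timeout: Optional[timedelta]) -> bool:
    """True when a timeout is configured and the last completion is older than it."""
    if timeout is None:
        return False
    # Assumption: a user who has never completed the step is treated as expired.
    # "More than N hours ago" means strictly greater, so exactly N hours passes.
    return last is None or now - last > timeout


def evaluate_sign_on(settings: ExperienceSettings, now: datetime,
                     last_sign_on: Optional[datetime],
                     last_mfa: Optional[datetime],
                     risk_action: Optional[str] = None) -> dict:
    """Decide what this sign-on attempt requires.

    risk_action is the Returned Action of a triggered mitigation rule when
    Adaptive MFA is enabled (Deny, MFA, Approve), or None if no rule triggered.
    """
    if risk_action == DENY:
        return {"deny": True, "reauthenticate": False, "mfa": False}
    # The two timeouts are evaluated independently of each other.
    reauth = _expired(last_sign_on, now, settings.session_timeout)
    mfa = _expired(last_mfa, now, settings.mfa_session_timeout)
    # Assumption: a triggered MFA or Approve action overrides the MFA timeout.
    if risk_action == MFA:
        mfa = True
    elif risk_action == APPROVE:
        mfa = False
    return {"deny": False, "reauthenticate": reauth, "mfa": mfa}
```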

Result

After you save the experience, you’re returned to the Design Center and the following occurs:

  • The new experience is available in the list of available experiences in the Design Center. You can edit, duplicate, or delete experiences from this list.

    A screenshot of the Design Center page showing the list of three available experiences and the More Options menu.

  • The unique read-only sign-on and registration forms for the experience are listed in the Design Center Forms section of the DaVinci Forms page. You can view the forms, but you can’t edit them directly. If you want to customize the forms, you can duplicate them and edit the copies. Learn more in Forms.

    A screenshot of the Forms page showing the read-only forms for experiences.

    If you created an Identity Provider First experience or another experience for which you didn’t enable registration, there won’t be a registration form.

    Additional read-only forms are created and shared across experiences.

  • The experience is available on the Policies tab for applications as a DaVinci flow policy that you can assign to the application. Learn more in Authentication policies for applications and Applying authentication policies to an application.

    A screenshot of the DaVinci Policies tab for an application showing several experiences which are outlined with a red box.

  • The experience is available in the PingOne DaVinci admin console as a read-only DaVinci flow. If you want to view the flow, you can click DaVinci in the PingOne sidebar to open the DaVinci admin console, and then click Flows. The applicable flows include a Design Center label.

    If you want to refine your experience further to use it for more complex use cases, you can clone and edit the flow in DaVinci.

    You must have the DaVinci Admin role or a custom role with equivalent permissions to clone and customize these flows. If you only want to view the flow, you can have the DaVinci Admin Read Only role or a custom role with equivalent permissions.

    Learn more in Cloning a flow and How to manage flows in the DaVinci documentation.

    A screenshot of the DaVinci admin console showing two read-only flows for experiences.