An Authentication Challenge Policy is the specific mechanism within PingAccess designed to enforce step-up authentication. An administrator can create this policy and apply it via a rule to a select group of resources. When a user attempts to access one of these protected resources, the policy triggers a new authentication event with PingFederate, which can be configured to require a higher level of assurance (e.g., MFA). This directly meets the requirement of applying stronger authentication to specific resources while leaving others under the existing authentication context.

B. Use context root as reserved resource base path: This is an application-level setting that prevents conflicts between the application's URLs and PingAccess's own internal URLs, and is unrelated to authentication policy.

C. Change the Context Root: This action modifies the base URL path for the entire application. It does not selectively apply different authentication requirements to specific resources within that application.

D. Manual Resource Ordering: This feature controls the evaluation priority when a request matches multiple resource paths. While potentially needed for complex rule sets, it does not create the step-up authentication requirement itself.

1. Ping Identity PingAccess 7.3 Administrator's Guide, Section: "Policy", Subsection: "Authentication Challenge Policy".

Quote/Concept: This section explicitly states, "The Authentication Challenge policy forces reauthentication for a request... This policy is useful for step-up authentication scenarios where access to a resource requires a different authentication level or context than the one associated with the existing PingAccess session."

2. Ping Identity PingAccess 7.3 Administrator's Guide, Section: "Configuring rules", Subsection: "Add a rule".

Quote/Concept: This section details the process of creating a rule and selecting a policy type, such as an Authentication Challenge Policy. It also shows how rules are associated with specific resources, demonstrating the granular control required by the scenario.

3. Ping Identity PingAccess 7.3 Administrator's Guide, Section: "Configuring applications", Subsection: "Add an application".

Quote/Concept: This section describes the "Context Root" and "Use Context Root as Reserved Resource Base Path" fields as foundational URL path settings for an entire application, confirming they are not used for per-resource authentication logic.