Use zones in routing rules

If you configure routing rules for Identity Providers, you can include network zones to control the IP addresses where a rule applies.

For example, you can specify that sign-in requests from IP addresses that come through a gateway or a trusted proxy included in the LegacyIpZone should be routed to the Okta Identity Provider.

By default, there are two network zones reserved for specific scenarios. The BlockedIpZone is reserved for blocking all traffic from the IP addresses or IP address ranges you specify. The LegacyIpZone is primarily reserved for authentication using Integrated Windows Authentication (IWA) agents. You can't use the BlockedIpZone in routing rules. You can use the LegacyIpZone in a routing rule, if applicable.

Before you begin

You must have configured at least one Identity Provider before you can use zones in routing rules. See Identity Providers.

Configure a routing rule

To configure a routing rule:

  1. In the Admin Console, go to Security > Identity Providers > Routing Rules.

  2. Click Add Routing Rule.

  3. Enter a descriptive name for the rule that you want to create in the Rule Name field.

  4. For IF User's IP, select where this rule applies:

    • Select In zone to apply the rule if the user's IP address is within the zone.

    • Select Not in zone to apply the rule if the user's IP address isn't in the zone.

    • Select All Zones or type part of the zone name to specify the zones where the rule applies. For information about creating zones, see Create zones for IP addresses.

  5. Configure additional settings for the device, application, user, and Identity Provider where the rule applies, then click Create Rule.

  6. Click Activate.
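The following is an added example, not Okta's own code, that models how the In zone, Not in zone and All Zones options resolve for a given sign-in IP once rules like the one above are active. It assumes rules are evaluated top to bottom with the first match winning and unmatched sign-ins going to Okta; the zone name CorpNetZone, the IdP name ExternalSAML and all addresses are constructed.

```python
"""Evaluate Identity Provider routing rules against a client IP address.
Constructed example modelling the zone conditions described in the steps."""
import ipaddress
from dataclasses import dataclass

BLOCKED_ZONE = "BlockedIpZone"   # reserved deny zone; never valid in a routing rule
ALL_ZONES = "All Zones"          # UI option meaning "any configured zone"

@dataclass
class Rule:
    name: str
    in_zone: bool     # True = "In zone", False = "Not in zone"
    zones: list       # zone names the condition refers to, or [ALL_ZONES]
    idp: str          # Identity Provider the matching sign-in is routed to

    def __post_init__(self):
        # Mirror the product restriction: BlockedIpZone can't be referenced.
        if BLOCKED_ZONE in self.zones:
            raise ValueError(f"{self.name}: {BLOCKED_ZONE} can't be used in routing rules")

def ip_in_zone(ip, cidrs):
    """True if the address falls in any gateway/proxy range listed for the zone."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def route(ip, rules, zones, default_idp="Okta"):
    """Return the IdP chosen by the first rule whose IP condition matches."""
    for rule in rules:
        names = list(zones) if rule.zones == [ALL_ZONES] else rule.zones
        names = [n for n in names if n != BLOCKED_ZONE and n in zones]
        matched = any(ip_in_zone(ip, zones[n]) for n in names)
        if matched == rule.in_zone:
            return rule.idp
    return default_idp   # assumption: the built-in default rule routes to Okta

# Constructed zone definitions (documentation address ranges only).
ZONES = {
    "LegacyIpZone": ["203.0.113.10/32"],   # constructed IWA gateway address
    "CorpNetZone": ["198.51.100.0/24"],    # constructed corporate egress range
    "BlockedIpZone": ["192.0.2.0/24"],     # constructed; blocked before routing
}
RULES = [
    Rule("IWA gateway to Okta", True, ["LegacyIpZone"], "Okta"),
    Rule("Off-network to external IdP", False, [ALL_ZONES], "ExternalSAML"),
]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "8.8.8.8"):
        print(ip, "->", route(ip, RULES, ZONES))
```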

Related topics

Network zones

IP zones

Identity Providers