Use zones in routing rules

If you configure routing rules for one or more identity providers, you can include network zones to control the IP addresses where a rule applies.

For example, you can specify that sign-in requests from IP addresses in the LegacyIpZone, such as traffic that arrives through a gateway or a trusted proxy included in that zone, should be routed to the Okta identity provider.

By default, there are two network zones reserved for specific scenarios. The BlockedIpZone is reserved for blocking all traffic on the IP addresses or IP address ranges you specify. The LegacyIpZone is primarily reserved for authentication using Integrated Windows Authentication (IWA) agents. You can't use the BlockedIpZone in routing rules. You can use the LegacyIpZone in a routing rule, if applicable.

Before you begin

You must have configured at least one identity provider before you can use zones in routing rules. See Identity Providers.

Configure a routing rule

To configure a routing rule:

  1. In the Admin Console, go to Security > Identity Providers > Routing Rules.

  2. Click Add Routing Rule.

  3. Type a descriptive Rule Name for the rule you want to create.

  4. For IF User's IP, select where this rule applies:

    • Select In zone to apply the rule if the user's IP address is within the zone.

    • Select Not in zone to apply the rule if the user's IP address is not in the zone.

    • Select All Zones or type part of the zone name to specify the zones where the rule applies. For information about creating zones, see Create zones for IP addresses.

  5. Configure additional settings for the device, application, user, and identity provider where the rule applies, then click Create Rule.

  6. Click Activate.
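The zone condition from step 4, modelled as an added Python example (not Okta's code or API): zones are lists of gateway or proxy IP ranges, a rule is either In zone or Not in zone over named zones or All Zones, and the page's restriction that BlockedIpZone can't be used in a rule is enforced. The CorpVPN zone, the IP ranges, the ExternalSAML provider name, first-match rule ordering, and the reading of All Zones as "every zone except BlockedIpZone" are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Reserved zone names from the page. BlockedIpZone is never valid in a routing rule.
BLOCKED_ZONE = "BlockedIpZone"
LEGACY_ZONE = "LegacyIpZone"

@dataclass
class Zone:
    name: str
    ranges: list  # gateway/proxy CIDRs; this model treats both kinds the same
    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c, strict=False) for c in self.ranges)

@dataclass
class RoutingRule:
    name: str
    idp: str                  # identity provider chosen when the rule matches
    in_zone: bool             # True = "In zone", False = "Not in zone"
    zones: list = field(default_factory=list)  # empty list = "All Zones"
    def __post_init__(self):
        if BLOCKED_ZONE in self.zones:  # page: BlockedIpZone can't be used in rules
            raise ValueError(f"{BLOCKED_ZONE} cannot be used in a routing rule")
    def matches(self, ip: str, zone_map: dict) -> bool:
        # Assumption: "All Zones" means every configured zone except BlockedIpZone.
        names = self.zones or [n for n in zone_map if n != BLOCKED_ZONE]
        hit = any(zone_map[n].contains(ip) for n in names)
        return hit if self.in_zone else not hit

def route(ip: str, rules: list, zone_map: dict, default_idp: str = "Okta") -> str:
    # Assumed first-match ordering; the default IdP applies when no rule matches.
    for rule in rules:
        if rule.matches(ip, zone_map):
            return rule.idp
    return default_idp

def blocked_zone_rejected() -> bool:
    # True if a rule referencing BlockedIpZone is refused at construction time.
    try:
        RoutingRule("bad", "Okta", in_zone=True, zones=[BLOCKED_ZONE])
    except ValueError:
        return True
    return False

# Constructed sample data (not from the page): two zones and two rules.
ZONES = {
    LEGACY_ZONE: Zone(LEGACY_ZONE, ["203.0.113.0/24"]),
    "CorpVPN": Zone("CorpVPN", ["198.51.100.0/24"]),
}
RULES = [
    RoutingRule("IWA gateway traffic", "Okta", in_zone=True, zones=[LEGACY_ZONE]),
    RoutingRule("Off-network users", "ExternalSAML", in_zone=False, zones=["CorpVPN"]),
]
```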

Related topics

Network zones

About IP zones

Identity Providers