Configure an app sign-on policy
An app sign-on policy defines the rules for accessing an application. When a user tries to sign in to the app, the policy checks whether that user meets specific conditions (who they are and which network zone they connect from) and, based on those conditions, allows or denies access and enforces any factor or reauthentication requirements.
You create an app sign-on policy and then configure one or more rules for it.
Create an app sign-on policy
- In the Admin Console, go to .
- Click the desired app.
- Click the Sign On tab.
- Scroll down to the Sign On Policy section.
Configure an app sign-on policy rule
- Click Add Rule.
- Enter a name in the Rule Name field.
- In the People section, choose which users and groups the rule applies to, and optionally which users and groups are excluded from the rule:
- Users assigned this app: Select this option to apply the rule to every user who is assigned this app, whether directly or through a group.
- The following groups and users: Select this option to apply the rule only to the groups or users that you specify.
- Groups: Enter the first few characters of a group name and select it when it appears in the field. Repeat for each additional group.
- Users: Enter the first few characters of a username and select it when it appears in the field. Repeat for each additional username.
- Exclude the following users and groups from this rule: Select this option to specify groups and users that the rule must not apply to. An excluded user doesn't match the rule even if they're also included through one of the selections above, so evaluation moves on to the next rule.
- Excluded Groups
- Enter the first few characters of a group name and select it when it appears in the field. Repeat for each additional group.
- Excluded Users
- Enter the first few characters of a username and select it when it appears in the field. Repeat for each additional username.
- Configure the locations from which the rule applies:
- Anywhere: The rule applies regardless of where the user connects from.
- In Zone: The rule applies only when the user connects from one of the network zones that you specify.
- Not in Zone: The rule applies only when the user connects from outside the network zones that you specify. Combined with a Denied action, this blocks access from everywhere except those zones.
- Specify the network zones that the rule allows or blocks connections from:
- All Zones: Select this option to match every network zone that is defined in your org.
- Type zone to add: This field appears if you leave All Zones cleared. Click in the field, enter the first few characters of a network zone name, and select it when it appears. Repeat for each additional network zone. See Network zones and Dynamic zones.
- For Microsoft 365/Office 365 apps only: in the Client section, select the platforms that you want to evaluate according to the client access policy rules. You can trigger actions that you configure in the Actions section (Web browser or Modern Auth client). See the Client section in Office 365 Client Access Policies.
- In the Access section, configure the action that you want to enforce when the conditions of this rule are met:
- Allowed: Allow the user to access the app. Optionally configure multifactor authentication responses:
- Prompt for factor: Require users to verify with an MFA factor and specify how frequently they're prompted. The Multifactor Settings link takes you to the Multifactor Authentication page, where you choose which factors are available.
- Prompt for reauthentication: For SAML apps only. Specify how frequently users must re-enter their password. The interval counts from the moment the user last authenticated to Okta. When you select this option, the User is prompted to re-enter their password after n minutes option appears. Enter the interval, in minutes, in the field.
A 10-second grace period applies after a user authenticates with their password. During this grace period, users aren't prompted for their password again, even if Every sign-on is selected.
This option is available for all SAML-configured apps.
Because SWA apps don't support reauthentication, you can't change the app's sign-on method from SAML to SWA while Prompt for reauthentication is selected.
- Denied: Block the user from accessing the app.
- Click Save.
Prioritize rules
Set rule precedence by clicking the blue arrows to change a rule's priority number. Rules are evaluated in priority order: a rule with a priority value of 1 is evaluated first, and the first rule whose People and Location conditions match the sign-in attempt decides the action. Lower-priority rules aren't consulted once a rule matches, so place the most specific or most restrictive rules (for example, a Denied rule for a sensitive group outside the corporate network) above broader Allowed rules.
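The following Python model, added here as an illustration and not Okta's own code, shows how the rule settings described in the procedure above combine during evaluation: People include/exclude selections, Anywhere / In Zone / Not in Zone locations with All Zones or named zones, Allowed or Denied access, Prompt for factor, Prompt for reauthentication with its 10-second grace period, and first-match evaluation in priority order. All rule names, zone names, groups and user names are constructed for the example, and the catch-all default rule at the lowest priority mirrors the default rule every app sign-on policy keeps.

```python
"""Model of how an Okta app sign-on policy's rules are evaluated.

Added illustration, not Okta's code. Rules, zones, groups and users
below are constructed; the semantics follow the page's descriptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class People:
    users: Optional[Set[str]] = None      # users and groups both None = "Users assigned this app"
    groups: Optional[Set[str]] = None
    excluded_users: Set[str] = field(default_factory=set)
    excluded_groups: Set[str] = field(default_factory=set)


@dataclass
class Network:
    mode: str = "ANYWHERE"                # ANYWHERE | IN_ZONE | NOT_IN_ZONE
    zones: Optional[Set[str]] = None      # None = "All Zones"


@dataclass
class Rule:
    name: str
    priority: int                         # 1 is evaluated first
    people: People
    network: Network
    access: str                           # ALLOW | DENY
    prompt_for_factor: bool = False
    reauth_minutes: Optional[int] = None  # 0 = every sign-on; None = never prompt


@dataclass
class Request:
    user: str
    groups: Set[str]
    zone: Optional[str]                   # zone the client IP falls in, or None
    seconds_since_password: float = 0.0   # time since the last Okta password auth


GRACE_SECONDS = 10


def people_match(p: People, req: Request) -> bool:
    """Exclusions win: an excluded user never matches, even if also included."""
    if req.user in p.excluded_users or req.groups & p.excluded_groups:
        return False
    if p.users is None and p.groups is None:
        return True                       # rule applies to every assigned user
    return req.user in (p.users or set()) or bool(req.groups & (p.groups or set()))


def network_match(n: Network, req: Request) -> bool:
    if n.mode == "ANYWHERE":
        return True
    # "All Zones" (zones=None) means any defined zone; a client that is in
    # no zone at all (zone=None) is never "in zone".
    in_zone = req.zone is not None and (n.zones is None or req.zone in n.zones)
    return in_zone if n.mode == "IN_ZONE" else not in_zone


def actions_for(rule: Rule, req: Request) -> List[str]:
    if rule.access == "DENY":
        return ["DENY"]
    actions = ["ALLOW"]
    if rule.prompt_for_factor:
        actions.append("PROMPT_FOR_FACTOR")
    if rule.reauth_minutes is not None:
        elapsed = req.seconds_since_password
        # The interval counts from the last Okta password authentication, and
        # the 10-second grace period suppresses a prompt right after it.
        if elapsed >= rule.reauth_minutes * 60 and elapsed > GRACE_SECONDS:
            actions.append("PROMPT_FOR_PASSWORD")
    return actions


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, List[str]]:
    """The first matching rule in priority order decides; later rules are ignored."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if people_match(rule.people, req) and network_match(rule.network, req):
            return rule.name, actions_for(rule, req)
    # Only reached if the catch-all default rule is removed from the list.
    return "", ["DENY"]


# Constructed sample policy, most specific rule first.
RULES = [
    Rule("Block contractors off-network", 1, People(groups={"Contractors"}),
         Network("NOT_IN_ZONE", zones={"Corporate"}), access="DENY"),
    Rule("Admins verify every sign-on", 2,
         People(groups={"Admins"}, excluded_users={"break.glass@example.com"}),
         Network(), access="ALLOW", prompt_for_factor=True, reauth_minutes=0),
    Rule("Default rule", 3, People(), Network(), access="ALLOW"),
]

if __name__ == "__main__":
    for req in (
        Request("c.lee@example.com", {"Contractors"}, zone=None),
        Request("a.ruiz@example.com", {"Admins"}, zone="Corporate", seconds_since_password=30),
        Request("dual@example.com", {"Admins", "Contractors"}, zone=None),
    ):
        print(req.user, req.zone, "->", evaluate(RULES, req))
```

The last sample request shows why priority matters: a user who is in both Contractors and Admins and signs in from outside the Corporate zone is denied by rule 1 before the Admins rule is ever considered. Swap the two priorities and that user is allowed with a factor prompt instead.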
Manage rules
- To edit a rule, click the pencil icon and select Edit rule.
- To disable a rule without deleting it, click the pencil icon and select Disable rule. A disabled rule is skipped during evaluation.
- To delete a rule, click the X icon.
User experience
If a rule with the Denied action blocks a user from an app, the following message appears:
- Access to this application isn't allowed at this time due to a policy set by your administrator.
- If you're wondering why this is happening, please contact your administrator.
- If it's any consolation, we can take you to your Okta home page.
Related topics
Configure an Okta sign-on policy