General Security

In General Security, you can configure security settings for your organization such as user notification emails, global org security settings, MFA for admins, and security policies for Okta Mobile users.

To access these settings in the admin console, navigate to Security > General.

 

 

Security Notification Emails


Navigate to Security > General > Security Notification Emails to configure notification emails for end users.

 

New sign-on notification email

End users receive an email notification if they sign in from a new or unrecognized client. This email contains user sign-on details such as the web browser and operating system used to sign in, in addition to the time and location of authentication. Refer to Limitations for more information about the limitations for identifying new clients.

Note: This feature is enabled by default for new orgs.

MFA enrolled notification email

End users are sent a confirmation email if they or an admin enroll in a new factor for their account. For more information about email notifications and template customization, refer to Email and SMS Options.

MFA reset notification email

End users are sent an email if they or an admin reset a factor for their account. For more information about email notifications and template customization, refer to Email and SMS Options.


Report suspicious activity via email

Suspicious Activity Reporting provides an end user with the option to report unrecognized activity from an account activity email notification. For more information, refer to Suspicious Activity Reporting.

 

New sign-on notification emails: Limitations

New sign-on notification emails complement other security features such as multifactor authentication and should not be used as a replacement for them. In most scenarios, clients are easily and accurately identified, but there are some limitations.

 

 

Organization Settings


Navigate to Security > General > Organization to configure global organization settings.

 

"Remember Me" checkbox on sign in

This setting displays or hides the Remember Me checkbox for end users at the sign-in screen. If an end user checks this feature and signs in, their username is remembered and displayed at sign-on until their browser cookies are cleared.

Activation emails are valid for

Sets the link expiry in the account activation email sent to end users. For more information about email notifications, refer to Email and SMS Options.


 

 

Okta Mobile Settings


Changes to Okta Mobile security settings may take up to 24 hours to be applied to all the eligible end users (end users who have installed a version of Okta Mobile that supports these Early Access security settings) in your org and for Okta to prompt those end users to update their PIN.

 

Go to Security > General > Okta Mobile to configure the following:

PIN length

Specify the required number of digits for the PIN.

Allow simple PIN

Select to permit the use of repeating, ascending, and descending numeric sequences (such as 1111, 1234, and 4321).

Ask for PIN when user is inactive for

Specify how long users can be inactive before they are prompted to enter a PIN.

Users must re-authenticate after prolonged Okta Mobile inactivity — Users who have not used Okta Mobile for 30+ days are prompted to enter their Okta credentials when they eventually open Okta Mobile. This occurs because Okta Mobile relies on an internal token for authentication that expires after 30 days of inactivity. This token expiration is separate from PIN and MFA expiration occurrences.

PIN expires after

Specify how long the PIN is valid before it expires.


Device trust

Select to apply existing device trust app sign-on policies to apps that end users access through Okta Mobile. This setting is enabled by default. If you have not configured device trust policies for apps, or if device trust is not enabled for your org (Security > Device Trust), selecting this setting has no effect. To enable overall Device Trust for an org, go to Security > Device Trust. To define a Device Trust app sign-on policy for eligible apps, go to Applications > Sign On tab > Sign On Policy.

Screen preview/capture (Android only)

When this option is selected, Android device users cannot take screenshots, record videos, or share their screen from within Okta Mobile (other apps are not affected). Requires Okta Mobile 3.8.0+ for Android. For iOS device users, this option has no effect.

Sign on to SAML apps (iOS only)

This iOS-specific option allows access to SAML apps in iOS Safari using an iOS Safari extension.

 

 

Okta ThreatInsight


ThreatInsight aggregates data across the Okta customer base and uses this data to detect malicious IP addresses that attempt credential-based attacks.

Refer to Okta ThreatInsight for more details about this feature.

 

 

MFA for Admins


Super admins can enable mandatory multifactor authentication for all administrators signing in to Okta Administration.

Refer to MFA for Admins for more details about this feature.

 

 
