Authentication

Use the Authentication page to configure password, sign-on, and group password policies. For mobile and Wi-Fi policies, navigate to the Devices menu. Some of these options are not visible if they are not enabled for your org (short for organization: a company that uses Okta as its SSO portal is generally referred to as an org, and as an administrator you decide how Okta is displayed and integrated with it).

Policies Overview

Policies are the first line of defense in keeping an organization secure. Okta policies allow control of various elements of security, including end-user passwords, the authentication challenges a user receives, the devices they can use, and the places they use them from. A policy can be based on a variety of factors, such as location, group definitions, and authentication type.

Group Password Policies

Note: If this feature is not enabled for your org, the basic password management settings are located on this page. For more information, see Configuring an Organization-wide Password Policy.

Group password policies allow you to define password policies and associated rules that enforce password settings at the group and authentication-provider level. You can create multiple policies with more or less restrictive rules and apply them to different groups (groups organize your end users and the apps they can access, which simplifies assigning apps to large sets of end users). Use policies to enforce strong passwords and better protect your organization's assets. Password policies apply only to Okta-managed users; passwords for Active Directory- and LDAP-mastered users are managed by their directory service.

When provisioning is enabled, some applications, such as Microsoft Office 365 and Google G Suite, check the user's Okta password policy when provisioning the user to ensure that the policy meets the application's password requirements. Because the application checks the policy rather than the password, a user's Okta password can meet the application's requirements while the policy that governs it does not, which results in an error during the provisioning attempt. The same applies to gaps between an Active Directory or LDAP password policy and the Okta policy. If you observe provisioning errors after configuring or editing an Okta password policy, ensure that the policy itself meets the application's requirements, typically eight characters including an upper-case and a lower-case letter and either a symbol or a number.
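The gap described above is easiest to see by checking the policy and the password separately. The following is an added example written for this page, not Okta code and not Okta's API; the requirement fields, the two policies and the sample password are constructed to mirror the text's description of a typical application requirement (eight characters, upper- and lower-case letters, a number or symbol).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordRequirements:
    """Requirements that a password policy or a downstream app imposes.
    Field names are this example's own, not Okta API attributes."""
    min_length: int
    require_upper: bool
    require_lower: bool
    require_digit_or_symbol: bool


# Constructed to match the text's typical app requirement.
APP_REQUIREMENTS = PasswordRequirements(8, True, True, True)

# Constructed permissive Okta policy: it accepts passwords the app would reject.
WEAK_POLICY = PasswordRequirements(6, False, False, False)

# Corrected policy: at least as strict as the app on every setting.
FIXED_POLICY = PasswordRequirements(8, True, True, True)


def password_meets(password: str, req: PasswordRequirements) -> bool:
    """Check one concrete password against a requirement set."""
    if len(password) < req.min_length:
        return False
    if req.require_upper and not re.search(r"[A-Z]", password):
        return False
    if req.require_lower and not re.search(r"[a-z]", password):
        return False
    # Any non-letter character counts as a digit or symbol in this model.
    if req.require_digit_or_symbol and not re.search(r"[^A-Za-z]", password):
        return False
    return True


def policy_meets(policy: PasswordRequirements, app: PasswordRequirements) -> bool:
    """A policy satisfies the app only if every password the policy could
    accept would also satisfy the app, i.e. each setting is at least as strict.
    This is the check provisioning performs: on the policy, not on the
    user's actual password."""
    return (
        policy.min_length >= app.min_length
        and (policy.require_upper or not app.require_upper)
        and (policy.require_lower or not app.require_lower)
        and (policy.require_digit_or_symbol or not app.require_digit_or_symbol)
    )


def provisioning_gap(policy: PasswordRequirements, password: str,
                     app: PasswordRequirements) -> dict:
    """Report the mismatch the text describes: the password passes the app's
    requirements while the governing policy does not, so provisioning errors
    even though the password itself is fine."""
    password_ok = password_meets(password, app)
    policy_ok = policy_meets(policy, app)
    return {"password_ok": password_ok, "policy_ok": policy_ok,
            "gap": password_ok and not policy_ok}


if __name__ == "__main__":
    # Constructed sample password: satisfies the app, but WEAK_POLICY does not.
    print(provisioning_gap(WEAK_POLICY, "Str0ngPass!", APP_REQUIREMENTS))
    print(provisioning_gap(FIXED_POLICY, "Str0ngPass!", APP_REQUIREMENTS))
```

The fix is always to raise the policy, not to ask users for stronger passwords: the application never sees the password, only the policy settings.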

Note: The default password policy is applied when a user is created. Group assignments on password policies are not evaluated at user creation time.

Password Policy Evaluation

There are three general guidelines for password policy evaluation.

  • Complexity requirements are evaluated at the point in time when the password is set.
  • Password expiration is evaluated against the current policy and the time the user last set their password, unless the user's password has already expired, in which case it remains expired.
  • For AD-mastered users, the complexity requirements configured in Okta should mirror those enforced by the Active Directory instance, because the directory, not Okta, validates the password.
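The first two guidelines have a practical consequence that is easy to miss: tightening a policy does not invalidate existing passwords, and relaxing an expiration setting does not revive a password that has already expired. The following is an added example for this page, not Okta code; the policy fields, dates and the two users are constructed, and only a password length is stored to keep the model honest.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Simplified policy: one complexity setting and a maximum age.
    Names are this example's own, not Okta configuration attributes."""
    min_length: int
    max_age_days: Optional[int]  # None means passwords never expire


@dataclass
class UserPassword:
    """Per-user state: when the password was last set and whether it has
    already been found expired. Only the length is kept, never the password."""
    length: int
    set_at: date
    expired: bool = False


def set_password(user: UserPassword, new_password: str,
                 policy: PasswordPolicy, today: date) -> bool:
    """Guideline 1: complexity is checked only when the password is set,
    against the policy in force at that moment. Returns False and leaves
    the user unchanged if the new password fails."""
    if len(new_password) < policy.min_length:
        return False
    user.length = len(new_password)
    user.set_at = today
    user.expired = False  # a fresh password clears any earlier expiration
    return True


def is_expired(user: UserPassword, current_policy: PasswordPolicy, today: date) -> bool:
    """Guideline 2: expiration is judged against the CURRENT policy and the
    date the password was last set, except that a password already marked
    expired stays expired until it is changed."""
    if user.expired:
        return True
    if current_policy.max_age_days is None:
        return False
    if today - user.set_at >= timedelta(days=current_policy.max_age_days):
        user.expired = True
    return user.expired


# Constructed policies: the org starts with POLICY_A, then tightens
# complexity but relaxes expiration in POLICY_B.
POLICY_A = PasswordPolicy(min_length=8, max_age_days=30)
POLICY_B = PasswordPolicy(min_length=12, max_age_days=90)


def walkthrough() -> dict:
    """Two users set the same 11-character password on the same day."""
    alice = UserPassword(0, date.min)
    bob = UserPassword(0, date.min)
    set_password(alice, "longenough1", POLICY_A, date(2024, 1, 1))
    set_password(bob, "longenough1", POLICY_A, date(2024, 1, 1))
    # A 5-character password is rejected at set time under POLICY_A.
    short_rejected = not set_password(UserPassword(0, date.min), "short", POLICY_A, date(2024, 1, 1))

    # Bob is evaluated under POLICY_A on day 35: past the 30-day maximum.
    bob_expired_under_a = is_expired(bob, POLICY_A, date(2024, 2, 5))

    # The org switches to POLICY_B. Alice's 11-character password is not
    # re-checked against the new 12-character minimum, and on day 45 it is
    # within POLICY_B's 90-day maximum.
    alice_expired_under_b = is_expired(alice, POLICY_B, date(2024, 2, 15))

    # Bob's password was already expired; the longer maximum does not revive it.
    bob_expired_under_b = is_expired(bob, POLICY_B, date(2024, 2, 15))

    return {"short_rejected": short_rejected,
            "bob_expired_under_a": bob_expired_under_a,
            "alice_expired_under_b": alice_expired_under_b,
            "bob_expired_under_b": bob_expired_under_b}


if __name__ == "__main__":
    print(walkthrough())
```

If you need existing passwords to meet a newly tightened policy, you must force a reset; changing the policy alone will not do it.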

Okta Sign On Policies

A sign-on policy specifies the actions to take, such as allowing access, prompting for a challenge, and setting the time before the user is prompted for another challenge. If a policy in the list does not apply to the user trying to sign in, the system moves to the next policy.

You can add any number of policies and set the order in which they are evaluated. One policy, named Default, is required; by definition, it applies to all users.

In addition to the default policy, which you cannot delete, a policy named Legacy is present only if you had already configured MFA when you enabled your sign-on policy. It reflects the MFA settings that were in place at that time and ensures that MFA behavior does not change unless you modify the policy. You can delete it if needed.

When a policy is evaluated, its conditions are combined with the conditions of each associated rule; a rule is applied only when all of these conditions are met.

Note: A policy with no rules cannot be applied.

Policies can contain multiple rules. Rules are evaluated in the order listed, so reordering them changes which rule takes effect.
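The evaluation described in this section (ordered policies, a required Default that applies to everyone, policy and rule conditions combined, a policy with no rules skipped, rule order deciding the outcome) is modelled below. This is an added example written for this page, not Okta code and not Okta's policy API; the group names, network zones, session lifetimes and the assumption that a policy whose rules all miss falls through to the next policy are this example's own.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SignOnRequest:
    """Who is signing in and from where: the conditions this model evaluates."""
    user: str
    groups: frozenset
    network_zone: str  # constructed zone names: "corporate" or "public"


@dataclass(frozen=True)
class Rule:
    name: str
    zones: Optional[frozenset]             # None = any zone
    action: str                            # "ALLOW", "DENY" or "MFA" (challenge)
    session_minutes: Optional[int] = None  # time before the next challenge


@dataclass(frozen=True)
class Policy:
    name: str
    groups: Optional[frozenset]  # None = applies to all users (the Default policy)
    rules: Tuple[Rule, ...]      # evaluated in this order


def policy_applies(policy: Policy, req: SignOnRequest) -> bool:
    return policy.groups is None or bool(policy.groups & req.groups)


def rule_applies(rule: Rule, req: SignOnRequest) -> bool:
    return rule.zones is None or req.network_zone in rule.zones


def evaluate(policies, req):
    """Walk the policies in priority order. Policy conditions and rule
    conditions are combined: a rule fires only when both hold, and the first
    rule that fires decides the outcome. A policy that does not apply to the
    user, or that has no rules, is skipped and the next policy is tried."""
    for policy in policies:
        if not policy_applies(policy, req) or not policy.rules:
            continue
        for rule in policy.rules:
            if rule_applies(rule, req):
                return (policy.name, rule.name, rule.action, rule.session_minutes)
        # Model assumption: a policy that applies but whose rules all miss
        # falls through to the next policy rather than denying.
    raise RuntimeError("the Default policy must end with a catch-all rule")


# Constructed policy set. Order is significant in both tuples.
ADMIN_RULES = (
    Rule("Admins off the corporate network", frozenset({"public"}), "MFA", 60),
    Rule("Admins anywhere", None, "MFA", 480),
)
POLICIES = (
    Policy("Admins", frozenset({"okta-admins"}), ADMIN_RULES),
    Policy("Contractors", frozenset({"contractors"}), ()),  # no rules: cannot apply
    Policy("Default", None, (Rule("Default rule", None, "ALLOW", 120),)),
)


def decide(user, groups, zone, policies=POLICIES):
    return evaluate(policies, SignOnRequest(user, frozenset(groups), zone))


if __name__ == "__main__":
    print(decide("alice", ["okta-admins"], "public"))
    print(decide("alice", ["okta-admins"], "corporate"))
    print(decide("bob", ["contractors"], "public"))  # falls to Default
```

The Contractors policy illustrates the note above: because it has no rules it is never applied, so contractors silently receive the Default policy's treatment. Swapping the two admin rules makes the catch-all "Admins anywhere" rule match first, and the off-network 60-minute session lifetime is never applied.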