Add behavior to an Okta sign-on policy rule

Add a behavior to an existing sign-on policy rule. All of the rule's conditions, including the behaviors, must be met for the rule to trigger.

Start this task

  1. In the Admin Console, go to Security > Authentication.

  2. Select the policy that you want to add rules to.

  3. Click Add Rule.

  4. In the Rule name field, add a descriptive name for the rule you want to create.

  5. Optional. In the Exclude users field, indicate which individual users within the group you want to exclude from the rule.

  6. Indicate your conditions.

    • If a user’s IP is: Use the drop-down menu to assign location parameters. You can specify whether Anywhere, In zone, or Not in zone will prompt authentication.

    • Manage configuration for Network: Click the Manage Configurations for Network link to access your gateway settings that enable your choice of access.

    • And Authenticates via: Use this drop-down menu to specify the required means of authentication.

    • And Behavior is: Enter a behavior type or a named behavior. See Security Behavior Detection types and About Security Behavior Detection.

    • And Risk is: Select a risk level of Low, Medium, or High to change the level of risk that is needed to match the rule. See Risk Scoring.

    • Then Access is...: Based on the authentication method selected in the previous drop-down menu, use this one to establish whether the condition allows or denies access.

    • And primary factor is: Select Password / IDP or Password / IDP / any factor allowed by app sign on rules. To set up passwordless authentication, see Configure passwordless authentication with email magic link.

    • And secondary factor: Indicate whether a secondary factor is required. Selecting this box also displays radio buttons that determine whether the prompt is triggered once per device, at every sign-on, or once per session for a time that you specify. Choosing Every Time does not allow end users to control MFA prompts. For details on the user experience for these options, see End User Control of MFA Prompts. Note: At this point, you can make this a passwordless policy.

    • Manage configuration for Multifactor Authentication: Click the Manage Configurations for Multifactor Authentication link for quick access to the Authentication page and the Authenticators tab. See Authenticators and MFA Enrollment for details about each of the authentication options.

    • Factor Lifetime: If you require a secondary factor, use this drop-down menu to specify how much time must elapse before the user is challenged again for the secondary factor. The default lifetime is 15 minutes, and the maximum period is 6 months.

  7. In the Session Expires After field, specify the maximum idle time before an authentication prompt is triggered. Five minutes before an end user’s session expires, their dashboard displays a countdown timer and an option to extend their session. The default session lifetime is 2 hours, and the maximum allowed time is 90 days.
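The same rule can be created with the Policies API instead of the Admin Console. The following is an added example, not Okta's own code: it builds the rule body for POST /api/v1/policies/{policyId}/rules and enforces the limits stated above (factor lifetime default 15 minutes, maximum 6 months; session idle default 2 hours, maximum 90 days). The JSON field names follow the Okta Policies API as this author understands it and should be checked against the current API reference; the behavior ID is a constructed placeholder.

```python
"""Build and validate a sign-on policy rule body that includes a behavior condition."""
import json

FACTOR_LIFETIME_DEFAULT = 15              # minutes, the page's default
FACTOR_LIFETIME_MAX = 6 * 30 * 24 * 60    # "6 months", approximated here as 180 days
SESSION_IDLE_DEFAULT = 2 * 60             # 2 hours
SESSION_IDLE_MAX = 90 * 24 * 60           # 90 days
PROMPT_MODES = {"DEVICE", "SESSION", "ALWAYS"}   # per device / per session / every sign-on


def build_behavior_rule(name, behavior_ids, risk_level="HIGH", access="ALLOW",
                        prompt_mode="ALWAYS", factor_lifetime=FACTOR_LIFETIME_DEFAULT,
                        session_idle=SESSION_IDLE_DEFAULT, exclude_user_ids=()):
    """Return a JSON-ready rule body, or raise ValueError for an out-of-range setting."""
    if not behavior_ids:
        raise ValueError("a behavior rule needs at least one behavior")
    if risk_level not in ("LOW", "MEDIUM", "HIGH"):
        raise ValueError(f"unknown risk level {risk_level!r}")
    if access not in ("ALLOW", "DENY"):
        raise ValueError(f"unknown access value {access!r}")
    if prompt_mode not in PROMPT_MODES:
        raise ValueError(f"unknown prompt mode {prompt_mode!r}")
    if not 1 <= factor_lifetime <= FACTOR_LIFETIME_MAX:
        raise ValueError("factor lifetime must be between 1 minute and 6 months")
    if not 1 <= session_idle <= SESSION_IDLE_MAX:
        raise ValueError("session idle limit must be between 1 minute and 90 days")
    return {
        "type": "SIGN_ON",
        "name": name,
        "conditions": {
            "people": {"users": {"exclude": list(exclude_user_ids)}},   # step 5
            "network": {"connection": "ANYWHERE"},                        # "If a user's IP is"
            "authContext": {"authType": "ANY"},                           # "Authenticates via"
            "risk": {"behaviors": list(behavior_ids)},                    # behavior IDs, not names
            "riskScore": {"level": risk_level},                           # "And Risk is"
        },
        "actions": {
            "signon": {
                "access": access,                                         # "Then Access is"
                "requireFactor": True,                                    # secondary factor required
                "factorPromptMode": prompt_mode,
                "factorLifetime": factor_lifetime,                        # minutes
                "session": {"maxSessionIdleMinutes": session_idle},       # step 7
            }
        },
    }


if __name__ == "__main__":
    # Constructed placeholder ID; use the behavior IDs from your own org.
    print(json.dumps(build_behavior_rule("MFA on new device", ["BEHAVIOR_ID_PLACEHOLDER"]), indent=2))
```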

Related topics

App sign-on policies