Security Context for Policy Rule Conditions

This is an Early Access feature. To enable it, use the Early Access Feature Manager as described in Manage Early Access and Beta features.

Security Context for Policy Rule Conditions enables admins to build custom security heuristics using signals derived from Okta. A security heuristic is an expression that has multiple conditions joined by various operators.

Once defined, a security heuristic can be used in an Okta sign-on policy rule to take action and further secure end-user authentication.

Security heuristics are written in Okta Expression Language, which is also commonly used to define Universal Directory mappings and app provisioning in Okta.

Feature group and expression language

Feature Group: ThreatInsight
  • Feature Name: IPs flagged by ThreatInsight
  • Expression: security.ip.isSuspicious
  • Type: Boolean
  • Note: An IP is considered suspicious if ThreatInsight flags it as a high threat.

Feature Group: IP Reputation
  • Feature Name: Tor Exit Node
    Expression: security.ip.isTorProxy
    Type: Boolean
  • Feature Name: Anonymizing Proxy
    Expression: security.ip.isAnonymousProxy
    Type: Boolean

Feature Group: Risk Level
  • Feature Name: Risk Level
  • Expression: security.risk.level
  • Type: String
  • Note: LOW/MEDIUM/HIGH. Based on the risk level determined by the risk scoring feature.

Feature Group: User Behavior
  • Feature Name: All User Behaviors available for your org through Behavior Detection.
  • Expression: security.userBehaviors['behaviorName'].detected
  • Type: Boolean
  • Note: Previously configured behaviors can be passed using the name of the predefined behaviors in the expression. The names of these behaviors are unique.

Expression Examples

Expression for unrecognized IPs OR unrecognized devices OR medium or high risk

  1. Create a new behavior policy for new device and new IP detection.
  2. Define the expression so that it matches if the IP or the device isn't recognized, or if the risk level is medium or high.

security.userBehaviors['NewIP'].detected OR security.userBehaviors['NewDevice'].detected OR security.risk.level == 'HIGH' OR security.risk.level == 'MEDIUM'

Expression for suspicious IPs

security.ip.isSuspicious

Expression for standard risk-based authentication with factor chaining, extended to also match Tor exit nodes

security.risk.level == 'HIGH' OR security.ip.isTorProxy

For more information, see Expression Language Overview.

Define Security Context for sign-on policies

Configure Security Context for sign-on policies.

Before you begin

  • Create a new sign-on policy or use an existing one.
  • Adaptive MFA must be enabled.
  • The maximum number of conditions in a heuristic is 30.
  • The expression language for Security Context supports a subset of operators such as:
    • AND
    • OR
    • ==
    • !=
    • ! or NOT
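
The expression examples above and the operator subset and 30-condition limit listed under Before you begin can be checked offline with a small evaluator. This is an added example, not Okta's implementation of Expression Language: it assumes the usual precedence (NOT/! binds tightest, then AND, then OR), looks behaviors up by their unique name, and runs against a constructed set of signals for one sign-in attempt.

```python
import re
# Constructed signals for one sign-in attempt, keyed by the attribute names on the page.
SIGNALS = {
    "security.ip.isSuspicious": False,
    "security.ip.isTorProxy": True,
    "security.ip.isAnonymousProxy": False,
    "security.risk.level": "MEDIUM",
    "security.userBehaviors['NewIP'].detected": True,
    "security.userBehaviors['NewDevice'].detected": False,
}
MAX_CONDITIONS = 30  # limit stated on the page
# One token per match; the last alternative catches any character outside the subset.
_TOKEN = re.compile(r"\s*(?:(?P<kw>AND|OR|NOT)\b|(?P<op>==|!=|!)|'(?P<str>[^']*)'"
                    r"|(?P<attr>[A-Za-z_][\w.]*(?:\['[^']*'\][\w.]*)?)|(?P<bad>\S))")

def heuristic_matches(expression, signals=SIGNALS):
    """Parse and evaluate in one pass. Assumed precedence: NOT/! > AND > OR."""
    toks = [(m.lastgroup, m.group(m.lastgroup)) for m in _TOKEN.finditer(expression)]
    count = [0]  # leaf conditions seen, checked against MAX_CONDITIONS at the end
    peek = lambda: toks[0] if toks else (None, None)
    def atom():  # a signal attribute or a quoted string literal
        kind, val = toks.pop(0) if toks else (None, None)
        if kind == "attr":
            return signals[val]  # an attribute the org doesn't expose raises KeyError
        if kind == "str":
            return val
        raise ValueError(f"unexpected {val!r}")  # also rejects 'bad' tokens
    def cond():  # [NOT] atom [(== | !=) atom]
        if peek() in (("kw", "NOT"), ("op", "!")):
            toks.pop(0)
            return not cond()
        left = atom()
        count[0] += 1  # each bare signal or comparison is one condition
        if peek()[0] == "op" and peek()[1] in ("==", "!="):
            op, right = toks.pop(0)[1], atom()
            return left == right if op == "==" else left != right
        return left
    def conj():  # cond {AND cond}; both sides are always parsed, so no short-circuit
        result = cond()
        while peek() == ("kw", "AND"):
            toks.pop(0)
            result = cond() and result
        return bool(result)
    result = conj()  # conj {OR conj}
    while peek() == ("kw", "OR"):
        toks.pop(0)
        result = conj() or result
    if toks or count[0] > MAX_CONDITIONS:
        raise ValueError(f"trailing tokens {toks} or more than {MAX_CONDITIONS} conditions")
    return bool(result)
```

Feeding the evaluator the attribute names of a specific org's behaviors (the keys of `signals`) lets a rule be dry-run against recorded sign-in signals before it is saved in the Admin Console.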

Start this task

To define Security Context for sign-on policies:

  1. In the Admin Console, navigate to Security > Authentication.
  2. Click the Sign On tab to access sign-on policies.
  3. Select a sign-on policy.
  4. Add a new rule or edit an existing sign-on policy rule.
  5. Under Conditions, toggle Advanced mode to enable Security Context.
  6. Under the AND Security Context is condition, enter the expression that defines the security signals.
  7. Click Create Rule or Update Rule to proceed with your changes.