Add a Network Zone to Okta sign-on policies

Add a Network Zone to a sign-on policy rule to allow access, deny access, or require Multifactor Authentication based on whether a sign-in comes from an IP address inside or outside the zone.

To add a Network Zone to sign-on policies:

  1. In the Admin Console, go to Security > Authentication.
  2. Click the Sign On tab.
  3. Select a sign on policy in the left menu.
  4. Click Add Rule.
  5. In the Rule Name field, enter a descriptive name for the rule.

  6. Complete the remaining fields in the Add Rule dialog box:

    • Exclude users: Optional. Select the individual users you want to exclude from the rule. Excluded users skip this rule and are evaluated against the next rule in the policy.

    • IF User's IP is: Optional. Select whether the rule applies to sign-ins from inside or outside a Network Zone.

      Selecting In zone applies the rule to users whose IP address is within the zone; selecting Not in zone applies the rule to users whose IP address is outside it. Not in zone is the usual choice for a rule that denies access or requires MFA for sign-ins that do not come from a trusted range.

      After selecting an option, enter the zone name. If no zones are available, create one first. See Create and configure a Network Zone.

    • AND Authenticates via: Optional. Select how the user is authenticated.

    • AND Behavior is: Optional. Enter the name of a defined behavior. If behaviors are not available, you can create them. See Configure Behavior Detection.

    • AND Risk is: Optional. Select the risk level for the rule. See Risk Scoring.

    • THEN Access is: Select Allowed or Denied to allow or deny access when the rule criteria are met. If you select Allowed, you can also set these options:

      • Prompt for Factor: Select this option to require Multifactor Authentication. Click Multifactor Authentication to view and change factor settings. See Multifactor Authentication (MFA). Then choose how often the user is prompted:

      • Per Device: Prompt for MFA once per device.

      • Every Time: Prompt for MFA on every sign-in.

      • Per Session: Prompt for MFA each time the user starts a new session.

    • Factor Lifetime: Optional. Set how long a completed MFA challenge remains valid on a device. The default is 15 minutes and the maximum is 6 months. Within this period a user can sign out and sign back in without a new MFA prompt, but only if they checked the confirmation box at their last MFA prompt (for example, Do not challenge me on this device for the next 15 minutes). If a user does not check the box, they are prompted for MFA at every sign-in. The time since the last sign-in is shown at the bottom of the Dashboard; users must refresh the page to see the updated value. Because the user decides whether to check the box, treat the lifetime as the window during which a stolen or shared device can sign in without a second factor, and keep it short for sensitive policies.

    • Session expires after: Optional. Set the idle time in minutes, hours, or days after which the session expires and the user must authenticate again. The default is 2 hours and the maximum is 90 days. This is idle time, not total connection time: a user who is idle sees a countdown timer when 5 minutes of session time remain.

  7. Click Create Rule.
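The same rule can be created from code, which is how you would keep sign-on rules under version control or push one rule to many orgs. The following is an added example, not part of this page or Okta's own documentation. It maps each field of the Add Rule dialog onto Okta's Policy API (POST /api/v1/policies/{policyId}/rules) using the field names as the author understands them (conditions.network, actions.signon, factorPromptMode, factorLifetime, session), and it enforces the limits stated above before anything is sent. The zone ID, policy ID and org URL are placeholders, and "6 months" is approximated as 180 days; check the current API reference before relying on the field names.

```python
"""Build (and optionally create) an Okta sign-on policy rule from the values
the Add Rule dialog asks for. Field names follow Okta's Policy API as the
author of this example understands it; verify against current API docs."""
import json
import urllib.request

# Limits stated on this page, in minutes (the unit the API uses).
FACTOR_LIFETIME_DEFAULT_MIN = 15
FACTOR_LIFETIME_MAX_MIN = 180 * 24 * 60   # "6 months", approximated as 180 days (assumption)
SESSION_IDLE_DEFAULT_MIN = 2 * 60
SESSION_IDLE_MAX_MIN = 90 * 24 * 60       # 90 days

# Console label -> Policy API factorPromptMode value.
PROMPT_MODES = {"Per Device": "DEVICE", "Every Time": "ALWAYS", "Per Session": "SESSION"}


def build_signon_rule(name, zone_ids, in_zone=True, access="ALLOW",
                      prompt="Per Session",
                      factor_lifetime_min=FACTOR_LIFETIME_DEFAULT_MIN,
                      session_idle_min=SESSION_IDLE_DEFAULT_MIN,
                      exclude_user_ids=()):
    """Return the JSON body for one SIGN_ON rule.

    in_zone=True  -> "IF User's IP is In zone"     (conditions.network.include)
    in_zone=False -> "IF User's IP is Not in zone" (conditions.network.exclude)
    """
    if access not in ("ALLOW", "DENY"):
        raise ValueError("access must be ALLOW or DENY")
    if prompt not in PROMPT_MODES:
        raise ValueError(f"unknown prompt mode {prompt!r}")
    if not 1 <= factor_lifetime_min <= FACTOR_LIFETIME_MAX_MIN:
        raise ValueError("factor lifetime out of range")
    if not 1 <= session_idle_min <= SESSION_IDLE_MAX_MIN:
        raise ValueError("session idle time out of range")
    if not zone_ids:
        raise ValueError("at least one zone ID is required")

    network = {"connection": "ZONE"}
    network["include" if in_zone else "exclude"] = list(zone_ids)

    conditions = {"network": network, "authContext": {"authType": "ANY"}}
    if exclude_user_ids:  # "Exclude users": the rule is skipped for these IDs
        conditions["people"] = {"users": {"exclude": list(exclude_user_ids)}}

    signon = {"access": access}
    if access == "ALLOW":  # MFA and session options only exist for Allowed
        signon.update({
            "requireFactor": True,                     # "Prompt for Factor"
            "factorPromptMode": PROMPT_MODES[prompt],  # Per Device / Every Time / Per Session
            "factorLifetime": factor_lifetime_min,     # "Factor Lifetime"
            "session": {
                "usePersistentCookie": False,
                "maxSessionIdleMinutes": session_idle_min,  # "Session expires after" (idle)
                "maxSessionLifetimeMinutes": 0,             # 0 = no absolute cap
            },
        })

    return {"type": "SIGN_ON", "name": name,
            "conditions": conditions, "actions": {"signon": signon}}


def create_rule(org_url, api_token, policy_id, rule):
    """POST the rule to the org. Network call; not exercised offline."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/policies/{policy_id}/rules",
        data=json.dumps(rule).encode(),
        headers={"Authorization": f"SSWS {api_token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder IDs: replace with a real zone ID (nzo...) and policy ID (00p...).
    CORP_ZONE = "nzoCORPORATE0000000"
    # Rule 1: outside the corporate zone, allow but require MFA every session
    # and keep the remember-device window at the 15-minute default.
    outside = build_signon_rule("MFA outside corporate network", [CORP_ZONE],
                                in_zone=False, prompt="Per Session",
                                factor_lifetime_min=15, session_idle_min=60)
    # Rule 2: inside the zone, allow with MFA once per device.
    inside = build_signon_rule("Inside corporate network", [CORP_ZONE],
                               in_zone=True, prompt="Per Device",
                               factor_lifetime_min=8 * 60)
    print(json.dumps([outside, inside], indent=2))
    # create_rule("https://example.okta.com", "<api-token>", "00pPOLICYID", outside)
```

Rule order still matters: Okta evaluates rules by priority, so a Not in zone rule that denies access should sit above any broader Allowed rule, exactly as it would in the console.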

Related topics

About Network Zones

Sign-on policies