About behavior and sign-on policies

Admins can use an expression to add behavior conditions to sign-on policies. A behavior describes a change in the location, device, IP address, or velocity from which Okta is accessed.

A behavior heuristic is an expression that joins multiple behavior conditions with an operator. Once defined, a behavior heuristic can be used in a sign-on policy rule as a condition for taking action to further secure end-user authentication.

Behavior and Expression Language

Behaviors that are available for your org through Behavior Detection can be referenced using Expression Language. Pass a behaviorName in the expression security.behaviors.contains('behaviorName').

Create a custom behaviorName or use one of the following behaviorName defaults:

  • New IP
  • New Device
  • New Location
  • New Velocity

For more information, see Expression Language Overview.

Expression examples

Unrecognized IPs OR unrecognized devices

  1. Create a new behavior policy for New Device and New IP. See Configure Behavior Detection.
  2. Define the expression that applies if the IP OR the device isn't recognized:

security.behaviors.contains('New IP') || security.behaviors.contains('New Device')

Unrecognized IP AND unrecognized devices

security.behaviors.contains('New IP') && security.behaviors.contains('New Device')
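
To see which sign-ins each heuristic covers before attaching it to a rule, the following added example (not Okta code and not Okta's evaluator) runs the two expressions above against constructed sign-in scenarios. It handles only `contains(...)` conditions joined by `||` and `&&`; the function names, the scenarios, exact-match name comparison and `&&` binding tighter than `||` are assumptions of the example.

```python
import re

# One token: a behavior condition as written on this page, or a || / && operator.
TOKEN = re.compile(r"\s*(?:security\.behaviors\.contains\('([^']+)'\)|(\|\||&&))")

def tokenize(expr):
    """Return [(behavior_name, operator), ...]; exactly one field is set per token."""
    if not re.fullmatch(rf"(?:{TOKEN.pattern})*\s*", expr):
        raise ValueError("unsupported syntax")
    return TOKEN.findall(expr)

def evaluate(expr, detected):
    """True if expr matches the set of behavior names detected for one sign-in."""
    tokens = tokenize(expr)
    # Valid input alternates: condition, operator, condition, ...
    if len(tokens) % 2 == 0 or any(
        bool(name) != (k % 2 == 0) for k, (name, _) in enumerate(tokens)
    ):
        raise ValueError("malformed expression")
    result, group = False, True  # group is the running && chain
    for name, op in tokens:
        if name:
            # Assumption: names compare exactly, including case and spacing.
            group = group and name in detected
        elif op == "||":
            # Assumption: && binds tighter than ||, so || closes the chain.
            result, group = result or group, True
    return result or group

# Constructed sign-in scenarios mapped to the behaviors assumed detected for each.
SIGNINS = {
    "known device, known IP": set(),
    "known device, new IP": {"New IP"},
    "new device, known IP": {"New Device"},
    "new device, new IP": {"New IP", "New Device"},
}

def matching_signins(expr):
    """List the constructed scenarios in which a rule using expr would apply."""
    return [label for label, detected in SIGNINS.items() if evaluate(expr, detected)]

OR_RULE = "security.behaviors.contains('New IP') || security.behaviors.contains('New Device')"
AND_RULE = "security.behaviors.contains('New IP') && security.behaviors.contains('New Device')"

if __name__ == "__main__":
    for rule in (OR_RULE, AND_RULE):
        print(rule, "->", matching_signins(rule))
```

The OR heuristic applies to three of the four scenarios, while the AND heuristic applies only when both the IP and the device are new, so a sign-in from a new IP on a known device passes it unflagged.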

Related Topic

Add an authentication policy rule

Add a global session policy rule