Add behavior to a Global Session Policy rule

Add a behavior to an existing Global Session Policy rule. The rule is triggered only when all of its conditions and its behaviors are met.

Start this task

  1. In the Admin Console, go to Security > Global Session Policy.
  2. Select the policy to which you want to add rules.

  3. Click Add Rule.

  4. In the Rule name field, add a descriptive name for the rule you want to create.

  5. Optional. In the Exclude users field, indicate which individual users of a group you want to exclude from the rule.

  6. Indicate your conditions.

    • If a user’s IP is: Use the drop-down menu to assign location parameters. You can specify whether Anywhere, In zone, or Not in zone will prompt authentication.

    • Manage configuration for Network: Click the Manage Configurations for Network link to access your gateway settings that enable your choice of access. For details on using this option, see Public Gateway IPs.

    • And Authenticates via: Use this drop-down menu to specify the required means of authentication.

    • And Behavior is: Enter a behavior type or a named behavior. See About Behavior types.

    • And Risk is: Select a risk level of Low, Medium, or High to change the level of risk that is needed to match the rule. See Risk scoring.

    • Then Access is...: Based on the authentication form of the previous drop-down menu, use this one to establish whether the condition allows or denies access.

    • And primary factor is: Select Password / IDP or Password / IDP / any factor allowed by app sign on rules. To set up passwordless authentication, see Set up passwordless sign-in experience.

    • And secondary factor: Indicate whether a secondary factor is required. Selecting this box also displays radio buttons that determine whether the prompt is triggered per device, at every sign-on, or per a session time that you specify. Choosing Every Time does not allow end users to control MFA prompts. For details on the user experience for these options, see End User Control of MFA Prompts. At this point, you can make this a passwordless policy. See Set up passwordless sign-in experience.

    • Manage configuration for Multifactor Authentication: Click the Manage Configurations for Multifactor Authentication link for quick access to the Authentication page and the Authenticators tab. See Multifactor Authentication for details about each of the authentication options.

    • Factor Lifetime: If you require a secondary factor, use this drop-down menu to specify how much time must elapse before the user is challenged again for the secondary factor. The default lifetime is 15 minutes, and the maximum period is 6 months.

  7. In the Session Expires After field, specify the maximum idle time before an authentication prompt is triggered. Five minutes before an end user’s session expires, their dashboard displays a countdown timer and an option to extend their session. The default session lifetime is 2 hours, and the maximum allowed time is 90 days.
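The following added example (not code from this documentation or from the product) models the matching logic described above, to show that adding a behavior narrows the set of sign-ins that trigger a rule. The `Rule` class, its field names, the exact-match treatment of risk, and the sample sign-ins are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

MAX_SESSION_IDLE_MIN = 90 * 24 * 60    # page: maximum allowed time is 90 days

@dataclass(frozen=True)
class Rule:                            # hypothetical model, not a product API object
    name: str
    ip_condition: str = "Anywhere"     # "Anywhere" | "In zone" | "Not in zone"
    zones: frozenset = frozenset()
    behavior: Optional[str] = None     # "And Behavior is"
    risk: Optional[str] = None         # "And Risk is": Low | Medium | High
    excluded_users: frozenset = frozenset()
    secondary_factor: bool = False     # "And secondary factor"
    session_idle_min: int = 120        # page default: 2 hours

def validate(rule):
    """List values that fall outside what the procedure documents."""
    problems = []
    if rule.ip_condition not in ("Anywhere", "In zone", "Not in zone"):
        problems.append("unknown IP condition")
    if rule.risk not in (None, "Low", "Medium", "High"):
        problems.append("unknown risk level")
    if not 0 < rule.session_idle_min <= MAX_SESSION_IDLE_MIN:
        problems.append("session lifetime outside 1 minute to 90 days")
    return problems

def triggers(rule, signin):
    """True only if every configured condition and the behavior all match."""
    if signin["user"] in rule.excluded_users:
        return False
    in_zone = signin["zone"] in rule.zones
    return all((
        rule.ip_condition == "Anywhere" or (rule.ip_condition == "In zone") == in_zone,
        rule.behavior is None or rule.behavior in signin["behaviors"],
        rule.risk is None or rule.risk == signin["risk"],  # exact match: assumption
    ))

# Constructed sign-in events and rules (sample values, not real data).
SIGNINS = [
    {"user": "alice", "zone": None, "behaviors": {"New Device"}, "risk": "High"},
    {"user": "bob", "zone": None, "behaviors": set(), "risk": "High"},
    {"user": "carol", "zone": "office", "behaviors": {"New Device"}, "risk": "High"},
]
BASE = Rule("MFA off-network", ip_condition="Not in zone",
            zones=frozenset({"office"}), risk="High", secondary_factor=True)
WITH_BEHAVIOR = replace(BASE, name="MFA off-network, new device", behavior="New Device")

def who_triggers(rule):
    return [s["user"] for s in SIGNINS if triggers(rule, s)]

if __name__ == "__main__":
    for r in (BASE, WITH_BEHAVIOR):
        print(r.name, validate(r), who_triggers(r))
```

In this model, bob's sign-in stops triggering the secondary-factor rule once the behavior is added, so check which sign-ins an existing rule is expected to cover before adding a behavior to it.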

Related topics

Authentication policies