Add behavior to a Global Session Policy rule

Add a behavior to a Global Session Policy rule. All conditions and behaviors of the rule must be met to trigger the rule.

Start this task

  1. In the Admin Console, go to SecurityGlobal Session Policy.
  2. Select the policy to which you want to add rules.

  3. Click Add Rule.

  4. In the Rule name field, add a descriptive name for the rule you want to create.

  5. Optional. In the Exclude users field, indicate which individual users of a group you want to exclude from the rule.

  6. Indicate your conditions.

    • If a user’s IP is: Use the dropdown to assign location parameters. You can specify whether Anywhere, In zone, or Not in zone prompts authentication.

    • Manage configuration for Network: Click the Manage Configurations for Network link to access your gateway settings that enable your choice of access. For details on using this option, see Public Gateway IPs.

    • And Authenticates via: Use this dropdown to specify the required means of authentication.

    • And Behavior is: Enter a behavior type or a named behavior see About behavior types.

    • And Risk is: Select a risk level of Low, Medium, or High to change the level of risk that is needed to match the rule. See Risk scoring.

    • Then Access is...: Based on the authentication form of the previous dropdown menu, use this one to establish whether the condition allows or denies access.

    • And primary factor is: Select Password / IDP or Password / IDP / any factor allowed by app sign on rules. To set up passwordless authentication, see Set up passwordless sign-in experience.

    • And secondary factor: Indicate whether a secondary factor is required. Radio buttons appear that determine whether the prompt is triggered per a device, at every sign-on, or per a session time that you specify. Choosing Every Time doesn't allow end users to control MFA prompts. For details on the user experience for these options, see End User Control of MFA Prompts. At this point, you can make this a passwordless policy. See Set up passwordless sign-in experience.

    • Manage configuration for Multifactor Authentication: Click the Manage Configurations for Multifactor Authentication link for quick access to the Authentication page and the Authenticators tab. See Multifactor authentication for details about each of the authentication options.

    • Factor Lifetime: Specify how much time must elapse before the user is challenged again for the secondary factor. The default lifetime is 15 minutes, and the maximum period is six months.

  7. In the Maximum Okta global session idle time field, specify the maximum idle time before an authentication prompt is triggered. Five minutes before an end user’s session expires, their dashboard displays a countdown timer and an option to extend their session. The default session lifetime is 2 hours, and the maximum allowed time is 90 days.

Related topics

Authentication policies