Stay signed in

Stay signed in lets users establish an Okta session that continues after they close and reopen their browser. Users who choose to stay signed in aren't prompted again for MFA for the amount of time defined in your global session policy.

There are two ways to present this option to your users. By default, it's displayed on the Sign-In Widget when users enter their credentials. You can also configure it so that the prompt appears after users authenticate. This configuration is better for orgs that use delegated authentication or identity providers, because their users may bypass the credential entry page of the Sign-In Widget.

Stay signed in is recommended only for users on private devices or networks; users on shared or public devices shouldn't select it, because the persisted session lets anyone with the browser reach the org without re-entering credentials or MFA. Users who suspect that their credentials have been compromised can end all sessions in their account settings.

Before you begin

Optional. Enable the usePersistentCookie option in the API (the session.usePersistentCookie attribute of a global session policy rule) if you want users to stay signed in across browser sessions. See Session and persistent Single Sign-On.

Configure the feature

  1. In the Admin Console, go to Security > General.
  2. In the Organizational Security section, click Edit.
  3. To show the option on the Sign-In Widget only, enable the feature, and then select Before users sign in. This is the default setting.

  4. To show the option on the Sign-In Widget and after users authenticate, enable the feature, and then select Before and after users sign in. This option is recommended for orgs that use delegated authentication or identity providers.

  5. To hide the Stay signed in options, select Not Enabled.

  6. Click Save.

Modify your policies

Be sure that the rules in your global session and authentication policies accommodate the Stay signed in feature.

  1. Create a global session policy or Edit a global session policy.

  2. Set the following rule conditions:

    • Multifactor authentication (MFA) is: Required.

    • Users will be prompted for MFA: Select When signing in with a new device cookie or After MFA lifetime expires for the device cookie.

    • Okta global session cookies persist across browser sessions: Enable this option if you enabled the usePersistentCookie option in the API.

  3. To extend the Stay signed in feature to an app, update its authentication policy.

  4. Set the following rule conditions:

    • User must authenticate with: Select 2 factor types (either option).

    • Prompt for authentication: Select When an Okta global session doesn't exist.
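The global session policy rule conditions above (MFA required, prompt mode tied to the device cookie, persistent cookie enabled) all live in the actions.signon object of an OKTA_SIGN_ON policy rule in the Okta Policy API. The following script is an added example, not Okta's own code: it audits a rule object for those settings and returns a corrected copy. The sample rule is constructed inline to stand in for the response of GET /api/v1/policies/{policyId}/rules/{ruleId}; the mapping of the console wording for "Users will be prompted for MFA" to factorPromptMode DEVICE (with factorLifetime in minutes) is my assumption and is marked as such in the comments.

```python
"""Audit an Okta global session policy rule for the Stay signed in settings.

Added example (not Okta's own code). Field names follow the Okta Policy API
shape for OKTA_SIGN_ON rules (actions.signon.*). The sample below is a
constructed, trimmed rule object, not a real org's data.
"""
import json

# Constructed sample: roughly what GET /api/v1/policies/{policyId}/rules/{ruleId}
# returns for a global session policy rule, trimmed to the relevant fields.
SAMPLE_RULE = json.loads("""
{
  "id": "0pr_example",
  "type": "SIGN_ON",
  "name": "Stay signed in",
  "status": "ACTIVE",
  "conditions": {
    "people": {"users": {"exclude": []}, "groups": {"include": ["EVERYONE"]}},
    "network": {"connection": "ANYWHERE"},
    "authContext": {"authType": "ANY"}
  },
  "actions": {
    "signon": {
      "access": "ALLOW",
      "requireFactor": false,
      "factorPromptMode": "ALWAYS",
      "rememberDeviceByDefault": false,
      "session": {
        "usePersistentCookie": false,
        "maxSessionIdleMinutes": 120,
        "maxSessionLifetimeMinutes": 0
      }
    }
  }
}
""")


def audit_rule(rule, persistent_cookie_expected=True):
    """Return a list of findings. An empty list means the rule carries the
    settings the page asks for; each finding names the field to change."""
    findings = []
    signon = rule.get("actions", {}).get("signon", {})
    if signon.get("access") != "ALLOW":
        findings.append("actions.signon.access must be ALLOW")
    # Console: "Multifactor authentication (MFA) is: Required"
    if signon.get("requireFactor") is not True:
        findings.append("actions.signon.requireFactor must be true (MFA is: Required)")
    # Console: "Users will be prompted for MFA: When signing in with a new device
    # cookie" or "After MFA lifetime expires for the device cookie".
    # Assumption: both correspond to factorPromptMode DEVICE (the second with a
    # factorLifetime in minutes). ALWAYS re-prompts on every sign-in and SESSION
    # re-prompts in every new browser session, which defeats Stay signed in.
    if signon.get("factorPromptMode") != "DEVICE":
        findings.append("actions.signon.factorPromptMode must be DEVICE "
                        "(prompt only for a new or expired device cookie)")
    # Console: "Okta global session cookies persist across browser sessions",
    # which is the usePersistentCookie option from "Before you begin".
    session = signon.get("session", {})
    if persistent_cookie_expected and session.get("usePersistentCookie") is not True:
        findings.append("actions.signon.session.usePersistentCookie must be true")
    return findings


def fix_rule(rule, factor_lifetime_minutes=None):
    """Return a corrected deep copy of the rule, suitable for PUT back to
    /api/v1/policies/{policyId}/rules/{ruleId}. The input is not modified."""
    fixed = json.loads(json.dumps(rule))
    signon = fixed.setdefault("actions", {}).setdefault("signon", {})
    signon["access"] = "ALLOW"
    signon["requireFactor"] = True
    signon["factorPromptMode"] = "DEVICE"
    if factor_lifetime_minutes is not None:
        # Assumption: factorLifetime (minutes) is the "MFA lifetime" for the
        # device cookie referred to in the console wording.
        signon["factorLifetime"] = factor_lifetime_minutes
    signon.setdefault("session", {})["usePersistentCookie"] = True
    return fixed


if __name__ == "__main__":
    for finding in audit_rule(SAMPLE_RULE):
        print("FINDING:", finding)
    corrected = fix_rule(SAMPLE_RULE, factor_lifetime_minutes=1440)
    print(json.dumps(corrected["actions"]["signon"], indent=2))
```

Run the audit against every rule of the global session policy, not just the default rule: a higher-priority rule with factorPromptMode ALWAYS still wins for the users it matches, and those users are re-prompted for MFA regardless of the Stay signed in selection.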

User experience

In a standard authentication flow, users select Keep me signed in after they enter their username in the Sign-In Widget, and then complete the MFA prompts to finish authenticating. The next time they access your org, users aren't prompted for MFA.

In an integrated authentication flow, users who go to your org's sign-in page may be redirected to an identity provider before they can select Keep me signed in. If you enabled the Before and after users sign in option, these users are prompted to choose Stay signed in or Don't stay signed in when they're redirected back to Okta. After they make a selection, the options are hidden the next time they sign in.

Users can manually sign out all sessions (including the current one) by going to their account settings menu and selecting Remembered devices > End all sessions. The next time they access your org, the Stay signed in option is displayed.

Related topics

General Security

Sign-in flows