App sign-on policies

After you upgrade to Identity Engine, learn about the changes to app sign-on policies.

Change summary Classic Engine: The app sign-on policy allows or denies access to an app. Every app has its own app sign-on policy.

Identity Engine: App sign-on policies are now called authentication policies, and they're shareable across apps.

Admin experience To configure authentication policies, go to Security > Authentication policies.

You can view all authentication policies in one location. You can create a policy yourself, instead of only adding rules to an app's default policy, and you can also share one policy among many apps. This allows you to create and maintain policies at scale and evaluate how each policy impacts application access.

In the authentication policy, the Password or IDP option appears if your org has at least one external Identity Provider configured. Otherwise, Password appears in the interface.

Authentication policies are still viewable on an app's Sign On tab in Applications > Applications. However, you can no longer modify the policy from this location.

User experience Changes to the user experience depend on how you configure new conditions in the policy.

Evaluation of authentication policies is different for OIDC apps. In Classic Engine, an OIDC app sign-on policy is evaluated immediately when a user selects it. In Identity Engine, you can configure OIDC apps with the Redirect to app to initiate login (OIDC compliant) setting. Users who select these apps go first to the initiate login URI. Then, when the app issues an authorize request, the authentication policy is evaluated. MFA prompts appear when the users return to Okta.

Related topics Authentication policies

Create OIDC app integrations

Sign-in flows