App sign-on policies

• You can create a unique policy for each app (instead of only adding rules to an app's default policy).

• You can use Okta preset policies for apps with standard sign-on requirements.

• You can share one policy among many apps.
• You can still view an app's policy at ApplicationsApplicationsSign-On, but you can't make any changes.

Configuration settings for app sign-in policies are the same, with one exception: the Password or IDP option appears if your org has at least one external Identity Provider configured. Otherwise, Password appears in the interface.

• Evaluation of app sign-in policies is different for OIDC apps. In Classic Engine, an OIDC app sign-on policy is evaluated immediately when a user selects the app. In Identity Engine, you can configure OIDC apps with the Redirect to app to initiate login (OIDC compliant) setting. Users who select these apps go first to the initiate login URI. Then, when the app issues an authorize request, the app sign-in policy is evaluated. MFA prompts appear when the users return to Okta.

• In Classic Engine, if your app sign-on policy is configured for two authentication factors (for example, Password / Any IdP + Any authenticator), Okta Verify users must provide two factors to satisfy the condition (for example, enter a password and accept an Okta Verify Push notification). In Identity Engine, users satisfy the two-factor condition by approving only an Okta Verify notification and providing biometrics.