App sign-on policies
After you upgrade to Identity Engine, learn about the changes to app sign-on policies.
Change summary | App sign-on policies are now called authentication policies. Every app has one, but Identity Engine lets you share one policy across multiple apps. |
Admin experience | All authentication policies are visible in the same location: . This page allows you to maintain policies at scale and evaluate how each policy impacts application access. Configuration settings for authentication policies are the same, with one exception: the Password or IDP option appears if your org has at least one external Identity Provider configured. Otherwise, Password appears in the interface. |
User experience | Changes to the user experience depend on how you configure new conditions in the policy. Evaluation of authentication policies is different for OIDC apps. In Classic Engine, an OIDC app sign-on policy is evaluated immediately when a user selects it. In Identity Engine, you can configure OIDC apps with the Redirect to app to initiate login (OIDC compliant) setting. Users who select these apps go first to the initiate login URI. Then, when the app issues an authorize request, the authentication policy is evaluated. MFA prompts appear when the users return to Okta. |
Related topics | Authentication policies |
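
The app side of the OIDC flow described under User experience, as an added example that is not Okta's code: the handler behind the initiate login URI checks the `iss` parameter, then builds the authorize request that triggers evaluation of the authentication policy. The issuer, authorize endpoint, client ID, redirect URI and app origin are assumed placeholder values, and `handle_initiate_login` and `safe_target` are hypothetical names.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Assumed placeholder values for illustration; none come from the page.
TRUSTED_ISSUER = "https://example.okta.com"
# Assumed endpoint; normally read from the issuer's discovery metadata.
AUTHORIZE_ENDPOINT = TRUSTED_ISSUER + "/oauth2/v1/authorize"
CLIENT_ID = "0oa-constructed-client-id"
REDIRECT_URI = "https://app.example.com/callback"
APP_ORIGIN = "https://app.example.com"


def safe_target(target_link_uri):
    """Return the post-login target only if it stays on the app's own origin."""
    if not target_link_uri:
        return APP_ORIGIN + "/"
    parts = urlsplit(target_link_uri)
    # Compare scheme and full netloc, so userinfo tricks such as
    # https://app.example.com@other.example/ do not pass.
    if f"{parts.scheme}://{parts.netloc}" != APP_ORIGIN:
        return APP_ORIGIN + "/"
    return target_link_uri


def handle_initiate_login(params, session):
    """Handle a request to the initiate login URI; return the authorize URL.

    params: query parameters as a dict (iss, login_hint, target_link_uri).
    session: per-browser server-side session dict.
    """
    # Only start a login for the issuer this app is registered with.
    if params.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    # state ties the callback to this browser session; nonce ties the ID token to it.
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    session["target"] = safe_target(params.get("target_link_uri"))
    query = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],
        "nonce": session["nonce"],
    }
    if params.get("login_hint"):
        query["login_hint"] = params["login_hint"]
    return AUTHORIZE_ENDPOINT + "?" + urlencode(query)
```

The callback handler must reject any response whose `state` differs from the stored value and any ID token whose `nonce` differs, before sending the user to `session["target"]`.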