App sign-on policies

After you upgrade to Identity Engine, learn about the changes to app sign-on policies.

Change summary	App sign-on policies are now called authentication policies. Every app has one, but Identity Engine lets you share one policy across multiple apps.
Admin experience	All authentication policies are visible in the same location: Security > Authentication policies. This page allows you to maintain policies at scale and evaluate how each policy impacts application access. You can create a unique policy for each app (instead of only adding rules to an app's default policy). You can use Okta preset policies for apps with standard sign-on requirements. You can share one policy among many apps. You can still view an app's policy at Applications > Applications > Sign-On, but you can't make any changes. Configuration settings for authentication policies are the same, with one exception: the Password or IDP option appears if your org has at least one external Identity Provider configured. Otherwise, Password appears in the interface.
User experience	Changes to the user experience depend on how you configure new conditions in the policy. Evaluation of authentication policies is different for OIDC apps. In Classic Engine, an OIDC app sign-on policy is evaluated immediately when a user selects it. In Identity Engine, you can configure OIDC apps with the Redirect to app to initiate login (OIDC compliant) setting. Users who select these apps go first to the initiate login URI. Then, when the app issues an authorize request, the authentication policy is evaluated. MFA prompts appear when the users return to Okta.
Related topics	Authentication policies Create OIDC app integrations Sign-in flows