App sign-on policy changes

Sign-on policies have new names in Identity Engine:

  • Okta sign-on policies are now called global session policies.

  • App sign-on policies are now called authentication policies.

In Classic Engine, the app sign-on policy allows you to require multifactor authentication (MFA) from users when they access an app, or to allow access without MFA.

In Identity Engine, the authentication policy is customizable. You can configure it to meet specific assurance requirements, such as differentiating access based on the type of app the user is accessing. You can specify user type, risk level, user behavior, network context, device registration, and device management as evaluation criteria. You can also use a public API to create policies and assign them to apps.

Compare policies

The following table shows the upgrade path for common scenarios. In the authentication policy, the primary factor option is labeled Password or IDP if your org has at least one external Identity Provider configured; otherwise it's labeled Password.

Columns: Scenario | Classic Engine configuration | Identity Engine configuration

  • Scenario: Users authenticate with at least primary authentication at the beginning of an Okta session.
    Classic Engine configuration: Okta sign-on policy settings, and App access settings.
    Identity Engine configuration: Global Session Policy settings, and Authentication policy settings.

  • Scenario: Users authenticate with at least primary authentication at the beginning of the Okta session, and receive an additional prompt for multifactor authentication.
    Classic Engine configuration: App access settings.
    Identity Engine configuration: Authentication policy settings.

  • Scenario: Users authenticate with primary authentication at the beginning of the session (within one hour of accessing the app).
    Classic Engine configuration: App access settings.
    Identity Engine configuration: Authentication policy settings.

  • Scenario: Users authenticate with primary authentication at the beginning of the session (within one hour of accessing the app). Then they provide a second factor when they access the app.
    Classic Engine configuration: App access settings.
    Identity Engine configuration: Authentication policy settings.
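As an added example (not code from the page or from Okta), here is how the public API mentioned above could be used to encode the last two scenarios in the table, a password within one hour with and without a second factor at app access, as rules of one authentication policy, and then assign that policy to an app. The ACCESS_POLICY type, the endpoint paths, the condition field names and the verificationMethod schema are the editor's understanding of the Okta Policy and Apps APIs, not something the page states; the org URL, API token, app ID, rule names and the fake policy ID are placeholders.

```python
"""Encode table scenarios as Identity Engine authentication policy rules
and push them with the Okta management API (added example, see lead-in)."""
import json
import urllib.request
from typing import Callable, List, Optional

# A transport: (HTTP method, API path, JSON body or None) -> decoded JSON.
Send = Callable[[str, str, Optional[dict]], dict]

# Assumed endpoints (Okta Policy and Apps API as the editor knows them,
# not taken from the page):
#   POST /api/v1/policies                          create an ACCESS_POLICY
#   POST /api/v1/policies/{policyId}/rules         add a rule to it
#   PUT  /api/v1/apps/{appId}/policies/{policyId}  assign the policy to an app


def rule(name: str, two_factor: bool, password_reauth: str,
         second_factor_reauth: str = "PT0S", priority: int = 1) -> dict:
    """Build one ACCESS_POLICY rule (schema assumed, see module docstring).

    Durations are ISO 8601: "PT0S" prompts every time, "PT1H" accepts a
    prompt answered within the last hour.  factorMode "1FA" means password
    only; "2FA" adds a possession factor on top of the password.
    """
    constraint = {"knowledge": {"types": ["password"],
                                "reauthenticateIn": password_reauth}}
    if two_factor:
        constraint["possession"] = {"reauthenticateIn": second_factor_reauth}
    return {
        "name": name,
        "type": "ACCESS_POLICY",
        "priority": priority,
        "conditions": {
            # Two of the evaluation criteria the page lists; these values
            # match any network and any risk level (field names assumed).
            # Rules with identical conditions never both apply: the first
            # match wins, so real rules differ in group, network or device.
            "network": {"connection": "ANYWHERE"},
            "riskScore": {"level": "ANY"},
        },
        "actions": {"appSignOn": {
            "access": "ALLOW",
            "verificationMethod": {
                "type": "ASSURANCE",
                "factorMode": "2FA" if two_factor else "1FA",
                # Overall re-authentication interval; the knowledge
                # constraint above refines it for the password alone.
                "reauthenticateIn": (second_factor_reauth if two_factor
                                     else password_reauth),
                "constraints": [constraint],
            },
        }},
    }


# Table rows 3 and 4 (constructed names; the mapping is the editor's reading).
PASSWORD_WITHIN_HOUR = rule("Password within one hour", False, "PT1H", priority=2)
PASSWORD_THEN_SECOND_FACTOR = rule(
    "Password within one hour, second factor at app access", True, "PT1H", "PT0S")


def create_and_assign(send: Send, app_id: str, name: str, rules: List[dict]) -> str:
    """Create the policy, add its rules, assign it to the app; return the policy ID."""
    policy = send("POST", "/api/v1/policies",
                  {"type": "ACCESS_POLICY", "name": name,
                   "description": "Created by migration script"})
    policy_id = policy["id"]
    for r in rules:
        send("POST", f"/api/v1/policies/{policy_id}/rules", r)
    send("PUT", f"/api/v1/apps/{app_id}/policies/{policy_id}", None)
    return policy_id


def okta_sender(org_url: str, api_token: str) -> Send:
    """Real transport: SSWS token auth against the org's management API."""
    def send(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            org_url + path, data=data, method=method,
            headers={"Authorization": f"SSWS {api_token}",
                     "Accept": "application/json",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()                 # the assign call returns no body
            return json.loads(raw) if raw else {}
    return send


def recording_sender(calls: list) -> Send:
    """Offline stand-in: records each call and returns a constructed fake ID."""
    def send(method: str, path: str, body: Optional[dict]) -> dict:
        calls.append((method, path, body))
        return {"id": "0polFAKE0000000000"}
    return send


if __name__ == "__main__":
    calls: list = []
    pid = create_and_assign(recording_sender(calls), "0oaEXAMPLEAPP",
                            "Example app policy",
                            [PASSWORD_THEN_SECOND_FACTOR, PASSWORD_WITHIN_HOUR])
    print(pid)
    for method, path, body in calls:
        print(method, path, json.dumps(body)[:80] if body else "")
```

Run as-is, the script records the four calls offline; replace `recording_sender(calls)` with `okta_sender("https://example.okta.com", token)` to run against a real org. Keep the API token out of source control and verify the resulting policy in the Admin Console, because a rule whose conditions match everyone shadows every rule below it.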

OIDC authentication policies

Evaluation of authentication policies is different for OIDC apps.

In Classic Engine, an OIDC app's sign-on policy is evaluated immediately when a user selects the app. In Identity Engine, you can configure an OIDC app with the Redirect to app to initiate login (OIDC compliant) setting. When a user selects such an app, Okta first redirects them to the app's initiate login URI. The authentication policy is evaluated only when the app then issues an authorize request, so any MFA prompt appears when the user is returned to Okta, not when the app is selected.
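The app side of that flow, as an added example that is not part of the page or of Okta's code: the handler behind the initiate login URI has no knowledge of the user's assurance level, because the policy has not been evaluated yet, so it must always answer with a redirect to the authorize endpoint. The example assumes the request carries the OIDC Core third-party-initiated-login parameters (iss, and optionally login_hint and target_link_uri); whether Okta sends all three is an assumption. The issuer, authorize endpoint, client ID, redirect URI and app origin are placeholders.

```python
"""App-side handler for the "Redirect to app to initiate login" flow
(added example, see lead-in)."""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode, urlsplit


class InitiateLoginError(ValueError):
    """The initiate-login request did not come from the expected issuer."""


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge for a PKCE verifier."""
    return b64url(hashlib.sha256(verifier.encode()).digest())


def same_origin(url: Optional[str], origin: str) -> bool:
    """True when url is on the app's own origin (scheme and host[:port])."""
    if not url:
        return False
    u, o = urlsplit(url), urlsplit(origin)
    return (u.scheme, u.netloc) == (o.scheme, o.netloc)


def handle_initiate_login(query: dict, *, expected_issuer: str,
                          authorize_endpoint: str, client_id: str,
                          redirect_uri: str, app_origin: str,
                          scope: str = "openid profile email") -> dict:
    """Turn the incoming initiate-login request into an authorize redirect.

    Returns {"location": URL to 302 to, "params": the authorize query,
    "session": values to persist until the callback}.  The authentication
    policy is evaluated only when this authorize request reaches Okta, so
    the handler redirects there instead of serving the app directly.
    """
    # Parameters of OIDC Core "Initiating Login from a Third Party":
    # iss (required), login_hint and target_link_uri (optional).  Which of
    # them Okta actually sends is assumed here.
    if query.get("iss") != expected_issuer:
        raise InitiateLoginError("iss missing or not the expected issuer")

    state = b64url(secrets.token_bytes(32))
    nonce = b64url(secrets.token_bytes(32))
    code_verifier = b64url(secrets.token_bytes(32))

    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    if query.get("login_hint"):
        params["login_hint"] = query["login_hint"]

    # Only honor a post-login destination on our own origin; forwarding an
    # arbitrary target_link_uri would make this endpoint an open redirect.
    target = query.get("target_link_uri")
    session = {
        "state": state,
        "nonce": nonce,
        "code_verifier": code_verifier,
        "target_link_uri": target if same_origin(target, app_origin) else None,
    }
    return {"location": f"{authorize_endpoint}?{urlencode(params)}",
            "params": params, "session": session}


if __name__ == "__main__":
    # Constructed request, shaped like the redirect Okta would send to the
    # app's initiate login URI (placeholder issuer and URLs).
    result = handle_initiate_login(
        {"iss": "https://example.okta.com/oauth2/default",
         "login_hint": "alice@example.com",
         "target_link_uri": "https://app.example.com/reports"},
        expected_issuer="https://example.okta.com/oauth2/default",
        authorize_endpoint="https://example.okta.com/oauth2/default/v1/authorize",
        client_id="0oaEXAMPLECLIENT",
        redirect_uri="https://app.example.com/callback",
        app_origin="https://app.example.com")
    print(result["location"])
```

The returned session values (state, nonce, code_verifier) are what the callback handler later checks against the authorization response and the ID token; dropping a foreign target_link_uri rather than rejecting the request keeps the login working while refusing to act as a redirector.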

See Create OIDC app integrations using AIW.

Related topics

Okta sign-on policy changes

Sign-on policies