Okta sign-on policies

After you upgrade to Identity Engine, learn about the changes to Okta sign-on policies.

Change summary Classic Engine: Okta sign-on policies specify actions to take for allowing access, such as prompting for a challenge and setting the time before prompting for another challenge.

Identity Engine: Okta sign-on policies are called global session policies.

Admin experience

To configure global session policies, go to Security > Global Session Policy.

After you upgrade, the Global Session Policy retains two security settings from Classic Engine. These settings are critical to the security posture of the applications in your organization.

  • Establish the user session with is set to A password. This maintains Classic Engine security settings that required a password or an external Identity Provider, such as Google or Facebook.

  • Multifactor authentication (MFA) is is set to Required. This ensures that a secondary factor remains required in Identity Engine.

The Multifactor authentication (MFA) is field has a new policy setting called Any factor used to meet the Authentication Policy requirements. Selecting this lets you create a passwordless experience.

User experience Changes to the user experience depend on the policy settings you configure.
Related topics Global session policies

Sign-in flows