Okta sign-on policy changes

Sign-on policies have new names in Identity Engine:

  • Okta sign-on policies are now called global session policies.

  • App sign-on policies are now called authentication policies.

Before you upgrade, configure your Okta sign-on policy so you can use features like passwordless login, Okta FastPass, and email magic links in your global session policies.

Where to find the global session policy

To configure global session policies, go to Security > Global Session Policy.

What changed

After you upgrade, the Global Session Policy retains two security settings from Classic Engine. These settings are critical to the security posture of the applications in your organization.

  • A password: for security settings that required a password or an external Identity Provider, such as Google or Facebook

  • Require secondary factor: to ensure that a secondary factor remains required in Identity Engine

A new setting called Any factor used to meet the Authentication Policy requirements unlocks the ability to create passwordless experiences. See App sign-on policy changes.

Fine-tune your global session policy

If you use the Sign-In Widget to handle authentication, upgrade to the latest version and make it aware of Identity Engine. See Upgrade your Okta Sign-In Widget.

You can enable a passwordless sign-in experience for your users. For example, you can use email magic links that your users click instead of typing passwords for signing in.

To prepare for this change, do the following:

  1. Audit your apps in Classic Engine and make sure that you require a secondary factor for each one. If you don’t enable a secondary factor for the Okta Admin Console or End-User Dashboard apps, users can access them with a single factor. Okta recommends that you use a secondary factor wherever possible.

  2. On the Add Rule dialog in one of your Okta sign-on policies, clear the Require secondary factor checkbox and create the rule.

  3. If you select Any factor used to meet the Authentication Policy requirements but clear the Require secondary factor checkbox, adjust the applications that call Okta APIs. They expect a secondary factor. See Download and set up the SDK, Sign-In Widget, and sample app.
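The rule settings from steps 2 and 3 can also be checked from an export instead of the console. The following is an added example, not Okta's code: it assumes the global session policy rules were exported as JSON shaped like the Okta Policies API rule objects (`actions.signon.access`, `requireFactor`, `primaryFactor`), and the rule names and values in the sample are constructed.

```python
import json

# Constructed sample: global session policy rules shaped like the rule
# objects the Okta Policies API returns (assumption: actions.signon.* fields).
SAMPLE_RULES = json.loads("""
[
  {"name": "Admins", "status": "ACTIVE", "priority": 1,
   "actions": {"signon": {"access": "ALLOW", "requireFactor": true,
                          "primaryFactor": "PASSWORD_IDP"}}},
  {"name": "Passwordless pilot", "status": "ACTIVE", "priority": 2,
   "actions": {"signon": {"access": "ALLOW", "requireFactor": false,
                          "primaryFactor": "PASSWORD_IDP_ANY_FACTOR"}}},
  {"name": "Legacy VPN", "status": "ACTIVE", "priority": 3,
   "actions": {"signon": {"access": "ALLOW", "requireFactor": false,
                          "primaryFactor": "PASSWORD_IDP"}}},
  {"name": "Old contractors", "status": "INACTIVE", "priority": 4,
   "actions": {"signon": {"access": "ALLOW", "requireFactor": false,
                          "primaryFactor": "PASSWORD_IDP"}}},
  {"name": "Blocked zone", "status": "ACTIVE", "priority": 5,
   "actions": {"signon": {"access": "DENY"}}}
]
""")


def audit_rules(rules):
    """Return (priority, name, finding) for active ALLOW rules with no secondary factor."""
    findings = []
    for rule in sorted(rules, key=lambda r: r.get("priority", 0)):
        signon = rule.get("actions", {}).get("signon", {})
        if rule.get("status") != "ACTIVE" or signon.get("access") != "ALLOW":
            continue  # inactive and DENY rules never establish a session
        if signon.get("requireFactor", False):
            continue  # secondary factor is enforced by this rule
        if signon.get("primaryFactor") == "PASSWORD_IDP_ANY_FACTOR":
            # Step 3 case: any factor accepted, secondary factor cleared
            finding = "any factor, no secondary factor: review apps that call Okta APIs"
        else:
            finding = "password or IdP only: single-factor session"
        findings.append((rule.get("priority"), rule.get("name"), finding))
    return findings


if __name__ == "__main__":
    for priority, name, finding in audit_rules(SAMPLE_RULES):
        print(f"[{priority}] {name}: {finding}")
```

Rules are reported in priority order, so the first finding is the one a matching user reaches first.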

Related topics

App sign-on policy changes

Sign-on policies

Upgrade your Okta Sign-In Widget

Download and set up the SDK, Sign-In Widget, and sample app