Add an app sign-in policy rule for mobile

App sign-in policies define how a user must authenticate to gain access to an app. They verify that the user meets specific app requirements, like group membership, the IP zone they're signing in from, risk level, and others. If the user meets the requirements of the app sign-in policy, they're granted access to the app.

You can create a unique policy for each app in your org, or create a few policies and share them across multiple apps. You can use Okta preset policies for apps with standard sign-in requirements.

All new apps, except for API service apps, start with the shared default policy. This policy has a single catch-all rule that allows a user access with two factors. You can add as many rules to the default policy as you need. However, remember that the changes are applied to both new and existing apps that are assigned to the shared default policy.

Rules are numbered. Okta evaluates rules in the same order in which they appear on the app sign-in policy page. You can reorder added rules by clicking and dragging the vertical dotted "handle" that appears under a rule's number.

Okta evaluates the app sign-in policy whenever a user accesses an app. If the user doesn't have an Okta session, Okta also evaluates the Global Session Policy. See Global session policies.

When evaluating whether to apply the policy to a particular user, Okta combines the conditions of a policy and the conditions of its rules. Okta evaluates rules in the order that they appear in the list. If a user doesn't satisfy the conditions of the first rule, Okta evaluates the second rule.

If you've migrated from Device Trust on Classic Engine to Identity Engine, this error appears in the System Log if you have an app sign-in policy that requires registered devices:

Authentication of device via certificate - failure: NO_CERTIFICATE

This is expected behavior and is resolved when you migrate to Okta FastPass. It occurs because the server is attempting a Device Trust challenge with a device that doesn't have a client certificate. The user can still sign in, but the device is considered untrusted. See Configure Okta FastPass.

Before you begin

Start this procedure

  1. Configure an SSO extension on iOS devices.
  2. In the Admin Console, go to Security > Authentication Policies.
  3. Click App sign-in.
  4. Select the app sign-in policy that you want to add a rule to.
  5. Click Add rule.
  6. Type a Rule name to describe the rule.
  7. Configure the appropriate IF conditions to specify when the rule is applied.

    In setting conditions, keep in mind that some conditions are primarily useful for auditing and filtering events and shouldn't be treated as the basis for defining your security posture.

    For example, a malicious actor could easily spoof a device platform, so you shouldn't use the device platform as the key component of an app sign-in policy rule.

  8. Configure the appropriate THEN conditions to specify how authentication is enforced.
  9. Configure the re-authentication frequency, if needed.
  10. Click Save.
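The following is an added example, not part of the Okta documentation and not Okta's policy engine or Management API schema. It is a small, constructed Python model of the evaluation semantics described above: a policy's own conditions are combined with each rule's conditions, rules are evaluated in list order with the first match winning, and a catch-all rule sits last. It also illustrates the warning in step 7: a rule keyed on device platform alone relaxes requirements for anyone who claims to be on iOS, whereas a rule that also requires a registered device, group membership and an IP zone falls through to the catch-all when the platform claim is not backed by those signals. All field names, group names, zone names and factor counts are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified model of app sign-in policy evaluation.
# It is NOT Okta's engine or API schema; every field name here is this example's own.


@dataclass(frozen=True)
class SignInContext:
    groups: frozenset          # group memberships of the user
    zone: str                  # IP zone the request originates from
    platform: str              # self-reported platform (User-Agent style): easily spoofed
    risk: str                  # risk signal: "LOW", "MEDIUM" or "HIGH"
    device_registered: bool    # device proved its identity (e.g. FastPass); not self-reported


@dataclass
class Rule:
    name: str
    conditions: dict   # the IF part
    action: dict       # the THEN part


@dataclass
class Policy:
    conditions: dict   # policy-level conditions, combined with each rule's conditions
    rules: list        # ordered: evaluated top to bottom, first match wins


def _conditions_match(conds: dict, ctx: SignInContext) -> bool:
    """Every condition present must hold; an absent condition imposes nothing."""
    if "groups" in conds and not (ctx.groups & conds["groups"]):
        return False
    if "zones" in conds and ctx.zone not in conds["zones"]:
        return False
    if "platforms" in conds and ctx.platform not in conds["platforms"]:
        return False
    if "risk" in conds and ctx.risk not in conds["risk"]:
        return False
    if "device_registered" in conds and ctx.device_registered != conds["device_registered"]:
        return False
    return True


def evaluate(policy: Policy, ctx: SignInContext) -> Optional[tuple]:
    """Return (rule name, action) for the first rule whose conditions, combined with
    the policy's own conditions, the sign-in context satisfies. None means the policy
    does not apply to this user at all (no rule is consulted)."""
    if not _conditions_match(policy.conditions, ctx):
        return None
    for rule in policy.rules:
        if _conditions_match(rule.conditions, ctx):
            return rule.name, rule.action
    return None   # unreachable when the last rule is a catch-all


def reorder(policy: Policy, rule_name: str, new_index: int) -> Policy:
    """Model of dragging a rule's handle to a new position; returns a new Policy."""
    rules = list(policy.rules)
    rule = next(r for r in rules if r.name == rule_name)
    rules.remove(rule)
    rules.insert(new_index, rule)
    return Policy(policy.conditions, rules)


CATCH_ALL = Rule("Catch-all rule", {}, {"access": "ALLOW", "factors": 2, "reauth_hours": 2})

# Weak: relaxes the factor requirement on the strength of the platform claim alone.
WEAK = Policy({}, [
    Rule("iOS users", {"platforms": {"IOS"}},
         {"access": "ALLOW", "factors": 1, "reauth_hours": 12}),
    CATCH_ALL,
])

# Hardened: deny high risk first; then require a registered device, group membership
# and a known zone alongside the platform before changing anything; catch-all last.
HARDENED = Policy({"groups": {"Employees"}}, [
    Rule("Block high risk", {"risk": {"HIGH"}}, {"access": "DENY"}),
    Rule("Managed iOS devices",
         {"platforms": {"IOS"}, "device_registered": True,
          "groups": {"Mobile-Pilot"}, "zones": {"Corp-VPN"}},
         {"access": "ALLOW", "factors": 2, "reauth_hours": 12}),
    CATCH_ALL,
])

# Constructed sign-in contexts.
GENUINE = SignInContext(frozenset({"Employees", "Mobile-Pilot"}), "Corp-VPN", "IOS", "LOW", True)
SPOOFED = SignInContext(frozenset({"Employees"}), "Anywhere", "IOS", "LOW", False)  # platform faked
HIGH_RISK = SignInContext(frozenset({"Employees", "Mobile-Pilot"}), "Corp-VPN", "IOS", "HIGH", True)
CONTRACTOR = SignInContext(frozenset({"Contractors"}), "Anywhere", "ANDROID", "LOW", False)

if __name__ == "__main__":
    for label, ctx in [("genuine", GENUINE), ("spoofed", SPOOFED), ("high risk", HIGH_RISK)]:
        print(f"{label:9} weak -> {evaluate(WEAK, ctx)} | hardened -> {evaluate(HARDENED, ctx)}")
    # Dragging the catch-all to the top shadows every rule below it.
    print("misordered ->", evaluate(reorder(HARDENED, "Catch-all rule", 0), GENUINE))
```

Running the script shows the spoofed context getting a single-factor allow from `WEAK` but landing on the two-factor catch-all under `HARDENED`, and the contractor context returning `None` because the policy's own group condition excludes it before any rule is read. The `reorder` call at the end reproduces the mistake the page warns about implicitly: once the catch-all is first, no rule below it is ever evaluated.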