Configure a Global Session Policy for Okta FastPass

Create a Global Session Policy that supports Okta FastPass. You can edit your existing Global Session Policy for Okta FastPass, or create a new Global Session Policy if you don't currently have a Global Session Policy.

Edit an existing Global Session Policy for Okta FastPass

Complete this procedure if you already have a Global Session Policy and you want to configure it for Okta FastPass.

  1. In the Admin Console, go to Security > Global Session Policy.
  2. Click your Global Session Policy.
  3. Click Add Rule.
  4. Create a rule for your Global Session Policy. See Add a global session policy rule, but for step 6, configure the following conditions as described:
    • Establish the user session with: Select Any factor used to meet the Authentication Policy requirements. This allows Okta FastPass users to authenticate without a password.

      Important: Changing the default configuration to Any factor used to meet the Authentication Policy requirements affects all of your protected apps. It removes the global password requirement from the Global Session Policy and transfers responsibility for defining and enforcing authentication criteria to each of your authentication policies. Before you change this configuration, create strong app sign-on policies for all of your apps. If you don't do this for all of your apps, users might be able to access apps with any single enrolled factor.

    • AND Multifactor authentication (MFA) is: Select the Not required option. This allows Okta FastPass users to sign in without using biometrics.
  5. If required, change the rule priority.
  6. Click Create rule to save.

Create a new Global Session Policy for Okta FastPass

Complete this procedure if you don't have a Global Session Policy.

  1. In the Okta Admin Console, go to Security > Global Session Policy.

  2. Click Add policy.

  3. In the Policy Name field, enter a name for the policy. For example, Okta FastPass policy.

  4. Optional. In the Policy Description field, enter a description for the policy.

  5. In the Assign to Groups field, enter the name of one or more groups in your org. As you type, a list of group names that match your text is displayed. Click a group name from the list, or type the full group name and then press Enter.

    To see the groups that currently exist in your org, go to Directory > Groups.

  6. Click Create Policy and Add Rule.

  7. Add a rule to your Global Session Policy:

    1. In the Rule Name field, enter a name for the rule. For example, Okta FastPass rule for managed devices.
    2. Optional. In the Exclude Users field, enter the names of users (that exist within the group) to exclude from the rule.
    3. Specify the conditions for the rule:
      Each condition is listed below with the configuration to select for Okta FastPass, followed by a description of the setting.

      Condition: IF User's IP is
      Configuration: Anywhere
      Description: Configures the permitted user location, based on the user's IP address. Select one of the following:
      • Anywhere (default): Any location.
      • In zone: Within the specified zone(s). Select the All Zones checkbox to specify all zones, or enter specific zones in the Zones field.
      • Not in zone: Not within the specified zone(s). Select the All Zones checkbox to specify all zones, or enter specific zones in the Zones field.

      If required, click the Manage Configurations for Network link to add or edit network zones.

      See Network zones.

      Condition: AND Identity provider is
      Configuration: Any
      Description: Configures the required Identity Provider (IdP). Select one of the following:
      • Any (default): Okta or Specific IdP.
      • Okta: Only Okta.
      • Specific IdP: Only the Identity Provider that is specified in the field.

      See Add a social login (IdP) to add Identity Providers to this list.

      This is an Early Access feature. To enable it, contact Okta Support.

      Condition: AND Authenticates via
      Configuration: Any
      Description: Configures the interface that can be used for authentication. Select one of the following:
      • Any (default): Any interface.
      • LDAP interface: Only a Lightweight Directory Access Protocol (LDAP) interface.

      Condition: AND Behavior is
      Configuration: (leave blank)
      Description: Optional. Configures the behavior allowed based on changes in the location, device, IP address, or velocity from which Okta is accessed. Enter a behavior type or a named behavior.

      Condition: AND Risk is
      Configuration: Any
      Description: Configures the risk score tolerance for sign-in attempts. Select one of the following:
      • Any (default): The risk score can be low, medium, or high.
      • Low: The risk score must be low.
      • Medium: The risk score must be medium.
      • High: The risk score must be high.

      See Risk scoring.

      Condition: THEN Access is
      Configuration: Allowed
      Description: Configures whether users have access if the policy conditions are true. Select one of the following:
      • Allowed (default): Users are granted access if the conditions are true.
      • Denied: Users are not granted access if the conditions are true.

      Condition: Establish the user session with
      Configuration: Any factor used to meet the Authentication Policy requirements
      Description: Configures the primary authentication factor. Select one of the following:
      • A password (default): Users are required to provide a password or Identity Provider before they are granted access.
      • Any factor used to meet the Authentication Policy requirements: Users are required to provide a password, Identity Provider, or other authentication factor. This setting is recommended for Okta FastPass, to allow for passwordless authentication.

      Note: This removes the global password requirement from the Global Session Policy and transfers responsibility for defining and enforcing authentication criteria to each of your app sign-on policies. Before you enable this option, create strong app sign-on policies for all of your apps. If you don't do this for all of your apps, users might be able to access apps with any single enrolled authentication factor.

      Condition: Multifactor authentication (MFA) is
      Configuration: Not required
      Description: Configures whether a secondary authentication factor is required. If Multifactor authentication is required, choose the frequency at which users are prompted for MFA:
      • At every sign in: Users are prompted for a secondary authentication factor each time they sign in.
      • When signing in with a new device cookie: If the user's device cookie has changed, they're prompted to authenticate with MFA.
      • After MFA lifetime expires for the device cookie: When the session cookie expires, users are prompted to authenticate with MFA.

      See About MFA authenticators.

      Condition: Maximum Okta session lifetime
      Configuration: No time limit
      Description: Configures how much time must elapse before a user is challenged again for a secondary authentication factor.

      Condition: Expire session after user has been idle on Okta for
      Configuration: As desired.
      Description: Configures the maximum time that a user session can be idle before an authentication prompt is triggered.

      Five minutes before an end user's session expires, their dashboard displays a countdown timer and an option to extend their session. The default setting for a session lifetime is two hours; the maximum is 90 days.

      Condition: Persist session cookies across browser sessions
      Configuration: As desired.
      Description: If enabled, when the user reopens the same browser, they aren't asked to sign in again if the session is still active.

    4. Click Create Rule.
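An added audit check, not part of Okta's documentation or tooling, for the caveat that both procedures above raise: once the Global Session Policy rule uses "Any factor used to meet the Authentication Policy requirements" with MFA "Not required", any app authentication policy that still allows single-factor access is the point where a user could reach an app with one enrolled factor. The object shapes below follow the Okta Policy API field names as understood here (signon.primaryFactor, signon.requireFactor, appSignOn.verificationMethod.factorMode) and are an assumption to verify against your org's API responses; the sample data is constructed.

```python
# Assumed field names modelled on the Okta Policy API; confirm against your org.
ANY_FACTOR = "PASSWORD_IDP_ANY_FACTOR"   # "Any factor used to meet the Authentication Policy requirements"


def gsp_delegates_to_app_policies(gsp_rule: dict) -> bool:
    """True when the Global Session Policy rule no longer enforces a password
    or MFA itself, so each app's authentication policy carries that burden."""
    signon = gsp_rule.get("actions", {}).get("signon", {})
    return signon.get("primaryFactor") == ANY_FACTOR and not signon.get("requireFactor", True)


def weak_app_policies(gsp_rule: dict, app_policies: list[dict]) -> list[str]:
    """Names of authentication policy rules that would grant access with a
    single factor once the Global Session Policy has been relaxed."""
    if not gsp_delegates_to_app_policies(gsp_rule):
        return []                      # GSP still requires a password, nothing to flag
    weak = []
    for policy in app_policies:
        for rule in policy.get("rules", []):
            app_signon = rule.get("actions", {}).get("appSignOn", {})
            if app_signon.get("access") != "ALLOW":
                continue               # a DENY rule cannot grant single-factor access
            factor_mode = app_signon.get("verificationMethod", {}).get("factorMode")
            if factor_mode != "2FA":   # "1FA" or missing: one enrolled factor suffices
                weak.append(f"{policy['name']} / {rule['name']}")
    return weak


# Constructed sample data, not taken from any real org.
FASTPASS_GSP_RULE = {
    "name": "Okta FastPass rule for managed devices",
    "actions": {"signon": {"access": "ALLOW", "primaryFactor": ANY_FACTOR, "requireFactor": False}},
}
APP_POLICIES = [
    {"name": "Payroll app policy", "rules": [
        {"name": "Catch-all Rule", "actions": {"appSignOn": {"access": "ALLOW",
            "verificationMethod": {"type": "ASSURANCE", "factorMode": "1FA"}}}}]},
    {"name": "Finance app policy", "rules": [
        {"name": "Managed devices", "actions": {"appSignOn": {"access": "ALLOW",
            "verificationMethod": {"type": "ASSURANCE", "factorMode": "2FA"}}}},
        {"name": "Catch-all Rule", "actions": {"appSignOn": {"access": "DENY"}}}]},
]

if __name__ == "__main__":
    for finding in weak_app_policies(FASTPASS_GSP_RULE, APP_POLICIES):
        print("single-factor access possible:", finding)
```

Run it against the rules exported from your org before switching the Global Session Policy, and again after each new app is assigned a policy.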

Related topics