Configure a Global Session Policy for Okta FastPass

Create a Global Session Policy that supports Okta FastPass. If your org already has a Global Session Policy, edit it for Okta FastPass; otherwise, create a new one.

Edit an existing Global Session Policy for Okta FastPass

Complete this procedure if you already have a Global Session Policy and you want to configure it for Okta FastPass.

  1. In the Admin Console, go to Security > Global Session Policy.
  2. Click your Global Session Policy.
  3. Click Add Rule.
  4. Create a rule for your Global Session Policy. See Add a Global Session Policy rule, but in step 6 configure the following conditions as described:
    • AND Primary factor is: Select Password / IDP / any factor allowed by app sign on rules. This allows Okta FastPass users to authenticate without a password.
    • Important: Changing the default configuration to Password / IDP / any factor allowed by app sign on rules affects all of your protected apps. It removes the global password requirement from the Global Session Policy and transfers responsibility for defining and enforcing authentication criteria to each of your authentication policies. Before you change this configuration, create strong app sign-on policies for all of your apps. If any app lacks one, users might be able to access that app with any single enrolled factor.

    • AND Secondary factor is: Clear the Require secondary factor checkbox. This allows Okta FastPass users to sign in without using biometrics; any biometric requirement is then enforced by the app's authentication policy rather than by the Global Session Policy.
  5. If required, change the rule priority.

Create a new Global Session Policy for Okta FastPass

Complete this procedure if you don't have a Global Session Policy.

  1. In the Okta Admin Console, go to Security > Global Session Policy.

  2. Click Add New Global Session Policy.

  3. In the Policy Name field, enter a name for the policy. For example, Okta FastPass policy.

  4. Optional. In the Policy Description field, enter a description for the policy.

  5. In the Assign to Groups field, enter the name of one or more groups in your org. As you type, a list of group names that match your text displays. Click a group name from the list, or type the full group name and then press Enter.

    To see the groups that currently exist in your org, go to Directory > Groups.

  6. Click Create Policy and Add Rule.

  7. Add a rule to your Global Session Policy:

    1. In the Rule Name field, enter a name for the rule. For example, Okta FastPass rule for managed devices.
    2. Optional. In the Exclude Users field, enter the names of users (that exist within the group) to exclude from the rule.
    3. Specify the conditions for the rule:
      Each entry below lists the condition, the configuration to select for Okta FastPass, and a description of the setting.

      IF User’s IP is
      Configuration: Anywhere
      Description: Configures the permitted user location, based on their IP address. Select one of the following:
      • Anywhere (default): Any location.
      • In zone: Within the specified zone(s). Select the All Zones checkbox to specify all zones, or enter specific zones in the Zones field.
      • Not in zone: Not within the specified zone(s). Select the All Zones checkbox to specify all zones, or enter specific zones in the Zones field.

      If required, click the Manage Configurations for Network link to add or edit network zones.

      See Network zones.

      AND Identity provider is
      Configuration: Any
      Description: Configures the required Identity Provider (IdP). Select one of the following:
      • Any (default): Okta or a specific IdP.
      • Okta: Only Okta.
      • Specific IdP: Only the Identity Provider that is specified in the field.

      See Add a social login (IdP) to add Identity Providers to this list.

      This is an Early Access feature. To enable it, contact Okta Support.

      AND Authenticates via
      Configuration: Any
      Description: Configures the interface that can be used for authentication. Select one of the following:
      • Any (default): Any interface.
      • LDAP interface: Only a Lightweight Directory Access Protocol (LDAP) interface.

      AND Behavior is
      Configuration: (leave blank)
      Description: Optional. Configures the behavior allowed based on changes in the location, device, IP address, or velocity from which Okta is accessed. Enter a behavior type or a named behavior.

      AND Risk is
      Configuration: Any
      Description: Configures the risk score tolerance for sign-in attempts. Select one of the following:
      • Any (default): The risk score can be low, medium, or high.
      • Low: The risk score must be low.
      • Medium: The risk score must be medium.
      • High: The risk score must be high.

      See Risk scoring.

      THEN Access is
      Configuration: Allowed
      Description: Configures whether users have access if the policy conditions are true. Select one of the following:
      • Allowed (default): Users are granted access if the conditions are true.
      • Denied: Users are not granted access if the conditions are true.

      AND Primary factor is
      Configuration: Password / IDP / any factor allowed by app sign on rules
      Description: Configures the primary authentication factor. Select one of the following:
      • Password / IDP (default): Users must authenticate with a password or through an Identity Provider before they are granted access.
      • Password / IDP / any factor allowed by app sign on rules: Users can authenticate with a password, through an Identity Provider, or with any other authenticator that the app's sign-on policy allows. This setting is recommended for Okta FastPass because it allows passwordless authentication.

      Note: This option removes the global password requirement from the Global Session Policy and transfers responsibility for defining and enforcing authentication criteria to each of your app sign-on policies. Before you enable it, create strong app sign-on policies for all of your apps. If any app lacks one, users might be able to access that app with any single enrolled authentication factor.

      AND Secondary factor is
      Configuration: Clear the Require secondary factor checkbox.
      Description: Configures whether a secondary authentication factor is required. Set the Require secondary factor checkbox to be:
      • Selected (default): Users are prompted for a secondary authentication factor (for example, biometrics). When selected, you must also configure when users are prompted for a secondary factor:
        • Per Device: Users are prompted once on each device.
        • Every Time: Users are prompted each time they sign in.
        • Per Session: Users are prompted once per session, and again after the Factor Lifetime elapses. You must also set the Factor Lifetime when this is selected.
      • Clear: The Global Session Policy does not prompt users for a secondary authentication factor. This allows Okta FastPass users to sign in without using biometrics; any biometric requirement is then enforced by the app's sign-on policy.

      If required, click Manage Configurations for Multifactor Authentication to access the Authenticators page.

      See About MFA authenticators.

      Factor Lifetime
      Configuration: Not applicable.
      Description: Configures how much time must elapse before a user is challenged again for a secondary authentication factor. This setting is only available when the Require secondary factor checkbox is selected and Per Session is chosen. The default setting is 15 minutes; the maximum is six months.

      Session expires after
      Configuration: As desired.
      Description: Configures the maximum time that a user session can be idle before an authentication prompt is triggered.

      Five minutes before an end user’s session expires, their dashboard displays a countdown timer and an option to extend their session. The default setting for a session lifetime is two hours; the maximum is 90 days.

    4. Click Create Rule.
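Both procedures above are Admin Console click-paths. The following added example, which is not part of the Okta documentation, expresses the same policy and rule as Okta Policies API request bodies and adds the preflight check that the Important note calls for: it scans the app sign-on (authentication) policy rules and lists any that still allow access without a second factor, because those are exactly the apps that become reachable with a single enrolled authenticator once the Global Session Policy stops requiring a password. Field names (OKTA_SIGN_ON and SIGN_ON types, actions.signon.primaryFactor with PASSWORD_IDP_ANY_FACTOR, ACCESS_POLICY rules with actions.appSignOn.verificationMethod.factorMode) follow the Okta Policies API as understood by the author of this example and should be checked against the API reference for your org. The sample app rules and the group ID are constructed, and the HTTP calls run only when the script is executed directly with OKTA_ORG_URL and OKTA_API_TOKEN set.

```python
"""Added example: Okta FastPass Global Session Policy as API request bodies, with a preflight check.

Not part of the Okta documentation. Field names follow the Okta Policies API as
understood by the author of this example; verify them against the API reference.
"""
import json
import os
import urllib.request
from typing import Any, Iterable

# The two values offered under "AND Primary factor is" on this page.
PRIMARY_FACTOR_DEFAULT = "PASSWORD_IDP"          # "Password / IDP" (default)
PRIMARY_FACTOR_ANY = "PASSWORD_IDP_ANY_FACTOR"   # "Password / IDP / any factor allowed by app sign on rules"


def build_fastpass_policy(name: str, group_ids: Iterable[str], description: str = "") -> dict[str, Any]:
    """Body for POST /api/v1/policies: a Global Session Policy (type OKTA_SIGN_ON) assigned to groups."""
    return {
        "type": "OKTA_SIGN_ON",
        "status": "ACTIVE",
        "name": name,
        "description": description,
        "conditions": {"people": {"groups": {"include": list(group_ids)}}},
    }


def build_fastpass_rule(name: str, exclude_user_ids: Iterable[str] = (), max_idle_minutes: int = 120) -> dict[str, Any]:
    """Body for POST /api/v1/policies/{policyId}/rules, mirroring the table above.

    IP anywhere, any interface, any risk, access allowed, primary factor
    "Password / IDP / any factor allowed by app sign on rules", and the
    "Require secondary factor" checkbox cleared (requireFactor False).
    """
    return {
        "type": "SIGN_ON",
        "name": name,
        "conditions": {
            "people": {"users": {"exclude": list(exclude_user_ids)}},
            "network": {"connection": "ANYWHERE"},
            "authContext": {"authType": "ANY"},
            "riskScore": {"level": "ANY"},
        },
        "actions": {"signon": {
            "access": "ALLOW",
            "primaryFactor": PRIMARY_FACTOR_ANY,
            "requireFactor": False,
            "session": {
                "usePersistentCookie": False,
                "maxSessionIdleMinutes": max_idle_minutes,  # "Session expires after": two hours by default
            },
        }},
    }


def relaxes_password_requirement(rule: dict[str, Any]) -> bool:
    """True when the rule hands primary-factor enforcement to the app sign-on policies (the Important note)."""
    signon = rule["actions"]["signon"]
    return signon.get("primaryFactor") == PRIMARY_FACTOR_ANY and not signon.get("requireFactor", True)


def single_factor_allow_rules(app_policy_rules: list[dict[str, Any]]) -> list[str]:
    """Names of app sign-on (ACCESS_POLICY) rules that ALLOW access without requiring 2FA.

    With the global password requirement gone, each of these lets a user reach
    the app with any single enrolled authenticator.
    """
    weak = []
    for rule in app_policy_rules:
        act = rule.get("actions", {}).get("appSignOn", {})
        if act.get("access") != "ALLOW":
            continue  # DENY rules cannot widen access
        if act.get("verificationMethod", {}).get("factorMode") != "2FA":
            weak.append(rule["name"])
    return weak


def preflight(gsp_rule: dict[str, Any], app_policy_rules: list[dict[str, Any]]) -> list[str]:
    """App sign-on rules that must be hardened before this Global Session Policy rule is safe to create."""
    if not relaxes_password_requirement(gsp_rule):
        return []
    return single_factor_allow_rules(app_policy_rules)


# Constructed sample of authentication-policy rules (not from a real org), in the shape assumed above.
SAMPLE_APP_RULES = [
    {"name": "Payroll - FastPass with user verification",
     "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
         "type": "ASSURANCE", "factorMode": "2FA",
         "constraints": [{"possession": {"userVerification": "REQUIRED"}}]}}}},
    {"name": "Legacy wiki - password only",
     "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
         "type": "ASSURANCE", "factorMode": "1FA"}}}},
    {"name": "Block contractors",
     "actions": {"appSignOn": {"access": "DENY"}}},
]


def _post(org_url: str, token: str, path: str, body: dict[str, Any]) -> dict[str, Any]:
    """POST a JSON body to the Okta API with an SSWS API token."""
    req = urllib.request.Request(
        f"{org_url}{path}", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"SSWS {token}", "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rule = build_fastpass_rule("Okta FastPass rule for managed devices")
    weak = preflight(rule, SAMPLE_APP_RULES)  # in practice, pass the rules fetched from every app policy
    if weak:
        raise SystemExit(f"Harden these app sign-on rules first: {weak}")
    org, token = os.environ["OKTA_ORG_URL"], os.environ["OKTA_API_TOKEN"]
    policy = _post(org, token, "/api/v1/policies",
                   build_fastpass_policy("Okta FastPass policy", ["00g_example_group_id"]))  # constructed ID
    print(_post(org, token, f"/api/v1/policies/{policy['id']}/rules", rule)["id"])
```

The preflight is the point of the example: against the constructed sample it refuses to create the rule because "Legacy wiki - password only" allows access with a single factor, which is the situation the Important note warns about. Replace SAMPLE_APP_RULES with the rules fetched from each app's authentication policy, and only create the Global Session Policy rule once the list comes back empty.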

Related topics