Get started with authentication policies

In this use case, you'll set up an authentication policy for a higher level of assurance that comes from the type of factor used. For example, a knowledge factor like a password is not as secure as an inherence factor like a fingerprint. A secondary authentication method at the org level is now required.

Setup and configuration

Create a Global Session Policy

  1. In the Admin Console, go to Security > Global Session Policy.

  2. Click Add a New Global Session Policy.
  3. In the Add Policy dialog, add a Policy Name and optional Policy Description.
  4. In the Assign to Groups field, select Everyone, then click Create Policy and Add Rule.
  5. In the Add Rule dialog, in the AND Primary factor is field, select Password / IDP / any factor allowed by app sign on rules.
  6. In the AND Secondary factor field, select Requires secondary factor, and then select Every time. This option prevents users from controlling their own MFA prompts, so it's suitable for use with behavior conditions, which detect high-risk sign-in events.
  7. Click Create Rule.

The Per device and Per session options reduce MFA prompts for a group of users. Because they allow users to bypass MFA if they appear to be signing in from the same device (based on a browser cookie), they're only appropriate for low-risk, low-assurance use cases. They shouldn't be used with behavior conditions.

Create groups

Create a group for sign-in and add a person to it. These example steps use bookmark apps, but use the app integration you need for each app.

  1. In the Admin Console, go to Directory > Groups.
  2. Click Add Group.
  3. In the Add Group dialog, enter a Name (for example, Group for low assurance app).
  4. Enter a Group Description and click Save.
  5. Go to Directory > People and click Add person.
  6. In the Add Person dialog, add a First name, Last name, Username, and Primary email. Add your own email to the Secondary email field.
  7. In the Groups field, select the group you created in step 2.
  8. In the Password field, select Set by admin.
  9. Enter a password, and then clear User must change password on first login.
  10. Click Save.
  11. Repeat this process for another group (for the high assurance app).

Create bookmark apps

  1. In the Admin Console, go to Applications > Applications.
  2. Select Browse App Catalog.
  3. In the Search box, type bookmark app, select Bookmark App and click Add.
  4. On the Add Bookmark App screen, change the Application label to Bookmark for low assurance app.
  5. Enter a URL and click Done. Because this app is for demonstration purposes only, you can choose any URL you like. In a real environment, you would use the URL of the app you're setting up SSO for.
  6. Select the Assignments tab.
  7. Select Assign > Assign to Groups and select Assign for Group for low assurance app. Don't click the group name unless you want to review the group properties.
  8. Click Done.
  9. Repeat this process for another bookmark app that you will use to create the second authentication policy (Bookmark for high assurance app).

Create authentication policies

Create an authentication policy that requires one factor type and another that requires two factor types. When creating an authentication policy, you should consider who the policy applies to. Which specific users, groups, or user types should this policy apply to?

Authentication policy for low assurance app

  1. In the Admin Console, go to Security > Authentication Policy.

  2. Click Add a policy.

  3. Enter a policy Name and Description.

  4. Click Save.

  5. On the Rules tab, click Add rule.
  6. Enter a Rule Name (for example, Low assurance app rule).
  7. In the AND User's user type is field, select Any user type.
  8. In the AND User's group membership includes a field, select At least one of the following groups.
  9. Start typing the name of the group you created in the prerequisites and then select it (for example, Group for low assurance app).
  10. In the AND User is field, select Any user.
  11. In the AND Device State field, select Any.
  12. Use default values for AND Device Platform (Any platform) and the AND User's IP (Any IP). Also, leave the AND The following custom expression is true field blank. You can use Expression Language to add a custom expression to an authentication policy.
  13. For the AND User must authenticate with field, select Any 1 factor type. The app-level sign-on policy presents the user with a list of their enrolled authenticators (including password), allowing them to pick the one they want to use.
  14. In the AND Access with Okta FastPass is granted field, select If the user approves a prompt in Okta Verify or provides biometrics.
  15. In the AND Re-authentication frequency field, select Every sign-in attempt. That means the authenticator has to be verified every time the user accesses the app. If you select Re-authenticate after, the authenticator will re-authenticate if it hasn't been used within the given time frame. The re-authentication frequency timestamp indicates the start of the authorization period and does not change when the authorization is reused for another app. It changes when the authorization period expires and needs to be reauthorized.
  16. Click Save.
  17. Open the Applications tab.
  18. Search for the Bookmark for low assurance app, and then click Add app.

App sign-on policy for high assurance app

  1. In the Admin Console, go to Security > Authentication Policy.

  2. Click Add a policy.

  3. Enter a policy Name and Description.

  4. Click Save.

  5. On the Rules tab, click Add rule, and enter a Rule Name (for example, High assurance app rule).
  6. In the AND User's user type is field, select Any user type.
  7. In the AND User's group membership includes a field, select At least one of the following groups.
  8. Start typing the name of the group you created in the prerequisites and then select it.
  9. In the AND User is field, select Any user.
  10. In the AND Device State field, select Any.
  11. Use default values for AND Device Platform (Any platform) and the AND User's IP (Any IP). Also, leave the AND The following custom expression is true field blank. You can use Expression Language to add a custom expression to an authentication policy.
  12. For the AND User must authenticate with field, select Any 2 factor types. The authentication policy presents the user with a list of their enrolled authenticators (including password), allowing them to pick the one they want to use.
  13. In the AND Access with Okta FastPass is granted field, select If the user approves a prompt in Okta Verify or provides biometrics.
  14. In the AND Re-authentication frequency field, choose Every sign-in attempt. That means the authenticator has to be verified every time the user accesses the app. If you select Re-authenticate after, the authenticator will re-authenticate if it hasn't been used within the given time frame. The re-authentication frequency timestamp indicates the start of the authorization period and does not change when the authorization is reused for another app. It changes when the authorization period expires and needs to be reauthorized.
  15. Click Save.
  16. Open the Applications tab.
  17. Search for the Bookmark for high assurance app, and then click Add app.

User sign-in experience

When a user attempts to launch an app governed by an authentication policy, their experience is determined by the assurance level of the policy. Assurance levels are determined by business needs; these are examples only.

Low assurance app

Launch the application from any device. You should see the prompt for one authentication method.

High assurance app

Launch the application from any device. You should see the prompts for two authentication methods consecutively.

Catch-all app

Launch the application from any device. You should only see the prompt for a password.

Switch between low and high assurance

  • Launch the low assurance app, then launch the high assurance app. You should see a request for additional authentication.
  • Launch the high assurance app, then launch the low assurance app. You should be able to open the low assurance app without additional authentication.
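The switching behaviour above, together with the re-authentication period semantics described in the policy rule steps, as an added Python model that is not Okta's code: an app rule requires a number of distinct factor types (knowledge, possession, inherence) within a re-authentication window, a previous authorization is reused while it satisfies the rule, and the window is measured from when the factors were verified rather than from the last reuse. The authenticator-to-factor-type mapping and the one-hour windows are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed mapping of authenticators to factor types (not Okta's table).
FACTOR_TYPE = {
    "password": "knowledge", "security_question": "knowledge",
    "okta_verify_push": "possession", "webauthn": "possession",
    "fingerprint": "inherence",
}

@dataclass
class AppRule:
    app: str
    factor_types: int             # 1 = "Any 1 factor type", 2 = "Any 2 factor types"
    reauthenticate_after: timedelta

@dataclass
class Authorization:
    types: frozenset              # factor types verified in this period
    started: datetime             # start of the authorization period

def distinct_types(authenticators):
    """Count factor TYPES: password + security question is still one type."""
    return frozenset(FACTOR_TYPE[a] for a in authenticators)

def needs_prompt(auth, rule, now):
    """True if the stored authorization cannot be reused for this app."""
    if auth is None:
        return True
    expired = now - auth.started >= rule.reauthenticate_after
    return expired or len(auth.types) < rule.factor_types

def verify(authenticators, rule, now):
    """Start a new authorization period from the authenticators the user completed."""
    types = distinct_types(authenticators)
    if len(types) < rule.factor_types:
        raise PermissionError(f"{rule.app} needs {rule.factor_types} factor type(s), got {len(types)}")
    return Authorization(types, now)

def walkthrough():
    """The two 'switch between low and high assurance' checks from this page."""
    low = AppRule("Bookmark for low assurance app", 1, timedelta(hours=1))
    high = AppRule("Bookmark for high assurance app", 2, timedelta(hours=1))
    t0 = datetime(2024, 1, 1, 9, 0)
    auth = verify(["password"], low, t0)                      # low app first
    high_prompts_after_low = needs_prompt(auth, high, t0 + timedelta(minutes=1))
    auth = verify(["password", "okta_verify_push"], high, t0)  # high app first
    low_prompts_after_high = needs_prompt(auth, low, t0 + timedelta(minutes=1))
    # Reuse did not restart the period, so it still expires one hour after t0.
    expires_on_reuse = needs_prompt(auth, low, t0 + timedelta(hours=1))
    return high_prompts_after_low, low_prompts_after_high, expires_on_reuse
```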

Turn on Okta FastPass

Optionally, turn on Okta FastPass so you can see the user experience.

  1. In the Admin Console, go to Security > Authenticators.
  2. In the Authenticators section, enable Okta FastPass using Okta Verify by selecting Actions > Edit.
  3. On the Okta Verify screen, in the Verification options section, select Okta FastPass (All platforms).
  4. In the Okta FastPass section, click Show the "Sign in with Okta FastPass" button. This selection does three things:
    • It walks first-time users through installing Okta Verify and registering a device.
    • It allows an alternative if the user's configuration doesn't permit silent sign-on. For example, Mac users without a device management solution like Jamf Pro or a Safari SSO browser extension will not be able to sign in silently. Enabling the button allows these users a way to sign in.
    • It acts as a backup if Okta Verify doesn't load automatically.

After you've turned on Okta FastPass, you can see it in authentication policies under Available Authenticators.

Users can now log in to the higher assurance app with Okta FastPass only, assuming they have biometrics enabled.