Sign-on policies and rules

Sign-on policies are used to enforce assurance. Assurance refers to a level of confidence that the user signing in to an application is also the person who owns the account. This level is measured by the use of one or more authenticators and the characteristics of those authenticators. A user who can authenticate with both a knowledge factor and a possession factor has a higher assurance level than one who can authenticate with only one factor.

Identity Engine requires that the assurance specified in the Okta and app sign-on policies are satisfied before it allows the end user to access an app. This is a change from the traditional model of authentication, which evaluates one policy depending on whether the user signs in to the org or directly through the app.

To determine if a policy is applied to a particular user, Okta evaluates the conditions of the policy and its rules:

  • Policies contain groups of resources that require similar treatment, such as apps with the same security characteristics or user groups with the same account setup requirements.
  • Rules describe the conditions of policy behavior, such as requests from a geographical location or whether the user is on or off a trusted network. Every policy must have at least one rule before it is applied.

As a best practice, restrictive rules should be placed at the top of the Priority list. Beyond that, you can create combinations of conditions for multiple scenarios; there is no limit to the number of rules your policies can have.


Okta sign-on policies Okta sign-on policies supply sign-in context necessary for the user to advance to the next authentication step once they have been identified by Okta.
App sign-on policies App sign-on policies enforce end-user authentication in the context of the requested application. The user’s location and profile (also identified by the Okta sign-on policy) are verified against the app sign-on policy’s group membership and authentication criteria.
Create sign-on policies with Okta Applications Okta has several first-party applications that are available by default for each Okta instance.
Configure passwordless authentication Configure Okta and app sign-on policies to create a passwordless sign-in experience for your end users.