Sign-on policies and rules

Global session policies and authentication policies are used to enforce assurance. Assurance refers to a level of confidence that the user signing in to an application is also the person who owns the account. This level is measured by the use of one or more authenticators and the characteristics of those authenticators. A user who can authenticate with both a knowledge factor and a possession factor has a higher assurance level than one who can authenticate with only one factor.

Identity Engine requires that the assurance levels specified in the global session policies and authentication policies are satisfied before it allows the end user to access an app. This is a change from the traditional model of authentication, which evaluates one policy depending on whether the user signs in to the org or directly through the app.

To determine if a policy is applied to a particular user, Okta evaluates the conditions of the policy and its rules:

  • Policies contain groups of resources that require similar treatment, such as apps with the same security characteristics or user groups with the same account setup requirements.
  • Rules describe the conditions of policy behavior, such as requests from a geographical location or whether the user is on or off a trusted network. Every policy must have at least one rule before it's applied.

As a best practice, place restrictive rules at the top of the Priority list. Also, you can create combinations of conditions for multiple scenarios. There is no limit to the number of rules your policies can have.

If the policy applicable to the user requires a certain authenticator and the user hasn’t enrolled it, they’re prompted to enroll the authenticator when trying to access the org or an app. When enrolling the new authenticator, the user must first verify with two-factor authentication (2FA) wherever available. The 2FA requirement applies irrespective of applicable policies.


Global session policies Global session policies supply the sign-in context necessary for the user to advance to the next authentication step after they have been identified by Okta.
Authentication policies Authentication policies enforce end-user authentication in the context of the requested application. The user’s location and profile (also identified by the global session policy) are verified against the authentication policy’s group membership and authentication criteria.
Modify authentication policies for first-party apps Okta has several first-party applications that are available by default for each Okta instance.

Set up passwordless sign-in experience

Configure global session policies and authentication policies to create a passwordless sign-in experience for your end users.