Sign-on policies and rules

Global session policies and authentication policies are used to enforce assurance. Assurance refers to a level of confidence that the user signing in to an application is also the person who owns the account. This level is measured by the use of one or more authenticators and the characteristics of those authenticators. A user who can authenticate with both a knowledge factor and a possession factor has a higher assurance level than one who can authenticate with only one factor.

Identity Engine requires that the assurance levels specified in the global session policies and authentication policies are satisfied before it allows the end user to access an app. This is a change from the traditional model of authentication, which evaluates one policy depending on whether the user signs in to the org or directly through the app.

To determine if a policy is applied to a particular user, Okta evaluates the conditions of the policy and its rules:

  • Policies contain groups of resources that require similar treatment, such as apps with the same security characteristics or user groups with the same account setup requirements.
  • Rules describe the conditions of policy behavior, such as requests from a geographical location or whether the user is on or off a trusted network. Every policy must have at least one rule before it is applied.

As a best practice, restrictive rules should be placed at the top of the Priority list. Beyond that, you can create combinations of conditions for multiple scenarios; there is no limit to the number of rules your policies can have.


Global session policies Global session policies supply sign-in context necessary for the user to advance to the next authentication step once they have been identified by Okta.
Authentication policies Authentication policies enforce end-user authentication in the context of the requested application. The user’s location and profile (also identified by the global session policy) are verified against the authentication policy’s group membership and authentication criteria.
Modify authentication policies for first-party apps Okta has several first-party applications that are available by default for each Okta instance.

Set up passwordless sign-in experience

Configure global session policies and authentication policies to create a passwordless sign-in experience for your end users.