Sign-in flows
The sequence of a sign-in flow depends on the authentication assurance requirements that you set in your policies. Okta Identity Engine requires that the authentication assurance specified in both the Global Session Policy and the authentication policies is satisfied before it allows the end user to access an app.
Sign-on policies supply the context necessary for the user to advance to the next step and specify the actions to take, such as allowing access, prompting for a challenge, or setting the time required before prompting for another challenge.
The Global Session Policy defines access globally, across all apps in your org. See Global session policies.
Authentication policies enforce end user authentication only in the context of the requested application. See Authentication policies.
The user's location and profile are verified against the group membership and authentication criteria of both policies.
When an end user is allowed to sign in without a password, Okta attempts to optimize the sign-in experience. If the device is enrolled with Okta Verify and a biometric authenticator is enabled, the biometric authenticator is always the first factor used for user authentication.
If end users are required to sign in with a password, the password-first prompt is always displayed. This is true for any authentication policy configuration where the password authenticator is defined along with other authenticators.
Password / IDP
If any Global Session Policy rule has the primary factor set to Password / IDP, end users see the password-first Sign-In Widget.
- End users enter their full app Username, including the domain, and then their password in the Password field.
  The Keep me signed in checkbox retains their identifier as well as authenticator verification information on their device for the amount of time designated by the policy rule. This replaces the Remember me option in Classic Engine orgs.
- End users click Sign in to initiate the authentication process.
- On the security method page, end users pick one of the primary authenticator options allowed by the combined global session and authentication policies.
- After clicking Select to choose an authenticator, end users move to the verification step where they supply the required authenticator and then click Verify.
Password / IDP / any factor allowed by app sign on rules
If any Global Session Policy rule has the primary factor set to Password / IDP / any factor allowed by app sign on rules, end users see the identifier-first Sign-In Widget as the first screen during their access flow.
- End users enter their full app Username, including the domain, and click Next.
  The Keep me signed in checkbox retains their identifier as well as authenticator verification information on their device for the amount of time designated by the policy rule. This replaces the Remember me option in Classic Engine orgs.
  If the username is unknown to the org, the Sign-In Widget displays a warning that there is no account with that username and returns an error that the user can't sign in.
- On the security method page, end users pick one of the primary authenticator options allowed by the combined global session and authentication policies.
- After clicking Select to choose an authenticator, end users move to the verification step where they supply the required authenticator and then click Verify.
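
The primary-factor rule described in both sections above can be checked against an exported policy, shown here as an added example that is not Okta's own code. It assumes rules shaped like Okta Policies API objects with `actions.signon.primaryFactor` set to `PASSWORD_IDP` or `PASSWORD_IDP_ANY_FACTOR`; the sample rules, the `audit_rules` helper, counting only active allow rules, and password-first taking precedence when both settings are present are assumptions.

```python
import json

# Constructed sample: Global Session Policy rules shaped like Okta Policies API
# rule objects (actions.signon.primaryFactor). Names and values are made up.
SAMPLE_RULES = json.loads("""
[
  {"name": "Contractors", "status": "ACTIVE", "priority": 1,
   "actions": {"signon": {"access": "ALLOW", "primaryFactor": "PASSWORD_IDP"}}},
  {"name": "Legacy VPN", "status": "INACTIVE", "priority": 2,
   "actions": {"signon": {"access": "ALLOW", "primaryFactor": "PASSWORD_IDP"}}},
  {"name": "Default Rule", "status": "ACTIVE", "priority": 3,
   "actions": {"signon": {"access": "ALLOW", "primaryFactor": "PASSWORD_IDP_ANY_FACTOR"}}}
]
""")

# Mapping taken from the two sections above.
WIDGET = {"PASSWORD_IDP": "password-first",
          "PASSWORD_IDP_ANY_FACTOR": "identifier-first"}


def audit_rules(rules):
    """Return (widget, findings) for a list of Global Session Policy rules."""
    findings = []
    for rule in sorted(rules, key=lambda r: r.get("priority", 0)):
        signon = rule.get("actions", {}).get("signon", {})
        factor = signon.get("primaryFactor")
        # Assumption: only ACTIVE rules that allow access shape the widget.
        counted = rule.get("status") == "ACTIVE" and signon.get("access") == "ALLOW"
        findings.append({"rule": rule.get("name"), "primaryFactor": factor,
                         "widget": WIDGET.get(factor, "unknown"), "counted": counted})
    modes = {f["widget"] for f in findings if f["counted"]}
    # Assumption: a password-first rule wins when both settings are present,
    # following the statement that the password-first prompt is always
    # displayed when end users are required to sign in with a password.
    if "password-first" in modes:
        widget = "password-first"
    elif "identifier-first" in modes:
        widget = "identifier-first"
    else:
        widget = "undetermined"
    return widget, findings


if __name__ == "__main__":
    widget, findings = audit_rules(SAMPLE_RULES)
    print("Org-wide first screen:", widget)
    for f in findings:
        print(f)
```

The per-rule findings show which rule is responsible when the org presents the password-first screen.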