Global session policy evaluation

To determine if a policy is applied to a particular user, Okta evaluates the conditions of the policy and its rules.

  • Policies contain groups of resources that require similar treatment, such as apps with the same security characteristics or user groups with the same account setup requirements.
  • Rules describe the conditions of policy behavior, like requests from a geographical location or whether the user is on or off a trusted network. Every policy has at least one rule.

As a best practice, place restrictive rules at the top of the Priority list: rules are evaluated in priority order and the first rule whose conditions match decides the outcome, so a broad, permissive rule placed above a narrower restrictive one prevents the restrictive rule from ever applying. Beyond that, you can create combinations of conditions for multiple scenarios. There is no limit to the number of rules a policy can have.

For example, if you create a policy that you assign to the group "Admins," you can create conditions relevant to the needs of administrators. A rule applied to the policy might be one that allows for a self-service unlock only under certain conditions. One condition might be whether a particular admin is off or on your company network.
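The following is an added example, not Okta's policy engine or any code from the Okta documentation: a simplified first-match model of rule evaluation that shows why priority order matters. The `Request`, `Rule`, group name and network condition names are assumptions made for the illustration; `shadowed_rules` is a small lint that reports rules which can never match because an equally broad or broader rule sits above them.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified model (added example, not Okta's engine): a policy holds rules
# ordered by priority; the first rule whose conditions all match the
# request decides the action.

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    on_trusted_network: bool

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                   # lower number = evaluated earlier
    action: str                     # e.g. "DENY", "ALLOW_WITH_MFA", "ALLOW"
    group: Optional[str] = None     # None = any group
    network: Optional[str] = None   # "on", "off", or None = any network

    def matches(self, req: Request) -> bool:
        if self.group is not None and self.group not in req.groups:
            return False
        if self.network == "on" and not req.on_trusted_network:
            return False
        if self.network == "off" and req.on_trusted_network:
            return False
        return True

def evaluate(rules: List[Rule], req: Request) -> Tuple[Optional[str], str]:
    """Return (rule name, action) of the first matching rule by priority.
    Assumption for this model: no matching rule means the request is denied."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(req):
            return rule.name, rule.action
    return None, "DENY"

def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire: an earlier rule has conditions that
    are at least as broad on every attribute, so it always matches first."""
    ordered = sorted(rules, key=lambda r: r.priority)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            group_ok = earlier.group in (None, later.group)
            network_ok = earlier.network in (None, later.network)
            if group_ok and network_ok:
                shadowed.append(later.name)
                break
    return shadowed

# Constructed requests: an admin on and off the trusted network, and a
# non-admin user off the network.
ADMIN_OFF_NET = Request("alice", frozenset({"Admins"}), on_trusted_network=False)
ADMIN_ON_NET = Request("alice", frozenset({"Admins"}), on_trusted_network=True)
STAFF_OFF_NET = Request("bob", frozenset({"Everyone"}), on_trusted_network=False)

# Restrictive rule first: admins off the trusted network must complete MFA.
GOOD_ORDER = [
    Rule("admins-off-network", 1, "ALLOW_WITH_MFA", group="Admins", network="off"),
    Rule("catch-all", 99, "ALLOW"),
]

# Same rules with the catch-all placed first: the restrictive rule is shadowed
# and the admin off-network request is allowed without MFA.
BAD_ORDER = [
    Rule("catch-all", 1, "ALLOW"),
    Rule("admins-off-network", 2, "ALLOW_WITH_MFA", group="Admins", network="off"),
]

if __name__ == "__main__":
    for label, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, evaluate(rules, ADMIN_OFF_NET), "shadowed:", shadowed_rules(rules))
```

Running the block shows the same admin request resolving to `ALLOW_WITH_MFA` under the first ordering and to plain `ALLOW` under the second; the shadowing lint is the kind of check worth running whenever rule priorities are changed.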

System Log events

The following System Log events are available to assist with the identification and resolution of authentication issues:

policy.evaluate_sign_on

  • Returns global session policy or authentication policy evaluation information including the application being accessed and the policy rule that was matched. Sign-on policy evaluation may occur multiple times during an authentication sequence.
  • This event can have Allow, Deny, and Challenge values. Challenge indicates that additional user authentication was required.

user.authentication.auth_via_mfa

  • Returns user authentication prompt verification success or failure and provides authenticator enrollment information including the authenticator type and specific authenticator instance used.
  • This event is activated when a user enters a code or responds to a push notification. It's not activated when a code or push notification is sent. See Multifactor authentication.

user.session.start

  • Returns the status of a user's first authenticator verification attempt. If a user enters an incorrect authenticator, VERIFICATION_ERROR is returned.

See System Log for more information.
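As an added example (not Okta's code and not part of this documentation page), the script below reads a newline-delimited export of the three System Log events described above and summarizes them the way a triage script in a SIEM would: policy outcomes per app and matched rule, failed MFA verifications per user, and session starts that ended in VERIFICATION_ERROR. The sample records are constructed; their field layout (`eventType`, `actor.alternateId`, `client.ipAddress`, `outcome.result`, `outcome.reason`, `target[].type`/`displayName`) follows the general shape of Okta System Log records but is an assumption for this example, as are the user names, app names, rule names and addresses.

```python
import json
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample System Log events, one JSON record per line (values made up;
# field layout assumed for this example).
SAMPLE_LOG = r"""
{"eventType":"policy.evaluate_sign_on","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"CHALLENGE","reason":"Sign-on policy evaluation resulted in CHALLENGE"},"target":[{"type":"AppInstance","displayName":"Admin Console"},{"type":"PolicyRule","displayName":"admins-off-network"}]}
{"eventType":"user.authentication.auth_via_mfa","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"target":[{"type":"User","displayName":"Alice"}]}
{"eventType":"user.authentication.auth_via_mfa","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"},"target":[{"type":"User","displayName":"Alice"}]}
{"eventType":"policy.evaluate_sign_on","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"ALLOW"},"target":[{"type":"AppInstance","displayName":"Wiki"},{"type":"PolicyRule","displayName":"catch-all"}]}
{"eventType":"user.session.start","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.7"},"outcome":{"result":"FAILURE","reason":"VERIFICATION_ERROR"},"target":[]}
{"eventType":"policy.evaluate_sign_on","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.7"},"outcome":{"result":"DENY"},"target":[{"type":"AppInstance","displayName":"Admin Console"},{"type":"PolicyRule","displayName":"deny-non-admins"}]}
"""

def parse_events(text: str) -> List[dict]:
    """Parse newline-delimited JSON, skipping blank lines and malformed records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a real pipeline would count and alert on these
    return events

def _target_name(event: dict, target_type: str) -> str:
    """displayName of the first target of the given type, or '?' if absent."""
    for target in event.get("target", []):
        if target.get("type") == target_type:
            return target.get("displayName", "?")
    return "?"

def policy_outcomes(events: List[dict]) -> Counter:
    """Count policy.evaluate_sign_on results keyed by (app, matched rule, result).
    Evaluation may fire several times per sign-in, so these are counts, not users."""
    counts: Counter = Counter()
    for ev in events:
        if ev.get("eventType") != "policy.evaluate_sign_on":
            continue
        key = (_target_name(ev, "AppInstance"),
               _target_name(ev, "PolicyRule"),
               ev.get("outcome", {}).get("result", "UNKNOWN"))
        counts[key] += 1
    return counts

def mfa_failures(events: List[dict]) -> Dict[str, int]:
    """Failed user.authentication.auth_via_mfa verifications per user."""
    failures: Counter = Counter()
    for ev in events:
        if (ev.get("eventType") == "user.authentication.auth_via_mfa"
                and ev.get("outcome", {}).get("result") == "FAILURE"):
            failures[ev.get("actor", {}).get("alternateId", "?")] += 1
    return dict(failures)

def verification_errors(events: List[dict]) -> List[Tuple[str, str]]:
    """(user, source IP) for user.session.start events that ended in VERIFICATION_ERROR."""
    hits = []
    for ev in events:
        if (ev.get("eventType") == "user.session.start"
                and ev.get("outcome", {}).get("reason") == "VERIFICATION_ERROR"):
            hits.append((ev.get("actor", {}).get("alternateId", "?"),
                         ev.get("client", {}).get("ipAddress", "?")))
    return hits

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (app, rule, result), n in sorted(policy_outcomes(evs).items()):
        print(f"{app:14} {rule:20} {result:10} {n}")
    print("MFA failures:", mfa_failures(evs))
    print("VERIFICATION_ERROR:", verification_errors(evs))
```

Grouping policy outcomes by app and matched rule is what makes the output actionable: a DENY or CHALLENGE against an unexpected rule name usually points at the priority-ordering problem described earlier on this page, while repeated MFA failures or VERIFICATION_ERROR for one user from one address are the pattern to watch in the other two events.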

Notes

  • The global session policy controls how long an overall session is valid, but the authentication policy controls re-authentication frequency.

  • An end user’s session expires according to the Maximum Okta global session idle time setting in the global session policy. At this point, end users must re-authenticate according to the authentication policy rules, regardless of whether they selected the Keep me signed in option when signing in.
