Global Session Policy evaluation
To determine if a policy is applied to a particular user, Okta evaluates the conditions of the policy and its rules.
- Policies contain groups of resources that require similar treatment, such as apps with the same security characteristics or user groups with the same account setup requirements.
- Rules describe the conditions of policy behavior, like requests from a geographical location or whether the user is on or off a trusted network. Every policy must have at least one rule before it is applied.
As a best practice, restrictive rules should be placed at the top of the Priority list. Beyond that, you can create combinations of conditions for multiple scenarios; there isn’t a limit to the number of rules your policies can have.
For example, if you create a policy that you assign to the group "Admins," you can create conditions relevant to the needs of administrators. A rule applied to the policy might be one that allows for a self-service unlock only under certain conditions. One condition might be whether a particular admin is off or on your company network.
System Log events
The following System Log events are available to assist with the identification and resolution of authentication issues:
- Returns user authentication prompt verification success or failure and provides authenticator enrollment information including the authenticator type and specific authenticator instance used.
- This event is activated when a user enters a code, or responds to a push notification and not when a code or push notification is sent. See Multifactor Authentication.
- Returns Global Session Policy or authentication policy evaluation information including the application being accessed and the policy rule that was matched. Sign-on policy evaluation may occur multiple times during an authentication sequence.
- This event can have Allow, Deny, and Challenge values. A Challenge value indicates that additional user authentication was required.
- Returns the status of a user's first authenticator verification attempt. If a user enters an incorrect authenticator,
See System Log for more information.
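As an added example (not from Okta's documentation), the following Python triages constructed sign-on policy evaluation events by session: it records the Allow/Deny/Challenge outcomes and the matched rule each evaluation returns, and flags sessions that were denied or that were challenged without a subsequent successful authenticator verification. The event type strings, the upper-case result values and the JSON field layout are assumptions about Okta's System Log schema, and every sample entry is constructed.

```python
from collections import defaultdict

# Okta System Log event types (assumed here; the page does not name them).
POLICY_EVAL = "policy.evaluate_sign_on"
MFA_VERIFY = "user.authentication.auth_via_mfa"

def make_event(session, event_type, result, user, rule=None):
    """Build one constructed System Log entry; field layout is assumed."""
    return {
        "eventType": event_type,
        "outcome": {"result": result},
        "actor": {"alternateId": user},
        "authenticationContext": {"externalSessionId": session},
        "debugContext": {"debugData": {"ruleName": rule} if rule else {}},
    }

# Constructed sample: three sessions, each a short authentication sequence.
SAMPLE_EVENTS = [
    # s1: off-network rule matched, MFA challenged, verified, then allowed.
    make_event("s1", POLICY_EVAL, "CHALLENGE", "alice@example.com", "Off-network requires MFA"),
    make_event("s1", MFA_VERIFY, "SUCCESS", "alice@example.com"),
    make_event("s1", POLICY_EVAL, "ALLOW", "alice@example.com", "Off-network requires MFA"),
    # s2: challenged, but no authenticator verification was ever recorded.
    make_event("s2", POLICY_EVAL, "CHALLENGE", "bob@example.com", "Off-network requires MFA"),
    # s3: denied outright by a restrictive rule at the top of the priority list.
    make_event("s3", POLICY_EVAL, "DENY", "carol@example.com", "Block anonymizing proxies"),
]

def triage_sessions(events):
    """Group events by session and classify each policy evaluation sequence."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["authenticationContext"]["externalSessionId"]].append(e)
    report = {}
    for sid, seq in by_session.items():
        evals = [e for e in seq if e["eventType"] == POLICY_EVAL]
        results = [e["outcome"]["result"] for e in evals]
        rules = [e["debugContext"]["debugData"].get("ruleName") for e in evals]
        # A CHALLENGE counts as resolved only once an authenticator verification succeeds.
        mfa_ok = any(e["eventType"] == MFA_VERIFY and e["outcome"]["result"] == "SUCCESS"
                     for e in seq)
        if "DENY" in results:
            finding = "denied"                # review the matched rule and client context
        elif "CHALLENGE" in results and not mfa_ok:
            finding = "challenge_unresolved"  # user never completed the extra factor
        else:
            finding = "ok"
        report[sid] = {"user": seq[0]["actor"]["alternateId"], "results": results,
                       "rules": rules, "mfa_verified": mfa_ok, "finding": finding}
    return report
```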
The Global Session Policy controls how long an overall session is valid, but re-authentication frequency is controlled by authentication policy rules.
An end user’s session expires according to the Session expires after setting in the Global Session Policy. At this point, end users must re-authenticate according to the authentication policy rules, regardless of whether they selected the Keep me signed in option when signing in.