Okta policies and rules
Okta uses policies and rules that let you customize the requirements for various actions. Okta includes these policies:
- Global session policy: These policies supply the sign-in context necessary for the user to advance to the next authentication step after they've been identified by Okta.
- App sign-in policy: These policies enforce end-user authentication in the context of the requested app. The user's location and profile (also identified by the global session policy) are verified against the app sign-in policy's group membership and authentication criteria.
- Okta account management policy: This policy defines authentication requirements when users enroll in authenticators, recover their passwords, and unlock their accounts.
- Session protection policy: This policy lets you configure options for monitoring sessions for changes in context that might indicate that the session is at risk of hijacking or other situations.
You can also use global session and app sign-in policies for specific purposes:
- App sign-in policies for first-party apps: Okta has several first-party apps that are available by default for each Okta instance.
- Passwordless experiences: Use a combination of global session and app sign-in policies to let users sign in without using a password.
All of these policies enforce assurance, which is a level of confidence that the user signing in to an application is also the person who owns the account. This level is measured by the use of one or more authenticators and the characteristics of those authenticators. A user who can authenticate with both a knowledge factor and a possession factor has a higher assurance level than one who can authenticate with only one factor.
Identity Engine requires that the assurance levels specified in both the global session policy and the app sign-in policy are satisfied before it allows the end user to access an app. This is a change from the traditional model of authentication, which evaluates only one policy, depending on whether the user signs in to the org or directly through the app.
To determine if a policy is applied to a particular user, Okta evaluates the conditions of the policy and its rules:
- Policies contain groups of resources that require similar treatment, such as apps with the same security characteristics or user groups with the same account setup requirements.
- Rules describe the conditions of policy behavior, such as requests from a geographical location or whether the user is on or off a trusted network. Every policy must have at least one rule before it's applied.
As a best practice, place restrictive rules at the top of the Priority list. Also, you can create combinations of conditions for multiple scenarios. There is no limit to the number of rules your policies can have.
If the policy applicable to the user requires a certain authenticator and the user hasn't enrolled it, they're prompted to enroll the authenticator when trying to access the org or an app. When enrolling the new authenticator, the user must first verify with two-factor authentication (2FA) wherever available. The 2FA requirement applies irrespective of applicable policies.
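The evaluation order described above (rules checked in priority order with the first match winning, a policy with no rules never applying, and the assurance of the global session policy and the app sign-in policy both having to be met before a user still missing a factor type is sent to enrollment) as an added, simplified model. This is example code, not Okta's implementation; the rule conditions, authenticator names, group names and the "no matching rule means deny" behaviour are assumptions.

```python
from dataclasses import dataclass

# Each authenticator maps to a factor type; assurance counts distinct types.
FACTOR_TYPE = {"password": "knowledge", "security_question": "knowledge",
               "okta_verify_push": "possession", "webauthn": "possession"}

@dataclass(frozen=True)
class Rule:
    name: str
    required_types: frozenset        # e.g. {"knowledge", "possession"} for 2FA
    network: str = ""                # "on_network", "off_network", or "" = any
    groups: frozenset = frozenset()  # empty = applies to every group

    def matches(self, ctx):
        if self.network and ctx["network"] != self.network:
            return False
        return not self.groups or bool(self.groups & ctx["groups"])

@dataclass
class Policy:
    name: str
    rules: tuple  # priority order: index 0 is evaluated first

def first_matching_rule(policy, ctx):
    # A policy with no rules is never applied; the first matching rule wins.
    return next((r for r in policy.rules if r.matches(ctx)), None)

def evaluate(global_policy, app_policy, ctx, verified):
    """Both policies must be satisfied. Returns (allowed, applied_rules,
    factor types the user must still enroll before access is granted)."""
    have = {FACTOR_TYPE[a] for a in verified}
    required, applied = set(), []
    for policy in (global_policy, app_policy):
        rule = first_matching_rule(policy, ctx)
        if rule is None:            # assumption: no applicable rule means deny
            return False, applied, set()
        applied.append(f"{policy.name}:{rule.name}")
        required |= rule.required_types
    missing = required - have
    return not missing, applied, missing

# Constructed sample policies: the restrictive rule sits at the top of each list.
GLOBAL = Policy("global-session", (
    Rule("off-network-2fa", frozenset({"knowledge", "possession"}), network="off_network"),
    Rule("catch-all", frozenset({"knowledge"})),
))
APP = Policy("finance-app-sign-in", (
    Rule("finance-admins-2fa", frozenset({"knowledge", "possession"}),
         groups=frozenset({"finance-admins"})),
    Rule("catch-all", frozenset({"knowledge"})),
))
```

Calling `evaluate(GLOBAL, APP, {"network": "on_network", "groups": {"finance-admins"}}, ["password"])` denies access and reports that a possession factor still has to be enrolled, even though the global session policy alone would have been satisfied.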