App sign-on policies

Learn how app sign-on policies change after the upgrade.

Change summary App sign-on policies are now called authentication policies. Every app has one, but Identity Engine lets you share one policy across multiple apps.
Admin experience All authentication policies are visible in the same location: Security > Authentication policies. This page allows you to maintain policies at scale and evaluate how each policy impacts application access.
  • You can create a unique policy for each app (instead of only adding rules to an app's default policy).

  • You can use Okta preset policies for apps with standard sign-on requirements.

  • You can share one policy among many apps.
  • You can still view an app's policy at Applications > Applications > Sign-On, but you can't make any changes.

Configuration settings for authentication policies are the same, with one exception: the Password or IDP option appears if your org has at least one external Identity Provider configured. Otherwise, Password appears in the interface.

User experience Changes to the user experience depend on how you configure new conditions in the policy.
  • Evaluation of authentication policies is different for OIDC apps. In Classic Engine, an OIDC app sign-on policy is evaluated immediately when a user selects the app. In Identity Engine, you can configure OIDC apps with the Redirect to app to initiate login (OIDC compliant) setting. Users who select these apps go first to the initiate login URI. Then, when the app issues an authorize request, the authentication policy is evaluated. MFA prompts appear when the users return to Okta.

  • In Classic Engine, if your app sign-on policy is configured for two authentication factors (for example, Password / Any IdP + Any authenticator), Okta Verify users must provide two factors to satisfy the condition (for example, enter a password and accept an Okta Verify Push notification). In Identity Engine, users satisfy the two-factor condition by approving only an Okta Verify notification and providing biometrics.

Related topics Authentication policies

Create OIDC app integrations

flows