Global session policy evaluation
To determine if a policy is applied to a particular user, Okta evaluates the conditions of the policy and its rules.
- Policies contain groups of resources that require similar treatment, such as apps with the same security characteristics or user groups with the same account setup requirements.
- Rules describe the conditions of policy behavior, like requests from a geographical location or whether the user is on or off a trusted network. Every policy has at least one rule.
As a best practice, restrictive rules should be placed at the top of the Priority list. Beyond that, you can create combinations of conditions for multiple scenarios. There isn’t a limit to the number of rules your policies can have.
For example, if you create a policy that you assign to the group "Admins," you can create conditions relevant to the needs of administrators. A rule applied to the policy might be one that allows for a self-service unlock only under certain conditions. One condition might be whether a particular admin is off or on your company network.
System Log events
The following System Log events are available to assist with the identification and resolution of authentication issues:
- Returns user authentication prompt verification success or failure and provides authenticator enrollment information including the authenticator type and specific authenticator instance used.
- This event is activated when a user enters a code or responds to a push notification. It's not activated when a code or push notification is sent. See Multifactor authentication.
- Returns global session policy or authentication policy evaluation information including the application being accessed and the policy rule that was matched. Sign-on policy evaluation may occur multiple times during an authentication sequence.
- This event can have Allow, Deny, and Challenge values. Challenge indicates that additional user authentication was required.
- Returns the status of a user's first authenticator verification attempt. If a user enters an incorrect authenticator,
See System Log for more information.
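As an added example (not part of the Okta documentation), the following Python triages a batch of System Log events for the patterns described above: the result and matched rule of each sign-on policy evaluation, and challenged users for whom no authenticator response event was ever recorded. The event type strings, target types and sample records are constructed from the Okta System Log schema as assumptions, not taken from this page.

```python
"""Triage constructed Okta System Log events for sign-on policy outcomes."""
import json
from collections import Counter

# Constructed sample events (one JSON object per line). Field names follow the
# Okta System Log schema; the eventType values and target types are assumptions.
SAMPLE_LOG = """
{"eventType":"policy.evaluate_sign_on","actor":{"alternateId":"a.admin@example.com"},"outcome":{"result":"CHALLENGE"},"target":[{"type":"PolicyEntity","displayName":"Admins session policy"},{"type":"PolicyRule","displayName":"Off-network: require MFA"}]}
{"eventType":"user.authentication.auth_via_mfa","actor":{"alternateId":"a.admin@example.com"},"outcome":{"result":"SUCCESS"},"target":[{"type":"User","displayName":"A. Admin"}]}
{"eventType":"policy.evaluate_sign_on","actor":{"alternateId":"b.user@example.com"},"outcome":{"result":"DENY"},"target":[{"type":"PolicyEntity","displayName":"Default policy"},{"type":"PolicyRule","displayName":"Block legacy clients"}]}
{"eventType":"policy.evaluate_sign_on","actor":{"alternateId":"c.user@example.com"},"outcome":{"result":"ALLOW"},"target":[{"type":"PolicyEntity","displayName":"Default policy"},{"type":"PolicyRule","displayName":"On-network: password only"}]}
{"eventType":"policy.evaluate_sign_on","actor":{"alternateId":"d.user@example.com"},"outcome":{"result":"CHALLENGE"},"target":[{"type":"PolicyEntity","displayName":"Default policy"},{"type":"PolicyRule","displayName":"Off-network: require MFA"}]}
"""

SIGN_ON_EVENT = "policy.evaluate_sign_on"          # assumed event type
MFA_EVENT = "user.authentication.auth_via_mfa"     # assumed event type


def parse_events(raw):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def matched_rule(event):
    """Return the displayName of the PolicyRule target, or None if absent."""
    for target in event.get("target", []):
        if target.get("type") == "PolicyRule":
            return target.get("displayName")
    return None


def summarize_sign_on_evaluations(events):
    """Map each user to a list of (result, matched rule) pairs.
    Evaluation may run several times per sign-in, so a list is kept per user."""
    summary = {}
    for ev in events:
        if ev.get("eventType") == SIGN_ON_EVENT:
            user = ev["actor"]["alternateId"]
            summary.setdefault(user, []).append((ev["outcome"]["result"], matched_rule(ev)))
    return summary


def outcome_counts(events):
    """Count ALLOW / DENY / CHALLENGE results across all policy evaluations."""
    return Counter(ev["outcome"]["result"] for ev in events
                   if ev.get("eventType") == SIGN_ON_EVENT)


def challenges_without_mfa_response(events):
    """Users challenged for MFA who never produced an authenticator response event.
    The MFA event fires only when the user responds, so a CHALLENGE with no
    follow-up marks a sign-in that stalled at the authenticator prompt."""
    challenged = {ev["actor"]["alternateId"] for ev in events
                  if ev.get("eventType") == SIGN_ON_EVENT
                  and ev["outcome"]["result"] == "CHALLENGE"}
    responded = {ev["actor"]["alternateId"] for ev in events
                 if ev.get("eventType") == MFA_EVENT}
    return sorted(challenged - responded)
```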
The global session policy controls how long an overall session is valid, but the authentication policy controls re-authentication frequency.
An end user’s session expires according to the Maximum Okta global session idle time setting in the global session policy. At this point, end users must re-authenticate according to the authentication policy rules, regardless of whether they selected the Keep me signed in option when signing in.