Global session policy evaluation

To determine if a policy is applied to a particular user, Okta evaluates the conditions of the policy and its rules.

  • Policies contain groups of resources that require similar treatment, such as apps with the same security characteristics or user groups with the same account setup requirements.
  • Rules describe the conditions of policy behavior, like requests from a geographical location or whether the user is on or off a trusted network. Every policy has at least one rule.

As a best practice, restrictive rules should be placed at the top of the Priority list. Beyond that, you can create combinations of conditions for multiple scenarios. There isn’t a limit to the number of rules your policies can have.

For example, if you create a policy that you assign to the group "Admins," you can create conditions relevant to the needs of administrators. A rule applied to the policy might be one that allows for a self-service unlock only under certain conditions. One condition might be whether a particular admin is off or on your company network.

System Log events

The following System Log events are available to assist with the identification and resolution of authentication issues:


  • Returns user authentication prompt verification success or failure and provides authenticator enrollment information including the authenticator type and specific authenticator instance used.
  • This event is activated when a user enters a code or responds to a push notification. It's not activated when a code or push notification is sent. See Multifactor authentication.


  • Returns global session policy or authentication policy evaluation information including the application being accessed and the policy rule that was matched. Sign-on policy evaluation may occur multiple times during an authentication sequence.
  • This event can have Allow, Deny, and Challenge values. Challenge indicates that additional user authentication was required.


  • Returns the status of a user's first authenticator verification attempt. If a user enters an incorrect authenticator, VERIFICATION_ERROR is returned.

See System Log more information.


  • The global session policy controls how long an overall session is valid, but the authentication policy controls re-authentication frequency.

  • An end user’s session expires according to the Maximum Okta global session idle time setting in the global session policy. At this point, end users must re-authenticate according to the authentication policy rules, regardless of whether they selected the Keep me signed in option when signing in.

Related topics