Global session policy evaluation

To determine if a policy applies to a particular user, Okta evaluates the conditions of the policy and its rules.

  • Policies contain groups of resources that require similar treatment, like apps with the same security characteristics or user groups with the same account setup requirements.
  • Rules describe the conditions of policy behavior, like requests from a geographical location or whether the user is on or off a trusted network. Every policy contains at least one rule.

You can create combinations of conditions for different scenarios. As a best practice, place restrictive rules at the top of the Priority list. There's no limit to the number of rules your policies can have.

If you create a policy and assign it to the group "Admins," you can customize conditions relevant to the needs of administrators. For example, you might allow self-service unlock only under certain conditions, such as whether the admin signs in from inside or outside your company network.
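The effect of rule order, as an added example that is not Okta's code or API: a simplified model in which rules are checked from the top of the Priority list and the first match applies, plus a check for restrictive rules that a broader rule above them makes unreachable. The `Rule` fields, zone labels, and rule names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ANY = "ANY"  # wildcard condition value (assumption of this model)
STRICTNESS = {"ALLOW": 0, "CHALLENGE": 1, "DENY": 2}

@dataclass(frozen=True)
class Rule:
    name: str
    network: str  # "IN_ZONE", "OFF_ZONE" or ANY (hypothetical labels)
    group: str    # group name or ANY
    action: str   # "ALLOW", "CHALLENGE" or "DENY"

def evaluate(rules, network, group):
    """Return the first rule, top of the list first, whose conditions match."""
    for rule in rules:
        if rule.network in (ANY, network) and rule.group in (ANY, group):
            return rule
    return None

def covers(upper, lower):
    """True if every request that matches `lower` also matches `upper`."""
    return (upper.network in (ANY, lower.network)
            and upper.group in (ANY, lower.group))

def shadowed_rules(rules):
    """Find stricter rules made unreachable by a broader, laxer rule above."""
    findings = []
    for i, lower in enumerate(rules):
        for upper in rules[:i]:
            if (covers(upper, lower)
                    and STRICTNESS[upper.action] < STRICTNESS[lower.action]):
                findings.append((upper.name, lower.name))
                break
    return findings

# Constructed rule lists: same two rules, two different priority orders.
MISORDERED = [
    Rule("Everyone, any network", ANY, ANY, "ALLOW"),
    Rule("Admins off network", "OFF_ZONE", "Admins", "CHALLENGE"),
]
REORDERED = [MISORDERED[1], MISORDERED[0]]

if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("reordered", REORDERED)):
        hit = evaluate(rules, "OFF_ZONE", "Admins")
        print(label, "->", hit.name, hit.action, "| shadowed:", shadowed_rules(rules))
```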

System Log events

The following System Log events are available to help identify and resolve authentication issues:

policy.evaluate_sign_on

  • This event returns the status of the user’s authentication attempt (success or failure). It provides authenticator enrollment information, including the authenticator type and instance that were used.
  • This event is activated when a user enters a code or responds to a push notification. It's not activated when a code or push notification is sent. See Multifactor authentication.

user.authentication.auth_via_mfa

  • This event returns global session policy or authentication policy evaluation information, like the application that the user accessed and the policy rule that matched. The sign-on policy may be evaluated multiple times during an authentication sequence.
  • This event can have Allow, Deny, and Challenge values. Challenge indicates that additional user authentication was required.

user.session.start

  • This event returns the status of a user's first authenticator verification attempt associated with establishing an Identity Provider session. If a user enters an incorrect authenticator, VERIFICATION_ERROR is returned.
  • This event is triggered after the primary authentication challenge is provided. It logs the user ID, session start time, and the authentication method used. It doesn't indicate that an access token was granted.

See System Log for more information.

Notes

  • The global session policy controls how long an overall session is valid, but the authentication policy controls re-authentication frequency.
  • An end user’s session expires according to the Maximum Okta global session idle time setting in the global session policy. After that, users must reauthenticate according to the authentication policy rules, regardless of whether they selected the Keep me signed in option when signing in.
