Manage app sign-in policy branches

Early Access release. See Enable self-service features.

You can create and monitor a branch of your app sign-in policy, allowing you to make changes to your app sign-in policies with confidence. By creating branches of your policies, you can draft policy changes, test them against real traffic without affecting users, and go live once you're sure the changes are right for your org. If needed, you can easily roll back to previous configurations.

Understand branches

Live branch
The set of policy rules currently being executed and enforced for end-user access.
Branch
A copy of the live policy that functions as a draft. Rules in a branch aren't enforced on users until the branch is promoted to live. They're evaluated, and the outcomes are logged when monitoring is enabled.
Branch history
A set of policy rules that were previously enforced and are now archived. Okta keeps a maximum of five branches in the branch history.
Monitoring
Allows the branch policy rules to be evaluated against active user traffic. Okta logs the results in the System Log, but doesn't enforce the rules, allowing you to view the impact of the changes before you deploy them.

Create a branch of an app sign-in policy

Create a branch of your app sign-in policy to begin editing a policy without impacting your production environment.

  1. In the Admin Console, go to Security > Authentication Policies .

  2. Click App sign-in.

  3. Select the policy that you want to create a branch of.

  4. On the policy page, click Create branch.

  5. In the Branch name field, enter a name for the branch.

  6. Click Create branch.

View your branches

Once you've created a branch of your policy, use the branch dropdown on the policy page to toggle between the Branch and Live branch views.

In the Branch view, you can add new rules, delete rules, and modify existing rules. Your changes remain isolated from the Live branch until you choose to promote them. For information about modifying your policy, see Add an app sign-in policy rule.

Monitor a branch

Enable monitoring on your branch to simulate how the policy rules in your branch would behave with real user traffic. This generates system logs for analysis without blocking or challenging users.

To enable monitoring on your branch, follow these steps:

  1. In the Admin Console, go to Security > Authentication Policies .

  2. Click App sign-in.

  3. Select a policy that has a branch.

  4. On the policy page, open the Branch view from the branch dropdown menu.

  5. Click Enable monitoring.

  6. Toggle on Monitor branch.

  7. From the Monitoring duration dropdown, select a duration. You can choose between 7, 14, 21, or 28 days.

  8. Click Enable.

You can monitor a branch for a maximum of 28 days. Monitoring automatically expires at the end of the selected duration. If you reach this limit and want to continue monitoring the branch, you need to re-enable monitoring. You can stop monitoring manually at any time by clicking Disable monitoring.

System Log events

When monitoring is enabled, Okta adds a target to policy.evaluate_sign_on events in the System Log with an AlternateId of Authentication policy branch.

Policy Insights Dashboard

When monitoring is enabled, you can view data from your branch on the Policy Insights Dashboard. For more information, see Use the Policy Insights Dashboard.

Promote a branch

When you're satisfied with your changes and monitoring results, you can promote your branch to make it the live policy.

  1. Open the Branch tab of your policy.

  2. Click Promote branch.

  3. Review the confirmation dialog.

  4. Optional. Enter a comment.

  5. Click Promote branch.

The branch immediately becomes the live branch. The previous live configuration is automatically saved to the branch's history.

Delete a branch

If you decide not to use your branch, you can delete it.

  1. Navigate to the Branch tab of your policy.

  2. Click Delete branch.

  3. Confirm the deletion in the dialog.

View the branch history

  1. Navigate to the policy.

  2. Click the Actions menu and select View branch history.

  3. View the rules and settings that were previously enforced. The following information is displayed:

    • The branch (policy) name as set by the admin

    • The date when this branch was last the live branch

    • Comment populated with notes from promoting the branch

Restore a branch

From the View branch history screen, select Restore this branch. Enter a comment and click Restore branch. The current live branch is immediately overridden with a copy of this historical branch. This effectively rolls back your configuration, and the current live branch is added to the branch history.

Related topics

Use the Policy Insights Dashboard

Create an app sign-in policy

Add an app sign-in policy rule