Configure bot protection for enforcement
Early Access release. See Enable self-service features.
Bot protection is disabled by default for orgs that use CAPTCHA, and is in Monitoring status for orgs that don't. Change the status to Enforced, then configure your detection and enforcement settings to use the feature.
Before you begin
Bot protection is only supported for sign-in, sign-up, and self-service password recovery flows through the Sign-In Widget. It requires Sign-In Widget version 7.40.3 or later.
To protect self-service password recovery flows, your global session policy must require a password to establish the session. Policies that require other factors aren't supported.
If your org uses a web application firewall (WAF) such as Cloudflare, Zscaler, or Fastly, you must configure it to pass the original client's IP address. Otherwise every request reaches Okta from the WAF's own address and the detection model can't tell clients apart.
- Configure X-Forwarded-For (XFF) HTTP headers on the WAF, so that the original client's IP address is appended to the XFF header of the HTTP request. This creates a chain of IP addresses, with the first IP being the real client. Okta can then see the full IP chain and use the client's IP in its bot detection model. Because any client can send its own X-Forwarded-For header, configure the WAF to discard or overwrite an incoming XFF value before it appends the client's address; if the WAF appends to a client-supplied header, the first entry in the chain is chosen by the client rather than observed by the WAF.
- Configure the WAF's IP addresses as trusted proxies in Okta. Okta then ignores the WAF's IP as the request source and instead looks at the first IP address in the XFF header to determine the true source of the request.
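The two-hop path described above (client, WAF, Okta), modeled as an added Python example. This is not Okta's code and not a description of Okta's internals. It assumes placeholder addresses from the RFC 5737 documentation ranges and a hypothetical trusted-proxy range for the WAF. `first_entry` applies the rule the page states (the direct peer is a trusted proxy, so the first XFF entry is the client); `rightmost_untrusted` is a general alternative rule shown for comparison only; the `sanitize` flag shows why the WAF should discard a client-supplied header before appending, and the `trusted=[]` case shows what the origin sees when the WAF is not registered as a trusted proxy.

```python
import ipaddress

# Constructed sample values from the RFC 5737 documentation ranges; none are real infrastructure.
CLIENT_IP = "198.51.100.7"      # the real client (TEST-NET-2)
WAF_IP = "203.0.113.10"         # the WAF's egress address as seen by the origin (TEST-NET-3)
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical trusted-proxy range for the WAF


def _split_chain(xff: str) -> list:
    """Split a comma-separated X-Forwarded-For value into its entries, left to right."""
    return [p.strip() for p in xff.split(",") if p.strip()]


def is_trusted(ip: str, trusted=None) -> bool:
    """True if ip falls inside one of the configured trusted-proxy networks."""
    nets = TRUSTED_PROXIES if trusted is None else trusted
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def waf_forward(incoming_headers: dict, peer_ip: str, sanitize: bool) -> dict:
    """Model the WAF hop: record the address the WAF saw (peer_ip) in X-Forwarded-For.

    sanitize=True  : discard any X-Forwarded-For the client sent, then append peer_ip,
                     so the header holds only addresses the WAF itself observed.
    sanitize=False : append peer_ip to whatever the client supplied.
    """
    headers = dict(incoming_headers)
    chain = [] if sanitize else _split_chain(headers.get("X-Forwarded-For", ""))
    chain.append(peer_ip)
    headers["X-Forwarded-For"] = ", ".join(chain)
    return headers


def first_entry(xff: str, remote_addr: str, trusted=None) -> str:
    """Rule stated on the page: when the direct peer is a trusted proxy, take the
    first X-Forwarded-For entry as the client; otherwise the peer itself is the client."""
    if not is_trusted(remote_addr, trusted):
        return remote_addr
    chain = _split_chain(xff)
    return chain[0] if chain else remote_addr


def rightmost_untrusted(xff: str, remote_addr: str, trusted=None) -> str:
    """General alternative rule (not Okta's): walk the chain from the peer leftward,
    skipping trusted proxies; the first address that is not a trusted proxy is the
    one the last trusted hop actually received the connection from."""
    if not is_trusted(remote_addr, trusted):
        return remote_addr
    for ip in reversed(_split_chain(xff)):
        if not is_trusted(ip, trusted):
            return ip
    return remote_addr


def resolve(client_headers: dict, sanitize: bool, trusted=None) -> tuple:
    """Send one request through the WAF hop and return
    (X-Forwarded-For as received by the origin, first-entry result, rightmost-untrusted result)."""
    headers = waf_forward(client_headers, CLIENT_IP, sanitize)
    xff = headers["X-Forwarded-For"]
    return xff, first_entry(xff, WAF_IP, trusted), rightmost_untrusted(xff, WAF_IP, trusted)


if __name__ == "__main__":
    # Honest client, WAF registered as a trusted proxy: both rules recover the client.
    print(resolve({}, sanitize=True))
    # Client supplies its own XFF and the WAF appends instead of overwriting:
    # the first entry is now client-chosen; the rightmost untrusted entry is not.
    print(resolve({"X-Forwarded-For": "192.0.2.99"}, sanitize=False))
    # WAF not registered as a trusted proxy: the origin attributes the request to the WAF.
    print(resolve({}, sanitize=True, trusted=[]))
```

Running the block prints one tuple per scenario. The second scenario is the one the sanitize requirement guards against: with an appending WAF and a client that sends its own header, the first-entry rule yields the client-chosen `192.0.2.99`, while a WAF that overwrites the header makes both rules agree on `198.51.100.7`.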
Start this task
- In the Admin Console, go to .
- Click the Detection and Response tab.
- Go to the Bot protection section.
- In the Status section, select Enforced.
- If you have CAPTCHA enabled, confirm that you understand that bot protection replaces your CAPTCHA integration.
- In the Detection settings, click Edit.
- Select a Detection threshold. The threshold sets how likely bot activity must be before an event is recorded:
  - High: Events are logged only when there's a high chance of bot activity.
  - Medium and above: Events are logged when there's a moderate or higher chance of bot activity.
  - Low and above: Events are logged when there's a small or higher chance of bot activity.
  - Any: Events are logged whenever there's any chance of bot activity.
- In the Protected flows menu, select the flows you want to protect.
- Leave the Enforcement settings set to Okta Challenge.
User experience
Changes in the user experience are minimal.
Bot protection starts when user credentials are submitted for authentication. Depending on the flow, that's when the user clicks Next, Sign up, or Change password. If bot protection is set to Monitoring, users don't notice any changes. If it's set to Enforced, users are presented with a brief "Verifying" message. Verified users continue to their dashboard, and requests that fail the verification are redirected to a 403 error page.
