Enforce Continuous Access

Early Access release

Continuous Access evaluates the authentication and global session policies to identify changes in session context after users authenticate to Okta.

When you enforce Continuous Access, users may be asked to authenticate more often. This may occur when Okta detects a violation, or if the user doesn’t meet the requirements of the global session or authentication policy when they sign in to Okta or an app. This is part of the protective function of this feature. Okta AI learns more about your users’ behavior over time, which may result in fewer requests to reauthenticate. If you see a consistently higher-than-normal number of authentication requests, contact Okta Support.

Before you begin

If you want to launch a Workflow when Okta detects policy violations and changes to users' sessions, create a delegated Workflow before you enforce Continuous Access. Only delegated Workflows are supported. See Workflows for Identity Threat Protection with Okta AI.

Configure Continuous Access

  1. In the Admin Console, go to SecurityAuthentication Policies.

  2. Click the Continuous Access tab.
  3. Click Edit.
  4. Click the Enforce policy toggle to activate this feature. When you activate this feature, the Enforced status tag appears at the top of the page.
  5. Configure the monitoring conditions. These conditions specify when the feature is enforced.
    ConditionDescription
    Groups impactedSelect an option to specify the user groups to monitor:
    • All groups: Monitor the session context of any group in your org.
    • The following groups: Specify which groups to include. Start entering text that matches the name of the group you want. Okta presents results that match what you entered. Click a group name to select it. Repeat this step to add more groups.
    Active user sessionsSpecify how Okta responds when it detects changes in the session context:
    • Configure an action if a policy violation is detected: Select an option:
      • Logout: Configure logout options if a policy violation is detected. The Apps impacted by action section appears.
      • Run a Workflow: Run a delegated Workflow if Okta detects a policy violation. The Workflow triggered by action section appears.

    The Enforced with action status tag appears at the top of the page when you select either of these options.

    Apps impacted by actionThese options appear when you select the Logout option for Active user sessions. Select one of these options to configure the apps that are impacted when Okta detects a policy violation:
    • All logout-enabled apps: Sign the user out of all apps that support Universal Logout.
    • The following apps: Sign the user out of apps that you specify. Click in the dropdown. Start entering text that matches the name of the app you want. Okta presents results that match what you entered. Click the app name to select it. Repeat this step to add more apps.
    • No apps; user is only logged out of Okta: Sign the user out of Okta but not any of their apps.

    Workflow triggered by action

    This option appears when you select Run a Workflow for Active user sessions. Click to select an existing delegated Workflow. Enter the name of the Workflow that you want and click the Workflow name to select it.

  1. Click Save.

Status indicator

The status indicator appears on the Continuous Access page and under the dashboard widget titles. It changes depending on how you’ve configured Continuous Access:

  • Monitoring: This status indicates that Okta is monitoring your org for violations, populating the dashboard widgets, and recording events to the System Log. You haven’t configured a response. This indicator only appears in gray.
  • Enforced: This status indicates that Okta is monitoring your org for access violations, populating the dashboard widgets, and recording events to the System Log. You haven’t configured a response. In addition, your policies are enforced, and users may be required to re-authenticate if Continuous Access detects an issue. This indicator only appears in green.
  • Enforced with action: This status indicates that Okta is monitoring your org for access violations, populating the dashboard widgets, and recording events in the System Log. You’ve configured Continuous Access to log users out of Okta or logout-enabled apps, or to launch a Workflow in response.

Related topics

Identity Threat Protection with Okta AI

Continuous Access widget

Continuous Access violation report