Enforce Post auth session

Post auth session evaluates the authentication and global session policies to identify changes in session context after users authenticate to Okta.

When you enforce Post auth session, users may be asked to authenticate more often. This may occur when Okta detects a violation, or if the user doesn’t meet the requirements of the global session or authentication policy when they sign in to Okta or an app. This is part of the protective function of this feature. Okta AI learns more about your users’ behavior over time, which may result in fewer requests to reauthenticate. If you see a consistently higher-than-normal number of authentication requests, contact Okta Support.

Before you begin

If you want to launch a Workflow when Okta detects policy violations and changes to users' sessions, create a delegated Workflow before you enforce Post auth session. Only delegated Workflows are supported. See Workflows for Identity Threat Protection.

Configure Post auth session

  1. In the Admin Console, go to Security > Authentication Policies.

  2. Click the Post auth session tab.
  3. Click Edit.
  4. Click the Enforce policy toggle to activate this feature. When you activate this feature, the Enforced status tag appears at the top of the page.
  5. Configure the monitoring conditions. These conditions specify when the feature is enforced.
    Condition | Description
    Groups impacted | Select an option to specify the user groups to monitor:
    • All groups: Monitor the session context of any group in your org.
    • The following groups: Specify which groups to include. Start typing the name of the group that you want. Okta presents results that match what you enter. Click a group name to select it. Repeat this step to add more groups.
    Active user sessions | Specify how Okta responds when it detects changes in the session context:
    • Configure an action if a policy violation is detected:
      • Logout: Configure logout options if a policy violation is detected. The Apps impacted by action section appears.
      • Run a Workflow: Run a delegated Workflow if Okta detects a policy violation. The Workflow triggered by action section appears.

    The Enforced with action status tag appears at the top of the page when you select either of these options.

    Workflow triggered by action

    This option appears when you select Run a Workflow for Active user sessions. Click to select an existing delegated Workflow. Enter the name of the Workflow that you want, and then click the Workflow name to select it.

  6. Click Save.

Status indicator

The status indicator appears on the Post auth session page and under the dashboard widget titles. It changes depending on how you’ve configured Post auth session:

  • Monitoring: This status indicates that Okta is monitoring your org for violations, populating the dashboard widgets, and recording events to the System Log. You haven’t configured a response. This indicator only appears in gray.
  • Enforced: This status indicates that Okta is monitoring your org for access violations, populating the dashboard widgets, and recording events to the System Log. You haven’t configured a response. In addition, your policies are enforced, and users may be required to re-authenticate if Post auth session detects an issue. This indicator only appears in green.
  • Enforced with action: This status indicates that Okta is monitoring your org for access violations, populating the dashboard widgets, and recording events in the System Log. You’ve configured Post auth session to log users out of Okta or logout-enabled apps, or to launch a Workflow in response.

Related topics

Identity Threat Protection with Okta AI

Post auth session violations widget

Session Violation Report