Add a network zone to Global Session Policies
You can add a network zone to Global Session Policies to manage network access.
- In the Admin Console, go to .
- Select the policy that you want to add rules to.
- Click Add Rule.
- In the Rule name field, add a descriptive name for the rule you want to create.
- Optional. In the Exclude users field, indicate which individual users of a group you want to exclude from the rule.
-
Indicate your conditions.
- If a user's IP is: Use the dropdown menu to assign location parameters. You can specify whether Anywhere, In zone, or Not in zone prompt authentication.
- Manage configuration for Network: Click the Manage Configurations for Network link to access your gateway settings that enable your choice of access. For more on gateway settings, see IP zones.
- And Authenticates via: Use this dropdown menu to specify the required means of authentication.
- And Risk is: Select a risk level of Low, Medium, or High to change the level of risk that is needed to match the rule. See Risk scoring.
- And Behavior is: Enter a behavior type or a named behavior see About behavior types.
- Then Access is...: Based on the authentication form of the previous dropdown menu, use this one to establish whether the condition allows or denies access.
- And primary factor is: Select Password / IDP or Password / IDP / any factor allowed by app sign on rules. To set up passwordless authentication, see Set up passwordless sign-in experience.
- And secondary factor: Indicate whether a secondary factor is required. Radio buttons appear that determine whether the prompt is triggered by a device, at every sign-on, or by a session time that you specify. Choosing Every Time doesn't allow end users to control MFA prompts.
- Manage configuration for Multifactor Authentication: Click the Manage Configurations for Multifactor Authentication link for quick access to the Authentication page and the Authenticators tab. See Authenticators and MFA Enrollment for details about each of the authentication options.
- Factor Lifetime: If you require a secondary factor, use this dropdown to specify how much time must elapse before the user is challenged again for the secondary factor. The default lifetime is 15 minutes, and the maximum period is six months.
- In the Maximum Okta global session idle time field, specify the maximum idle time before an authentication prompt is triggered. Five minutes before an end user's session expires, their dashboard displays a countdown timer and an option to extend their session. The default session lifetime is 2 hours, and the maximum allowed time is 90 days.
When you edit a network zone, wait approximately 60 seconds for the change to propagate across all servers and take effect.