Preset app sign-in policies
Okta provides preset app sign-in policies that you can apply to apps with standard sign-in requirements. Some preset policies require specific rule settings in your global session policy. Refer to the following tables for the configured rules in each policy.
Classic Migrated
If you upgraded from Classic Engine, your apps that used the default policy now use this policy.
| Catch-all rule | |
|---|---|
| IF conditions | Any |
| THEN Access is | Allowed |
| AND User must authenticate with | Any 1 factor type |
| Prompt for authentication | When an Okta global session doesn't exist |
Any two factors
This is the default policy for new orgs. When you add an app, it starts with this policy. You can't change the default to a different policy, but you can edit this policy as needed.
| Catch-all rule | |
|---|---|
| IF conditions | Any |
| THEN Access is | Allowed |
| AND User must authenticate with | Any 2 factor types |
| Prompt for authentication | After 12 hours |
Password only
This is a common use case that requires only a password for authentication.
| Catch-all rule | |
|---|---|
| IF conditions | Any |
| THEN Access is | Allowed |
| AND User must authenticate with | Password |
One factor access
This policy requires users to authenticate with email or SMS only.
| Catch-all rule | |
|---|---|
| IF conditions | Any |
| THEN Access is | Allowed |
| AND User must authenticate with | Any 1 factor type |
To use this policy, add a global session policy rule with the following settings:
- AND Establish the user session with: Any factor used to meet the Authentication Policy requirements
- AND Multifactor authentication (MFA) is: not required
Seamless access based on risk context
This policy requires users to authenticate with Okta FastPass.
| Rule 1: Low Risk | |
|---|---|
| IF conditions | Risk LOW |
| THEN Access is | Allowed |
| AND User must authenticate with | Any 1 factor type |
| AND Access with Okta FastPass is granted | Without the user approving a prompt in Okta Verify or providing biometrics |

| Rule 2: Medium Risk | |
|---|---|
| IF conditions | Risk MED |
| THEN Access is | Allowed |
| AND User must authenticate with | Any 1 factor type |
| AND Possession factor restraints are | Device bound (excludes phone and email) |

| Rule 3: High Risk | |
|---|---|
| IF conditions | Risk HIGH |
| THEN Access is | Allowed |
| AND User must authenticate with | Any 2 factor types |
| AND Possession factor restraints are | Device bound (excludes phone and email) |

| Catch-all rule | |
|---|---|
| IF conditions | Any |
| THEN Access is | Denied |
To use this policy, add a global session policy rule with the following settings:
- AND Establish the user session with: Any factor used to meet the Authentication Policy requirements
- AND Multifactor authentication (MFA) is: not required
Seamless access based on network context
This policy requires two factors if the user is off network.
| Rule 1: In network | |
|---|---|
| IF conditions | In zone LegacyIPZone |
| THEN Access is | Allowed |
| AND User must authenticate with | Any 1 factor type |

| Rule 1: Off network | |
|---|---|
| IF conditions | User not in zone LegacyIPZone |
| THEN Access is | Allowed |
| AND User must authenticate with | Any 2 factor types |

| Catch-all rule | |
|---|---|
| IF conditions | Any |
| THEN Access is | Denied |
To use this policy, complete the following settings:
- Configure the network zone and add your corporate / VPN IPs to the LegacyIPZone.
- Add a global session policy rule with the following settings:
  - AND Establish the user session with: Any factor used to meet the Authentication Policy requirements
  - AND Multifactor authentication (MFA) is: not required
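The two "Seamless access" presets above are ordered rule lists: Okta evaluates the rules top to bottom, applies the first one whose IF condition matches, and the catch-all at the bottom decides anything the earlier rules did not cover. The following example, added here and not Okta's own code or API, models that evaluation in plain Python for both the risk-context and the network-context presets, using the rule values from the tables on this page. The request context (a `risk` level and a set of matched `zones`) is a constructed dictionary standing in for what Okta derives from the sign-in attempt, and the `audit` helper is an assumption of what a reviewer would check: that a catch-all is present, last, and does not allow access with no factor.

```python
"""Ordered-rule model of Okta preset app sign-in policies (constructed example).

Not Okta's code. Rule values are taken from the policy tables on this page;
the request context is a plain dict built here for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Context = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Context], bool]   # the rule's IF condition
    access: str                          # THEN Access is: "ALLOW" or "DENY"
    factor_types: int = 0                # User must authenticate with: Any N factor types
    device_bound_only: bool = False      # Possession factor restraints: device bound
    fastpass_silent: bool = False        # FastPass granted without prompt or biometrics
    catch_all: bool = False              # IF conditions: Any


@dataclass(frozen=True)
class Decision:
    rule: str
    access: str
    factor_types: int
    device_bound_only: bool
    fastpass_silent: bool


def evaluate(policy: List[Rule], ctx: Context) -> Decision:
    """Return the outcome of the first rule whose condition matches the context."""
    for rule in policy:
        if rule.matches(ctx):
            return Decision(rule.name, rule.access, rule.factor_types,
                            rule.device_bound_only, rule.fastpass_silent)
    # Every preset on this page ends in a catch-all, so this should be unreachable.
    raise ValueError("no rule matched: policy has no catch-all rule")


def audit(policy: List[Rule]) -> List[str]:
    """Hypothetical reviewer checks for an ordered policy; returns a list of findings."""
    findings: List[str] = []
    if not policy or not policy[-1].catch_all:
        findings.append("last rule is not a catch-all")
    for rule in policy[:-1]:
        if rule.catch_all:
            findings.append(f"rules after catch-all '{rule.name}' are unreachable")
    if policy and policy[-1].catch_all and policy[-1].access == "ALLOW" \
            and policy[-1].factor_types == 0:
        findings.append("catch-all allows access with no factor")
    return findings


# "Seamless access based on risk context", encoded from the tables above.
RISK_CONTEXT_POLICY: List[Rule] = [
    Rule("Rule 1: Low Risk", lambda c: c.get("risk") == "LOW", "ALLOW", 1, fastpass_silent=True),
    Rule("Rule 2: Medium Risk", lambda c: c.get("risk") == "MED", "ALLOW", 1, device_bound_only=True),
    Rule("Rule 3: High Risk", lambda c: c.get("risk") == "HIGH", "ALLOW", 2, device_bound_only=True),
    Rule("Catch-all rule", lambda c: True, "DENY", catch_all=True),
]

# "Seamless access based on network context", encoded from the tables above.
NETWORK_CONTEXT_POLICY: List[Rule] = [
    Rule("In network", lambda c: "LegacyIPZone" in c.get("zones", set()), "ALLOW", 1),
    Rule("Off network", lambda c: "LegacyIPZone" not in c.get("zones", set()), "ALLOW", 2),
    Rule("Catch-all rule", lambda c: True, "DENY", catch_all=True),
]

# Constructed weak policy: a fail-open catch-all that the audit should flag.
FAIL_OPEN_POLICY: List[Rule] = [
    Rule("Catch-all rule", lambda c: True, "ALLOW", catch_all=True),
]


if __name__ == "__main__":
    for ctx in ({"risk": "LOW"}, {"risk": "MED"}, {"risk": "HIGH"}, {"risk": "UNKNOWN"}):
        print("risk  ", ctx, "->", evaluate(RISK_CONTEXT_POLICY, ctx))
    for ctx in ({"zones": {"LegacyIPZone"}}, {"zones": set()}):
        print("network", ctx, "->", evaluate(NETWORK_CONTEXT_POLICY, ctx))
    print("audit fail-open:", audit(FAIL_OPEN_POLICY))
```

A context whose risk level is neither LOW, MED nor HIGH falls through all three numbered rules and reaches the catch-all, which denies; that is the reason the presets end in a deny rather than an allow, and it is the check `audit` reproduces for any policy you model the same way.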
Related topics