Add Sign On policies for applications Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Add Sign On policies for applications
Published: Jan 31, 2018   -   Updated: Jun 22, 2018




Add Sign On policies for applications

You can add an app-based sign-on policy to allow or restrict access to applications.

Note: Some options described in this topic are Early Access features which may not be available in your org. To enable them, contact Okta Support.

By default, all Client options in the App Sign On Rule dialog box are pre-selected to allow users of all client types and platforms to access the app. To configure more granular access to the app, selectively apply conditions as you create one or more prioritized rules based on:

  • Who users are and/or the groups to which they belong
  • Whether they are on or off network or within a defined network zone
  • The type of client running on their device (Office 365 apps only)
  • The platform of their mobile or desktop device
  • Whether or not their devices are Trusted
Blacklist and whitelist approaches to creating Sign On policy rules

Typical approaches to creating and prioritizing rules often employ whitelist and blacklist concepts:

  • In a whitelist approach, you might do the following:
    1. Create one or more permissive rules to support the scenarios that will allow access to the app, then assign those rules the highest priority.
    2. Create a Deny catch-all rule that will apply to users who don't match the permissive scenarios you created in Step 1. Assign the Deny catch-all rule the lowest priority, just above Okta's Default Rule. The Default Rule is applied to users who don't match any of the more restrictive rules that have higher priority.
  • In a blacklist approach, you create one or more restrictive rules designed to deny app access to — or increase the authentication requirements for (MFA, Device Trust) — everyone except certain users/groups connected to a specified network or network range from specified client(s) and platform(s). Users able to pass through the restrictive rule(s) are then subject to the Default policy, which is designed to allow access to everyone.



SignOn_full modal_nonO365

  1. From the Administrative Dashboard, go to the Applications tab.
  2. Click Applications and find the desired app.
  3. Click the Sign On tab.Screenshot
  4. AppSignOnPolicy

  5. Scroll down to the Sign On Policy section.
  6. Create a rule:
    1. Click Add Rule.
    2. Enter a name in the Rule Name field.
    3. Decide to whom the rule will apply by selecting an option under the People section.
      • Users assigned this app – Specify the users who are assigned this specific app.
      • The following groups and users – Assign the rule to groups or specific users who have been assigned the app.
    4. To exclude specific groups and users from the policy rule, select Exclude the following users and groups from this rule and then specify groups and users.
  7. Specify the location to which you want to apply the policy. Available options are Anywhere, In Zone, or Not in Zone.
  8. If you select In Zone, enter the name of a zone. You configure zone names in Security > Network. For details, see Network.

  9. In the Client section, choose the conditions that you want to trigger the action(s) you configure in the Access section. Note: The Client section is not available for all apps.


    Client Access Policies (CAP) allow you to add different policies for different client types including adding MFA. However, some protocols do not support MFA even if you have MFA configured at the Okta login. Legacy protocols like POP/IMAP do not redirect to Okta for login and do not support MFA at the application level.

    If you do not want to allow logins to Microsoft 365 from protocols that do not support MFA, you need to add a deny all rule and then layer allow rules above for the protocols that you do want to support.

    • (Microsoft Office 365 apps only) Under If the user's client is any of these, select the client type(s) that you want to trigger the action(s) you configure in the Access section (Web browser or Modern Auth client). For details, see Configuring Rules for Office 365 Client Access Policies.
    • Under And the user's platform is any of these, select the mobile and/or desktop platforms that you want to trigger the action(s) you configure in the Access section.
  10. In the Device Trust section, specify the trust status of the device that you want to trigger the action(s) you configure in the Access section.

    Note: The Trusted and Not Trusted options are only selectable if Device Trust is configured in Security > Device Trust. Okta Device Trust determines devices to be trusted based on the presence of a trust signal (MDM enrollment; certificate; support for Universal Links).

  11. In the Access section, choose the Actions that you want to enforce based on the conditions you specified in the Conditions section:
    1. In the setting When all the conditions above are met, sign on to this application is select either Allowed or Denied.
    2. (SAML apps only) Select Prompt for re-authentication and specify how frequently users are prompted to re-authenticate. Re-authentication is available for all SAML apps on an app-by-app basis.

      Note: Because SWA apps do not support re-authentication, you cannot change the sign-on method from SAML to SWA if re-authentication is selected.

    3. Select Prompt for factor if you want to require users to choose an MFA option, and then specify how frequently you want users to be prompted. The Multifactor Settings link takes you to the Multifactor Authentication page, where you can choose your factor(s).
  12. Click Save.

Prioritize rules

Set rule precedence by clicking the blue arrows to set the priority number. A rule with a priority value of 1 has first priority and takes precedence over all other rules.

Manage rules

  1. To edit a rule, click the pencil icon and select the Edit rule option.
  2. To disable a rule, click the pencil icon and select the disable rule option.
  3. To delete a rule, click the X icon.Screenshot
  4. SignonForApps5

User experience

When users are blocked from an app, they are shown the following message:


Related topics

Getting Started with Office 365 Client Access Policies

Configure Okta Device Trust for managed Windows computers

Configure Okta Device Trust for Microsoft Office 365 Exchange ActiveSync for iOS devices