Global Authentication Sign On Policies vs. App level Sign On Policies Skip to main content
https://support.okta.com/help/answers?id=9062a000000xa6lqas&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Jon NaglieriJon Naglieri 

Global Authentication Sign On Policies vs. App level Sign On Policies

I have a question on Global Authentication Sign On Policies (with MFA) vs. App level Sign On Policies. 
  • With Global Sign On policies, it appears the MFA can be prompted per Device (which means certain groups of users can have MFA enforced only per device, by storage of the DeviceID on the device as either a cookie or HTML5 local storage).  I assume the deviceID is natively handled by the widget when the client is using the widget?  Do we have to perform special handling in the widget events to stored the DeviceID in the user’s browser?
  • With App level Sign On policies, it appears that the “per device” option is not available, and you can prompt the user on a specified frequency, only.  I noticed there is an “Only Once” option, but I assume that means only once from any device?
  • We can configure app-level MFA by itself or both global MFA and app-level MFA together. If we configure both, users are asked for the additional authentication factors when they sign into Okta and again when they sign into apps that we have configured for app-level MFA.
I wanted to confirm that if we want MFA triggered “contextually” by device, that the only option we have OOTB is to use the global sign on policy.  In this case, I’m not sure we can achieve “step-up” authentication between apps, but we can get as close to “per device” MFA triggers. 
 
Eugen DumitruEugen Dumitru (Okta, Inc.)
Hi Jon,
The deviceID should be handled by the Widget since no cookie was set during my test.
For handling devices you could do it by using the session API: https://developer.okta.com/docs/api/resources/sessions.html
You are correct App level Sign-on policy doesn't have Per Device prompt and to use global sign-on policies.

Thank you,
Eugen Dumitru