Authentication Policy Sharing Overview
Overview

The Okta Identity Engine (OIE) allows administrators to create and manage policies at the application level. While authentication policies (formerly called App Sign-on Policies) give admins powerful capabilities to make application access decisions using user, device, and other contextual information, managing these policies across hundreds of applications can become challenging and error-prone.

To solve challenges with creating, editing, and maintaining authentication policies at scale, OIE now allows admins to manage these policies using a centralized view. With this view, admins can create new policies and apply them to multiple apps. They can also evaluate what application access decisions are impacted by each policy, so they know the impact of the changes they are making.

In the OIE, each authentication policy can be shared with all the apps that need to be protected by the same conditions and assurance requirements. When the organization is upgraded to the OIE, duplicate policies will be automatically merged to make it easier to manage policies at scale.

Applies To
  • Okta Identity Engine (OIE)
  • Authentication Policy
Cause

Navigation change:

  • In Classic Engine, each app's sign-on policy is found under Application name > Sign On (tab).
  • In OIE, authentication policies are managed centrally under Security > Authentication Policies.
Solution

Managing authentication policies

Viewing policies

  1. To view all authentication policies, go to Security > Authentication Policies.

On this page, you can search for a policy, view an overview of the apps assigned to that policy, and make changes to these assignments.

[Screenshot: Authentication Policies page]

  2. It is also possible to view an individual policy that is assigned to an application from the Sign On tab for the specific application:

[Screenshot: Sign On tab for a specific application]

Creating and sharing a policy across multiple applications

To create a new authentication policy:

  1. Go to Security > Authentication Policies.
  2. Click Add a policy.

[Screenshot: creating a new authentication policy]

Updating authentication policies

  1. Every new policy created begins with a default Catch-all rule. After creating and naming this new policy, additional rules can be added, prioritizing them over the default.

[Screenshot: Catch-all rule]

  2. It is also possible to view or update the set of apps assigned to this policy:

[Screenshot: apps assigned to a policy]

  3. Finally, the policy assigned to an application can be updated directly from the application's Sign On tab:

[Screenshot: Sign On tab]


API changes

To share policies across multiple apps programmatically, use the following key APIs. NOTE: These APIs are not new; they are extensions to the existing Policy APIs that were released with Okta Identity Engine.

  1. Create a new policy.
     POST to /api/v1/policies with the following JSON object:

     {
       "type": "ACCESS_POLICY",
       "status": "ACTIVE",
       "name": "API Created Access Policy",
       "description": "This policy was created using Okta's APIs."
     }

  2. Assign an application to the newly created policy.
     PUT to /api/v1/apps/{appId}/policies/{policyId}.

     Only the application ID and the policy ID are needed; the PUT has no request body.

  3. Check that the application assignment was successful.
     GET /api/v1/apps/{appId}.

     The returned JSON body contains a link to the policy associated with the app:

     "accessPolicy": {"href": "https://orgid.oktapreview.com/api/v1/policies/rst2i3xsmgx0Azz0a1d7"}
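The three calls above as one script, added here as an example (not Okta's own code or tooling): it creates the policy, assigns each app with the body-less PUT, then reads the app back and checks that the policy ID at the end of the accessPolicy href is the one just created, failing loudly if an assignment did not take. The HTTP layer is pluggable so the script runs offline against an in-memory stand-in for an org; the org URL, the API token, the app and policy IDs, and the stand-in itself are constructed placeholders, and the location of the accessPolicy link inside the app object is searched for rather than assumed, since the article shows the link but not its nesting.

```python
"""Create one Okta authentication policy, assign several apps to it, and verify
each assignment. Constructed example: org URL, token, IDs and the in-memory
FakeOktaTransport are placeholders, not values from the article."""
import json
import urllib.error
import urllib.request


def urllib_transport(method, url, body, headers):
    """Real HTTP transport (assumes a live org and a valid SSWS API token)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def _find_key(obj, key):
    """Depth-first search for `key` in nested dicts/lists (first match wins)."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        obj = list(obj.values())
    if isinstance(obj, list):
        for item in obj:
            found = _find_key(item, key)
            if found is not None:
                return found
    return None


class OktaPolicyClient:
    def __init__(self, org_url, api_token, transport=urllib_transport):
        self.org_url = org_url.rstrip("/")
        self.headers = {"Authorization": f"SSWS {api_token}",
                        "Accept": "application/json", "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method, path, body=None):
        status, raw = self.transport(method, self.org_url + path, body, self.headers)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    def create_access_policy(self, name, description):
        # Step 1: POST /api/v1/policies with the ACCESS_POLICY object from the article.
        return self._call("POST", "/api/v1/policies", {
            "type": "ACCESS_POLICY", "status": "ACTIVE",
            "name": name, "description": description})

    def assign_app(self, app_id, policy_id):
        # Step 2: PUT /api/v1/apps/{appId}/policies/{policyId}; no request body.
        self._call("PUT", f"/api/v1/apps/{app_id}/policies/{policy_id}")

    def policy_for_app(self, app_id):
        # Step 3: GET /api/v1/apps/{appId}; the policy ID is the last path segment of accessPolicy.href.
        app = self._call("GET", f"/api/v1/apps/{app_id}")
        href = (_find_key(app, "accessPolicy") or {}).get("href")
        return href.rstrip("/").rsplit("/", 1)[-1] if href else None


def share_policy(client, name, description, app_ids):
    """Create one policy, assign every app to it, and verify each assignment."""
    policy_id = client.create_access_policy(name, description)["id"]
    for app_id in app_ids:
        client.assign_app(app_id, policy_id)
        seen = client.policy_for_app(app_id)
        if seen != policy_id:
            raise RuntimeError(f"app {app_id} reports policy {seen!r}, expected {policy_id}")
    return policy_id


class FakeOktaTransport:
    """Constructed in-memory stand-in for an org: three apps, none yet assigned."""
    def __init__(self):
        self.policies, self.calls = {}, []
        self.app_policy = {"0oaFAKEAPP0001": None, "0oaFAKEAPP0002": None, "0oaFAKEAPP0003": None}

    def __call__(self, method, url, body, headers):
        self.calls.append((method, url))
        auth = headers.get("Authorization", "")
        if not auth.startswith("SSWS ") or len(auth) <= len("SSWS "):
            return 401, b'{"errorSummary": "constructed: missing or empty API token"}'
        parts = url.split("/api/v1/", 1)[1].split("/")
        if method == "POST" and parts == ["policies"]:
            policy_id = f"rstFAKE{len(self.policies) + 1:04d}"
            self.policies[policy_id] = dict(body, id=policy_id)
            return 200, json.dumps(self.policies[policy_id]).encode()
        if method == "PUT" and len(parts) == 4 and parts[0] == "apps" and parts[2] == "policies":
            if parts[1] in self.app_policy and parts[3] in self.policies:
                self.app_policy[parts[1]] = parts[3]
                return 204, b""
        if method == "GET" and len(parts) == 2 and parts[0] == "apps" and parts[1] in self.app_policy:
            policy_id, links = self.app_policy[parts[1]], {}
            if policy_id:
                links["accessPolicy"] = {"href": f"https://example.okta.invalid/api/v1/policies/{policy_id}"}
            return 200, json.dumps({"id": parts[1], "_links": links}).encode()
        return 404, b'{"errorSummary": "constructed: not found"}'


if __name__ == "__main__":
    client = OktaPolicyClient("https://example.okta.invalid", "PLACEHOLDER_TOKEN",
                              transport=FakeOktaTransport())
    print(share_policy(client, "API Created Access Policy",
                       "This policy was created using Okta's APIs.",
                       ["0oaFAKEAPP0001", "0oaFAKEAPP0002"]))
```

To run it against a real org, construct the client without the `transport` argument and pass a real org URL and API token; the read-back check in `share_policy` is the part worth keeping, since a PUT that succeeds is not the same as the app actually reporting the intended policy.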

Frequently asked questions

  1. How many policies can I create within an Okta org?

Up to 5,000 policies can be created in an Okta org. However, the authentication policies list only displays up to 100 policies; policies beyond that can be found by searching by name or managed through Okta’s APIs.

  2. How many applications can I assign to a single policy?

There is no limit to the number of applications that can be assigned to a single policy.

  3. What will happen to my existing application policies when this feature is made available?

If the org is already on the Okta Identity Engine, there should be no impact to existing policies when the capability to share policies across applications becomes available. Each policy will appear as assigned to a single app, and these can then be selectively consolidated over time into a single policy applied to multiple apps.

If the org is running on Okta Classic Engine and is upgrading to Okta Identity Engine, Okta will attempt to consolidate identical app sign-on policies into one authentication policy. The consolidated authentication policy will then be assigned to the appropriate apps. Consolidated policies will appear on the Authentication Policies page with a “[Merged]” prefix (for example, “[Merged] App1 and App2”).

  4. What happened to the Okta Sign-on Policy?

The Okta Sign-on Policy (previously accessible at Security > Okta Sign-on Policy) has been renamed to Global Session Policy (accessible at Security > Global Session Policy). The new name clarifies that this policy establishes an Identity Provider (IdP)-wide session when one does not already exist. There are no other changes to what is already described in the Global session policies documentation.

  5. Why are certain policies not shareable?

While authentication policies can be shared across almost any OIDC or Okta Integration Network (OIN) app, the policies for the Okta Admin Console, Office 365, and a few other apps cannot be shared with other apps. The full set of Okta Identity Engine capabilities still applies to these apps. Also, when editing some policies (for example, for RADIUS apps), the Okta Classic Engine experience is still shown, as these policies have not been optimized for Okta Identity Engine.
