An error occurs when attempting to use a blocklist network zone in an Okta Classic application sign-on policy rule. This issue happens because blocklist zones block traffic at the network level before policy evaluation, making inclusion in a sign-on rule redundant. Resolve this by selecting a network zone not configured as a blocklist when creating application sign-on policy rules. When configuring the policy, the following error message appears:
Please review the form to correct the following error(s):
You cannot use the blacklist zones: <NETWORK_ZONE_ID> in policy rules.
- Okta Classic Engine
- Blocklist Network Zones
- Application Sign-On Policy
Why does the blocklist network zone cause an error?
Network zones that use the "Block access from IPs matching conditions listed in this zone" option always block traffic at the network and Internet Protocol (IP) level before the sign-on policy evaluation occurs. As a result, referring to a blocking zone in a sign-on policy rule is redundant.
How is the blocklist network zone error resolved?
Review the following instructions to resolve the policy rule error:
- Select a network zone that is not a blocklist network zone when configuring application sign-on policy rules.
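One way to catch this before saving a rule is to check the zone IDs a rule refers to against the zone list. This is an added example, not Okta's code. The zone records use the `id`, `name` and `usage` fields of the Okta Zones API (`usage` is `POLICY` or `BLOCKLIST`); the rule dictionary, the zone IDs and the function names are constructed for illustration.

```python
# Added example: pre-check the zone IDs a sign-on rule refers to.
# Zone records mirror the Okta Zones API fields id/name/usage.
# RULE is a simplified, constructed shape (assumption), not an Okta schema.

ZONES = [  # constructed sample data
    {"id": "nzoEXAMPLE0001", "name": "Corp Offices", "usage": "POLICY"},
    {"id": "nzoEXAMPLE0002", "name": "Blocked IPs", "usage": "BLOCKLIST"},
    {"id": "nzoEXAMPLE0003", "name": "VPN Egress", "usage": "POLICY"},
]

RULE = {  # constructed sample rule
    "name": "Require MFA off-network",
    "network": {
        "include": ["nzoEXAMPLE0001"],
        "exclude": ["nzoEXAMPLE0002", "nzoEXAMPLE0009"],
    },
}


def selectable_zones(zones):
    """IDs of zones that may be used in a policy rule (not blocklists)."""
    return [z["id"] for z in zones if z.get("usage") != "BLOCKLIST"]


def check_rule_zones(rule, zones):
    """Return (blocklist_refs, unknown_refs) as lists of (field, zone_id).

    blocklist_refs would trigger the "You cannot use the blacklist zones"
    error; unknown_refs are IDs absent from the zone list (stale or mistyped).
    """
    by_id = {z["id"]: z for z in zones}
    blocklist_refs, unknown_refs = [], []
    network = rule.get("network", {})
    for field in ("include", "exclude"):
        for zone_id in network.get(field, []):
            zone = by_id.get(zone_id)
            if zone is None:
                unknown_refs.append((field, zone_id))
            elif zone.get("usage") == "BLOCKLIST":
                blocklist_refs.append((field, zone_id))
    return blocklist_refs, unknown_refs


if __name__ == "__main__":
    blocked, unknown = check_rule_zones(RULE, ZONES)
    print("blocklist zones referenced:", blocked)
    print("unknown zone IDs:", unknown)
    print("zones safe to select:", selectable_zones(ZONES))
```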
