Admins can use network zones and policies to restrict access to Okta to a specific IP range (for example, the corporate network or VPN).
NOTE: This only blocks a session from being created. The login pages remain reachable, so denial-of-service attacks are still a risk with this configuration. To completely limit access to a specific list of IPs, please contact Okta Support.
- Network Zones
- Sign-On Policy
- Global Session Policy
Before configuring the policies, the allowed IPs must be added to a network IP zone. This is done in Security > Networks.
Okta Classic Engine
- Navigate to Security > Authentication > Sign On.
- Create a new Sign On Policy and assign it to the Everyone group (or target group).
- Create a rule that allows authentication if the request comes from within the configured network zone. This will be the first rule in the priority list.
- Create a second rule that denies access requests coming from outside the network zone. This will be the second rule in the evaluation priority list.
Okta Identity Engine
- Navigate to Security > Global Session Policy.
- Create a new policy and assign it to the Everyone group (or target group).
- Create a rule that allows authentication if the request comes from within the configured network zone. This will be the first rule in the priority list.
- Create a second rule that denies access for requests coming from outside the network zone. This will be the second rule in the evaluation priority list.
NOTE: It is highly recommended to create another policy, placed above the denying one, that allows at least one Super Administrator to access the tenant from anywhere. This provides a break-glass path in case the configured IP range becomes unreachable.
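The following is an added example, not Okta's code or part of this article, that models how the ordered rule list above decides whether a session may be created: a break-glass rule for a named admin group first, then "allow from inside the zone", then "deny from outside the zone". The zone CIDRs, group names and rule names are constructed placeholders, and the rule shape and the "no rule matched" default are simplifying assumptions of this model rather than Okta's documented evaluation engine. It also shows why rule order matters: a catch-all deny placed above the allow rule locks everyone out, including users inside the zone.

```python
"""Model of network-zone based session policy evaluation (added example).

Assumptions (not Okta's documented behaviour): rules are evaluated top to
bottom and the first matching rule wins; if no rule matches the model
denies (a conservative choice for a simulation only).
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class NetworkZone:
    """An IP network zone: a named set of CIDR ranges."""
    name: str
    cidrs: Tuple[str, ...]

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c) for c in self.cidrs)


@dataclass(frozen=True)
class Rule:
    """A simplified policy rule: optional group filter, optional zone
    condition (inside or outside a zone), and an ALLOW/DENY action."""
    name: str
    action: str                                  # "ALLOW" or "DENY"
    in_zone: Optional[NetworkZone] = None        # match only if IP is inside
    not_in_zone: Optional[NetworkZone] = None    # match only if IP is outside
    groups: FrozenSet[str] = frozenset()         # empty means Everyone

    def matches(self, user_groups: FrozenSet[str], ip: str) -> bool:
        if self.groups and not (self.groups & user_groups):
            return False
        if self.in_zone is not None and not self.in_zone.contains(ip):
            return False
        if self.not_in_zone is not None and self.not_in_zone.contains(ip):
            return False
        return True


def evaluate(rules: List[Rule], user_groups, ip: str) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches."""
    groups = frozenset(user_groups)
    for rule in rules:
        if rule.matches(groups, ip):
            return rule.action, rule.name
    return "DENY", "no rule matched"  # model default, see module docstring


# Constructed sample zone using RFC 5737 documentation ranges.
CORP_ZONE = NetworkZone("corp-and-vpn", ("203.0.113.0/24", "198.51.100.0/25"))

# Hypothetical rule names and group name; the order mirrors the article.
BREAK_GLASS = Rule("allow break-glass super admins anywhere", "ALLOW",
                   groups=frozenset({"break-glass-admins"}))
ALLOW_IN_ZONE = Rule("allow from corp zone", "ALLOW", in_zone=CORP_ZONE)
DENY_OUTSIDE = Rule("deny outside corp zone", "DENY", not_in_zone=CORP_ZONE)
CATCH_ALL_DENY = Rule("deny everyone", "DENY")  # no conditions at all

RECOMMENDED_ORDER = [BREAK_GLASS, ALLOW_IN_ZONE, DENY_OUTSIDE]
MISORDERED = [CATCH_ALL_DENY, ALLOW_IN_ZONE]   # deny evaluated before allow


if __name__ == "__main__":
    for ip, groups in [("203.0.113.10", {"Everyone"}),
                       ("192.0.2.5", {"Everyone"}),
                       ("192.0.2.5", {"Everyone", "break-glass-admins"})]:
        print(ip, sorted(groups), evaluate(RECOMMENDED_ORDER, groups, ip))
    print("misordered, in-zone:", evaluate(MISORDERED, {"Everyone"}, "203.0.113.10"))
```

Run it on a handful of constructed requests to confirm that the in-zone user is allowed, the out-of-zone user is denied, the break-glass admin is allowed from anywhere, and that the misordered list denies even the in-zone user.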
Related References
- Add a Global Session Policy Rule
- Configure an Okta Sign On Policy
- Network Zones
- How to Add IP Addresses from ThreatInsight to IP Allowlist in Network Zones
- Network zone allowlists for SSWS API tokens (February 2024)
