About Default Policies
Okta Classic Engine
Okta Identity Engine
Administration
Overview

This article provides information related to the Default policies found in Okta.

Applies To
  • Default Policy
Solution

Okta sign-on policies can specify actions to take for allowing access, such as prompting for a challenge and setting the time before prompting for another challenge.

Okta provides one default policy for each policy type, named Default. It is a required policy that applies to new applications by default or to any users to whom no other policy in the Okta org applies. This ensures that there is always a policy to apply to a user in all situations.

  • A default policy is required and cannot be deleted.
  • The default policy is always the last policy in the priority order. Any added policies of this type have higher priority than the default policy.

Default Policy 

  • The default policy always has one default rule that cannot be deleted. It is always the last rule in the priority order. New rules added to the default policy will have a higher priority than the default rule.


Okta Identity Engine (OIE) allows admins to vary authentication flows to applications based on group membership, device management, device posture, network zones, risk evaluation, user behavior, and more.

If an access request does not match any of the rules, it usually falls to the Default Catch-All rule. In most scenarios, the default catch-all rule will allow access if primary authentication (such as a password or access to an email inbox) is satisfied. This is the default setting to avoid locking legitimate admins/users out while the org is being configured.

Catch-All
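
As an added example (not Okta's code and not part of the original article), the following Python models the evaluation order described above on a constructed rule set and reports which populations fall through to the catch-all rule and are admitted on primary authentication alone. The rule fields (`groups`, `access`, `factorMode`, `system`, `priority`, `status`) and the skipping of inactive rules are assumptions of this simplified model, not Okta's API schema.

```python
# Added example: a simplified model of rule evaluation inside one policy.
# Field names are assumptions for illustration; the rules are constructed,
# not exported from a real Okta org.
RULES = [
    {"name": "Catch-all Rule", "system": True, "priority": 99, "status": "ACTIVE",
     "groups": None, "access": "ALLOW", "factorMode": "1FA"},
    {"name": "Admins need MFA", "system": False, "priority": 0, "status": "ACTIVE",
     "groups": {"admins"}, "access": "ALLOW", "factorMode": "2FA"},
    {"name": "Contractors (disabled)", "system": False, "priority": 1, "status": "INACTIVE",
     "groups": {"contractors"}, "access": "ALLOW", "factorMode": "2FA"},
]


def ordered(rules):
    """Active rules in evaluation order: admin-defined rules by priority,
    then the system (default) rule, which is always last."""
    active = [r for r in rules if r["status"] == "ACTIVE"]  # assumption: inactive rules are skipped
    return sorted(active, key=lambda r: (r["system"], r["priority"]))


def matching_rule(rules, user_groups):
    """Return the first rule that applies to the user's groups.
    The catch-all has no group condition (None), so it matches any request."""
    for rule in ordered(rules):
        if rule["groups"] is None or rule["groups"] & set(user_groups):
            return rule
    raise ValueError("no catch-all rule present")


def audit(rules, populations):
    """List populations that reach the catch-all and are allowed on one factor."""
    findings = []
    for label, groups in populations.items():
        rule = matching_rule(rules, groups)
        if rule["system"] and rule["access"] == "ALLOW" and rule["factorMode"] == "1FA":
            findings.append(f"{label}: falls to '{rule['name']}', "
                            "allowed with primary authentication only")
    return findings


if __name__ == "__main__":
    sample = {"admin": ["admins"], "contractor": ["contractors"], "ungrouped": []}
    for line in audit(RULES, sample):
        print(line)
```

In this constructed set, the disabled contractor rule means contractors reach the catch-all just as ungrouped users do, which is the kind of gap the check is meant to surface.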

 
