Using Okta Expression Language for Devices in Authentication Policy Rules
Overview
Okta Expression Language can be used to create a custom expression for devices in the Authentication Policy Rule.
Applies To
- Okta Identity Engine (OIE)
- Authentication Policy
- Authentication Rule
Solution
Okta Expression Language attributes can be used in the authentication policy rules to grant access to Okta or applications at a higher granularity.
When creating a custom expression referring to devices, please note the following requirements:
- Always use device.profile.registered == true to include device conditions in the custom expression.
- In general, device attributes can only be used if Okta FastPass is enabled.
Custom expressions for devices can use both the device attributes and the Okta Expression Language.
In this example, the custom expression uses device.profile.registered == true to specify that the device must be registered, and device.profile.displayName.substring(0,3).contains("X") to require that at least one of the first 3 characters of the device display name is the letter "X".
It is recommended to test the expression on a single application or a test user to prevent lockout scenarios.
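Before enabling such a rule, the expression can be dry-run against an export of device names to see which users would stop matching. The script below is an added example, not Okta code: it re-implements the two conditions from the expression above in Python over a constructed inventory. It assumes contains() is case-sensitive, and it flags display names shorter than 3 characters for manual review, because this article does not say how they are evaluated.

```python
# Constructed sample inventory; the keys mirror device.profile.registered and
# device.profile.displayName from the expression in this article.
DEVICES = [
    {"user": "alice", "displayName": "XPS-ALICE-01", "registered": True},
    {"user": "bob",   "displayName": "MBX-BOB-02",   "registered": True},   # X is 3rd char
    {"user": "carol", "displayName": "xps-carol",    "registered": True},   # lowercase x
    {"user": "dave",  "displayName": "LAPX-DAVE",    "registered": True},   # X is 4th char
    {"user": "erin",  "displayName": "XR-ERIN",      "registered": False},  # not registered
    {"user": "frank", "displayName": "X1",           "registered": True},   # under 3 chars
]


def evaluate(device, letter="X", width=3):
    """Return 'match', 'no-match' or 'review' for one device record."""
    # device.profile.registered == true
    if device.get("registered") is not True:
        return "no-match"
    name = device.get("displayName")
    # Missing or short names: behaviour is not stated in the article, so flag them.
    if not name or len(name) < width:
        return "review"
    # device.profile.displayName.substring(0,3).contains("X"), assumed case-sensitive
    return "match" if letter in name[:width] else "no-match"


def lockout_preview(devices):
    """Group users by whether any of their devices satisfies the expression."""
    by_user = {}
    for device in devices:
        by_user.setdefault(device["user"], []).append(evaluate(device))
    report = {"pass": [], "blocked": [], "review": []}
    for user, outcomes in sorted(by_user.items()):
        if "match" in outcomes:
            report["pass"].append(user)
        elif "review" in outcomes:
            report["review"].append(user)
        else:
            report["blocked"].append(user)
    return report


if __name__ == "__main__":
    for outcome, users in lockout_preview(DEVICES).items():
        print(f"{outcome}: {', '.join(users) or '-'}")
```

Users listed under blocked have no device that satisfies the expression and are the ones to check before the rule is applied beyond a test user or a single application.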
