
Configure a Global Session Policy for the Okta LDAP Interface


Overview

Administrators must configure a Global Session Policy or Global Sign-on Policy for users authenticating to the Okta LDAP interface to manage authentication requirements, multifactor authentication (MFA) prompts, and application access controls in both the Okta Identity Engine (OIE) and Okta Classic Engine.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Directories
  • LDAP Interface
  • Global Session Policy
  • Global Sign-on Policy

Solution

Watch the following video to learn how to navigate to the security settings, create a new policy assigned to specific groups, and configure the authentication rule for the LDAP interface in both Okta Identity Engine and Okta Classic Engine.

How is a Global Session Policy configured for the LDAP Interface in Okta Identity Engine (OIE)?

Navigate to the security settings to create a new Global Session Policy, assign it to specific groups, and configure the rule to authenticate via the LDAP interface.

  1. Navigate to Security > Global Session Policy.
  2. Select Add policy.
  3. Enter a policy name and an optional policy description.
  4. Under Assign to groups, choose the groups to include for this Global Session Policy.
  5. Select Create policy and add rule.
  6. On the Add Rule page, enter a rule name.
  7. Under Policy settings, locate AND Authenticates via and select LDAP interface from the dropdown menu.
  8. Choose additional policy settings as needed to limit the User source IP, the identity provider, the ThreatInsight behavior, and the ThreatInsight risk.
  9. Set Establish the user session with to A password.
  10. Choose whether Multifactor authentication (MFA) is Not required or Required.
  11. If MFA is required, set Users will be prompted for MFA to At every sign in.

NOTE: The LDAP interface only allows a password and certain additional factors, such as an Okta Verify Push. Other factors, such as Okta FastPass or Personal Identity Verification (PIV) / Common Access Card (CAC), cannot be used to authenticate to the LDAP interface.

 

Review the following image for an example of the configured policy settings.

Policy Settings
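
The following is an added example, not Okta's code: a Python check that reads sign-on rules exported as JSON and reports LDAP interface rules that deviate from steps 7, 10, and 11 above. The field names (`authContext.authType`, `requireFactor`, `factorPromptMode`) follow the Okta Policies API rule shape as an assumption to confirm against your own export, and the rule data is constructed.

```python
# Added example: audit sign-on rules for the LDAP interface settings above.
# Field names follow the Okta Policies API rule shape as an assumption;
# confirm them against a rule exported from your own org.

def rule(name, auth_type, require_factor, prompt_mode=None, status="ACTIVE"):
    """Build a constructed rule object for the sample data."""
    signon = {"access": "ALLOW", "requireFactor": require_factor}
    if prompt_mode:
        signon["factorPromptMode"] = prompt_mode
    return {"name": name, "status": status,
            "conditions": {"authContext": {"authType": auth_type}},
            "actions": {"signon": signon}}

# Constructed sample, not real org data.
SAMPLE_RULES = [
    rule("LDAP - MFA every bind", "LDAP_INTERFACE", True, "ALWAYS"),
    rule("LDAP - legacy apps", "LDAP_INTERFACE", False),
    rule("LDAP - per session", "LDAP_INTERFACE", True, "SESSION"),
    rule("LDAP - disabled draft", "LDAP_INTERFACE", False, status="INACTIVE"),
    rule("Default web sign-in", "ANY", True, "SESSION"),
]

def audit_ldap_rules(rules):
    """Return (rule name, finding) pairs for active LDAP interface rules."""
    findings = []
    ldap_rules = [
        r for r in rules
        if r.get("status") == "ACTIVE"
        and r.get("conditions", {}).get("authContext", {}).get("authType")
        == "LDAP_INTERFACE"
    ]
    if not ldap_rules:
        # Step 7 was never applied: no rule selects "LDAP interface".
        return [("(policy)", "no active rule authenticates via LDAP interface")]
    for r in ldap_rules:
        signon = r.get("actions", {}).get("signon", {})
        if not signon.get("requireFactor", False):
            findings.append((r["name"], "MFA not required (password only)"))
        elif signon.get("factorPromptMode") != "ALWAYS":
            mode = signon.get("factorPromptMode")
            findings.append((r["name"], f"MFA prompt mode is {mode}, not ALWAYS"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_ldap_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Inactive rules and rules that match any authentication type are skipped, so the report covers only what an LDAP bind is evaluated against.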

How is a Global Sign-on Policy configured for the LDAP Interface in Okta Classic Engine?

Access the authentication settings to add a new sign-on policy, assign the appropriate groups, and set the authentication rule for the LDAP interface.

  1. Navigate to Security > Authentication and select Sign On.
  2. Select Add New Okta Sign-on Policy.
  3. Enter a policy name and an optional policy description.
  4. Under Assign to groups, choose the groups to include for this Global Sign-on Policy.
  5. Select Create policy and add rule.
  6. On the Add Rule page, enter a rule name.
  7. Under Policy settings, locate AND Authenticates via and select LDAP interface from the dropdown menu.
  8. Choose additional policy settings as needed to limit the User source IP and the identity provider.
  9. Under Authentication, choose whether users authenticate using a Password or Password + Authenticator.

NOTE: The LDAP interface only allows a password and certain additional factors, such as an Okta Verify Push. Other factors, such as Okta FastPass or Personal Identity Verification (PIV) / Common Access Card (CAC), cannot be used to authenticate to the LDAP interface.

 

Review the following image for an example of the configured rule in Okta Classic Engine.

Okta Classic - Add Rule
