Enforcing Geographic Access Restrictions for Roaming Sessions in Okta
Overview

This article explains why users can still reach applications from blocked geographic locations even though restrictive policies are in place, and how to close the session-roaming bypass, in which a user's Internet Protocol (IP) address changes after the initial session has been established.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic
  • Global Session Policies
  • Authentication Policies
  • Dynamic Network Zones
  • Session Roaming
Cause

The Global Session Policy is evaluated only at sign-in, when the Okta session cookie is issued. If the user's IP address later changes (for example, the user connects through a VPN or travels to a blocked country), the Global Session Policy is not re-evaluated on subsequent application requests. Each request is instead governed by the application-level Authentication Policy; unless that policy contains an explicit rule denying the blocked Network Zone, the user keeps access on the strength of the existing valid session.

Solution

To prevent unauthorized access during roaming sessions, use one of the following methods, or both for defense in depth.

Option 1: Perimeter Block (Recommended)

This method blocks every request whose source IP matches the zone before any policy or existing session is consulted, so a session that has roamed into a blocked location gets no benefit from having authenticated earlier.

  1. Navigate to Security > Networks.
  2. Edit the Enhanced Dynamic Zone that lists the countries to deny (called "Blocked Countries" in this article). The blocking option in the next step is available only on Enhanced Dynamic Zones.
  3. Select the checkbox Block access from IPs matching conditions listed in this zone.
  4. Select Save.

Option 2: Layered Defense

This method adds the check to the application-level Authentication Policy, which is evaluated on every application access rather than only at sign-in, so a roaming session is re-checked against the blocked zone each time it touches an application.

  1. Navigate to Security > Authentication Policies.
  2. Select an active application policy.
  3. Select Add Rule and give the new rule Priority 1 so that it is evaluated before any rule that allows access.
  4. Configure the rule:
    • IF User is in Network Zone: "Blocked Countries"
    • THEN Access is: Denied
  5. Select Save.
  6. Repeat these steps for every active application policy; any policy without this rule remains exposed to the bypass.
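The two options above are manual console procedures, and Option 2 has to be repeated for every Authentication Policy. The following Python script is an added example, not code from this article or from Okta, that applies both through the Okta Management API: it creates or updates the "Blocked Countries" zone as a DYNAMIC_V2 (Enhanced Dynamic) zone with usage BLOCKLIST (the API equivalent of the "Block access from IPs matching conditions listed in this zone" checkbox), then adds a Priority 1 deny rule to every ACCESS_POLICY that does not already have one. It assumes OKTA_ORG and OKTA_API_TOKEN environment variables and the DYNAMIC_V2 and ACCESS_POLICY payload shapes from the Okta Management API; check the field names against your org's API reference before running it. The HTTP layer is a single injectable callable so the planning logic can be exercised offline.

```python
"""Enforce geographic restrictions for roaming sessions via the Okta
Management API (added example, not Okta's own tooling).

Assumptions (not from the article):
  - OKTA_ORG (e.g. https://example.okta.com) and OKTA_API_TOKEN are set.
  - Zone payload shape for type DYNAMIC_V2 and rule payload shape for
    type ACCESS_POLICY follow the Okta Management API reference.
"""
import json
import os
import urllib.request

BLOCKED_ZONE_NAME = "Blocked Countries"
DENY_RULE_NAME = "Deny Blocked Countries"


def okta_request(method, path, body=None):
    """Minimal Okta Management API call using SSWS API token auth."""
    org = os.environ["OKTA_ORG"].rstrip("/")
    req = urllib.request.Request(
        org + path,
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={
            "Authorization": "SSWS " + os.environ["OKTA_API_TOKEN"],
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def blocked_countries_zone(countries):
    """Option 1: Enhanced Dynamic Zone whose usage is BLOCKLIST, so requests
    from the listed ISO country codes are dropped at the perimeter regardless
    of any existing session."""
    return {
        "type": "DYNAMIC_V2",
        "name": BLOCKED_ZONE_NAME,
        "status": "ACTIVE",
        "usage": "BLOCKLIST",
        "locations": {"include": [{"country": c} for c in countries],
                      "exclude": []},
        "asns": {"include": [], "exclude": []},
        "ipServiceCategories": {"include": [], "exclude": []},
    }


def deny_rule(zone_id):
    """Option 2: Priority 1 authentication policy rule, IF in zone THEN DENY.
    Authentication policies are evaluated on every app access, so this also
    catches a session whose IP moved into the zone after sign-in."""
    return {
        "name": DENY_RULE_NAME,
        "type": "ACCESS_POLICY",
        "priority": 1,
        "status": "ACTIVE",
        "conditions": {"network": {"connection": "ZONE", "include": [zone_id]}},
        "actions": {"appSignOn": {"access": "DENY"}},
    }


def rule_denies_zone(rule, zone_id):
    """True if an existing rule already denies access from zone_id."""
    net = rule.get("conditions", {}).get("network") or {}
    access = rule.get("actions", {}).get("appSignOn", {}).get("access")
    return (net.get("connection") == "ZONE"
            and zone_id in net.get("include", [])
            and access == "DENY")


def policies_missing_deny(policies_with_rules, zone_id):
    """Given [(policy, rules)], return ids of active policies that still lack
    a deny rule for the zone. Pure function, testable without an org."""
    return [p["id"] for p, rules in policies_with_rules
            if p.get("status", "ACTIVE") == "ACTIVE"
            and not any(rule_denies_zone(r, zone_id) for r in rules)]


def enforce(countries, request=okta_request):
    """Apply Option 1 and Option 2. Returns (zone_id, [patched policy ids])."""
    zones = request("GET", "/api/v1/zones")
    existing = [z for z in zones if z["name"] == BLOCKED_ZONE_NAME]
    payload = blocked_countries_zone(countries)
    if existing:  # PUT replaces the zone; keep its id in the body
        payload = dict(payload, id=existing[0]["id"])
        zone = request("PUT", "/api/v1/zones/" + existing[0]["id"], payload)
    else:
        zone = request("POST", "/api/v1/zones", payload)
    zone_id = zone["id"]

    policies = request("GET", "/api/v1/policies?type=ACCESS_POLICY")
    with_rules = [(p, request("GET", f"/api/v1/policies/{p['id']}/rules"))
                  for p in policies]
    patched = []
    for pid in policies_missing_deny(with_rules, zone_id):
        request("POST", f"/api/v1/policies/{pid}/rules", deny_rule(zone_id))
        patched.append(pid)
    return zone_id, patched


if __name__ == "__main__":
    print(enforce(["KP", "IR"]))  # country list is illustrative
```

Run it against a test org first. A BLOCKLIST zone rejects matching requests before any policy runs, so confirm that none of your own administrative source addresses fall inside the zone before applying it, and re-run the script whenever a new Authentication Policy is created so that no policy is left without the deny rule.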