How Authentication Works for Okta Identity Engine Enabled Tenants
Overview

Okta Identity Engine is Okta's new authentication pipeline that provides valuable new features and a more flexible approach to authentication needs. Authentication in Okta Identity Engine-enabled tenants involves two main sequences controlled by Global Session Policies and Authentication Policies. Global Session Policies manage post-identification actions like access, challenges, and time limits. Authentication Policies validate user conditions for sign-in and enforce factor requirements, but they are not the same as application sessions.

This article provides a high-level introduction.

Applies To
  • Okta Identity Engine (OIE)
  • Global Session Policies
  • Authentication Policies
Solution

Authentication in Okta can be divided into two main sequences controlled by:

  • Global Session Policies 
  • Authentication Policies 



Global Session Policies

In Okta, global session policies control what happens after a user is identified. All users must have a valid global session policy. These policies determine actions like granting access, adding challenges, and setting time limits between challenges. The Global Session Policy is synonymous with the Okta session policy. 
 

These policies can be set to require specific authentication factors. There is a default policy for all users, allowing access with a password, Identity Provider (IdP), or any allowed factor. Policies can be customized or added as needed.

 


Authentication Policies

Every app in the organization has an Authentication Policy. Authentication policies validate whether users meet specific conditions before allowing sign-in and enforce factor requirements accordingly. Authentication Policies are not synonymous with the application session. They solely regulate the additional requirements imposed on users seeking access to connected applications and the frequency at which these requirements must be enforced. The Global Session Policy remains valid at the same time.

 

Though authentication policies may have similarities with global session policies, they serve different purposes.

At a very high level, Okta authentication can be illustrated by the following diagram:

Diagram 
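
A simplified model of the two sequences described above, added here as an illustration and not taken from Okta's code or API. All class names, fields, and the ALLOW / STEP_UP / DENY / SIGN_IN_REQUIRED outcomes are hypothetical, and times are plain minute counters.

```python
from dataclasses import dataclass, field
# Simplified model with hypothetical names; not Okta's implementation or API.

@dataclass
class GlobalSessionPolicy:
    allow: bool                 # grant or deny access after identification
    required_factors: int       # factors challenged to establish the session
    max_session_minutes: int    # time limit before the session must be re-established

@dataclass
class AuthenticationPolicy:     # one per app
    allowed_groups: set         # condition the user must meet to sign in
    required_factors: int       # factor requirement for this app
    reauth_minutes: int         # how often the requirement is enforced

@dataclass
class Session:
    user_groups: set
    created_at: int                                   # minute the session was established
    factor_times: dict = field(default_factory=dict)  # factor name -> minute last verified

def establish_session(gsp, groups, factors, now):
    """Sequence 1: the global session policy decides whether a session exists at all."""
    if not gsp.allow or len(factors) < gsp.required_factors:
        return None
    return Session(set(groups), now, {f: now for f in factors})

def access_app(gsp, app_policy, session, now):
    """Sequence 2: the app's authentication policy, evaluated on top of a valid session."""
    if session is None or now - session.created_at >= gsp.max_session_minutes:
        return "SIGN_IN_REQUIRED"          # no valid global session
    if not (session.user_groups & app_policy.allowed_groups):
        return "DENY"                      # user does not meet the app's conditions
    fresh = [f for f, t in session.factor_times.items()
             if now - t < app_policy.reauth_minutes]
    if len(fresh) < app_policy.required_factors:
        return "STEP_UP"                   # extra or repeated challenge for this app only
    return "ALLOW"

def demo():
    # Constructed sample policies and user, for illustration only.
    gsp = GlobalSessionPolicy(allow=True, required_factors=1, max_session_minutes=480)
    wiki = AuthenticationPolicy({"staff"}, required_factors=1, reauth_minutes=480)
    payroll = AuthenticationPolicy({"finance"}, required_factors=2, reauth_minutes=15)
    s = establish_session(gsp, {"staff", "finance"}, ["password"], now=0)
    results = [access_app(gsp, wiki, s, 10), access_app(gsp, payroll, s, 10)]
    s.factor_times["otp"] = 10             # user completes the step-up challenge
    results += [access_app(gsp, payroll, s, 12), access_app(gsp, payroll, s, 40)]
    return results + [access_app(gsp, wiki, s, 500)]
```

The same session yields different outcomes per app, and once the global session expires every app falls back to sign-in regardless of its own policy.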
