<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
How to Add Okta Expression Language in Authentication Policy Rules
Nov 4, 2025
Administration
Okta Classic Engine
Okta Identity Engine
Overview

The Authentication Policy rule offers the option to add a condition using Okta Expression Language.

add a condition using Okta Expression Language 

Applies To
  • Using Expression Language
  • Okta Identity Engine (OIE)
Solution

To add this condition, follow the next steps:

  • Log in to the Admin Dashboard.
  • Navigate to Security > Authentication Policies > App sign-in.

Authentication policies

  •  Select an existing policy or click Add a Policy.
  • Click Edit or Add Rule.
  • Locate The following custom expression is true section and add the expression.
    • For example, to "Restrict a rule to members of a certain group", use: 
      user.isMemberOf({'group.profile.name': 'Managers', 'operator': 'EXACT'})
    • To restrict a rule based on the user's profile attributes, such as department, state, or cost center, use: 
      user.profile.department == "Help Desk"
      • Or use a combination of conditions: 
        user.status == 'ACTIVE' && user.profile.department == "Help Desk" 


  • Save changes and test.


 


Related References


Recommended content
Still looking for help?
Loading
How to Add Okta Expression Language in Authentication Policy Rules