This article explains how to restrict or allow access to an Okta tenant based on location while also allowing a way to grant access to users who are traveling to other countries or need to gain access outside of the specified location.
- Network Zones
- Sign-On Policies
- Create a group by going to Directory > Groups > Add group. In this example, we will name it "Users on travel".
- To define a Dynamic Network Zone, from the Admin Dashboard, go to Security > Networks > Add Zone > Dynamic Zone > Name it "US Zone" or any other desired name > Locations = United States > Save.
- For orgs running on Okta Identity Engine (OIE), navigate to Security > Global Session Policy > Add policy.
- For orgs running on Okta Classic, navigate to Security > Authentication > Sign On > Add New Okta Sign-on Policy.
- Name the policy as desired (this example will use "Allow US traffic").
- Under Assign to Groups, select the Everyone group.
- Next, click on Create policy and add rule.
- A second screen will pop up. Name the rule as desired (this example will use "Allow US rule") and configure the rule's policy settings as follows:
- IF User's IP is = Not in zone, and select US Zone as the zone (as shown in the screenshot below).
- THEN Access is = Denied
- Click Create Rule.
- Move this policy to the top of the priority list.
- Create the second policy for traveling users:
  - Click again on Add New Okta Sign-on Policy.
  - Name the policy "Allow users on travel".
  - Under Assign to Groups, select Users on travel.
  - Click Create policy and add rule.
  - Name the rule "Allow travel rule".
  - THEN Access is = Allowed
  - Click Create rule.
NOTE: This policy should take precedence over the "Allow US traffic" policy in the priority list. The "Allow users on travel" policy should be at the top, followed by "Allow US traffic". Okta evaluates policies from top to bottom and applies the first policy whose group assignment includes the user, so if "Allow US traffic" (assigned to Everyone) sat above the travel policy, members of "Users on travel" would be caught by its deny rule before their own policy was ever considered.
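To show why the ordering in the note matters, the following is an added example (not code from the Okta article, and not Okta's own implementation) that models policy and rule evaluation and runs the article's two policies in both orders. It assumes the evaluation model described in the comments: policies are checked top-down, a policy applies if the user is in one of its assigned groups, the first matching rule inside that policy decides, and evaluation falls through to the next policy when no rule matches, with Okta's built-in Default Policy (Everyone, allow from anywhere) last.

```python
from dataclasses import dataclass
from typing import Optional

EVERYONE = "Everyone"  # implicit group every Okta user belongs to


@dataclass
class Rule:
    name: str
    access: str                      # "ALLOW" or "DENY"
    not_in_zone: Optional[str] = None  # if set, matches only when the IP is outside this zone

    def matches(self, ip_zones: set) -> bool:
        return self.not_in_zone is None or self.not_in_zone not in ip_zones


@dataclass
class Policy:
    name: str
    groups: set
    rules: list


def evaluate(policies, user_groups, ip_zones):
    """Return (policy name, decision) for one sign-in attempt under the assumed model."""
    members = set(user_groups) | {EVERYONE}
    for policy in policies:
        if not policy.groups & members:
            continue  # policy is not assigned to any of this user's groups
        for rule in policy.rules:  # first matching rule in the chosen policy decides
            if rule.matches(ip_zones):
                return policy.name, rule.access
    raise RuntimeError("no policy matched: the Default Policy must stay last")


# The article's two policies plus Okta's built-in catch-all (constructed sample data).
ALLOW_TRAVEL = Policy("Allow users on travel", {"Users on travel"},
                      [Rule("Allow travel rule", "ALLOW")])
ALLOW_US = Policy("Allow US traffic", {EVERYONE},
                  [Rule("Allow US rule", "DENY", not_in_zone="US Zone")])
DEFAULT = Policy("Default Policy", {EVERYONE}, [Rule("Default Rule", "ALLOW")])

RECOMMENDED_ORDER = [ALLOW_TRAVEL, ALLOW_US, DEFAULT]
WRONG_ORDER = [ALLOW_US, ALLOW_TRAVEL, DEFAULT]


def traveler_abroad(policies):
    """Member of 'Users on travel' signing in from an IP outside the US Zone."""
    return evaluate(policies, {"Users on travel"}, set())


def staff_abroad(policies):
    """Ordinary user (Everyone only) signing in from outside the US Zone."""
    return evaluate(policies, set(), set())


def staff_in_us(policies):
    """Ordinary user signing in from an IP inside the US Zone."""
    return evaluate(policies, set(), {"US Zone"})
```

In the recommended order the traveler is allowed by "Allow users on travel", while in the wrong order the same user is denied by "Allow US rule" before the travel policy is reached. Because the travel policy allows sign-in from any location, membership in "Users on travel" should be temporary and reviewed when the trip ends.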
Related References
- About Okta sign-on policies - Classic Engine
- Global session policies - Okta Identity Engine
- About dynamic zones
