IP Behavior in Okta Sessions and How to Handle Mid-Session IP Changes
Okta Identity Engine
Administration
Overview

Okta’s sign-on policies can restrict access based on IP addresses at the time of authentication. However, in certain cases, users may change their IP address mid-session (due to disconnecting from a VPN, for example). This article explains how Okta handles these scenarios and how to enhance session security using Continuous Access Evaluation (CAE). 

Applies To
  • IP Behavior in Okta Sessions
  • Authentication Policy
  • Mid-Session IP Changes
  • Continuous Access Evaluation (CAE)
  • Okta Identity Engine (OIE)
Cause

If an authentication policy is configured to only allow authentication from a specific IP range, and the user’s IP address changes during their session, the session remains valid. This applies to both SAML and OIDC flows, because:

  • The IP address is evaluated at the time of the initial authentication.
  • The session or access token remains valid post-authentication.
  • Okta does not automatically re-evaluate the user’s IP address after authentication unless explicitly configured.


This behavior is impacted by how re-authentication frequency is set in the sign-on policy:

  • Prompt for authentication "Every time user signs in to resource".
    • IP restrictions are evaluated on each login attempt.
  • Prompt for authentication “When Okta global session doesn’t exist”.
    • This option checks conditions only when there is no existing session, allowing sessions to persist longer without re-evaluation.
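As an added example (not part of the Okta article), the following Python script reads Okta System Log events and flags a user whose client IP changes within one Okta session, the situation the policy does not re-evaluate on its own, and notes whether the new IP still falls inside the allowed range. The sample events and the allowed range are constructed; the field names (`client.ipAddress`, `authenticationContext.externalSessionId`) follow the System Log schema, and the script assumes `externalSessionId` stays constant for the life of one Okta session.

```python
import ipaddress

# Constructed sample System Log events (not real data); published in UTC.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": "2024-05-01T09:00:00Z",
     "actor": {"id": "00u_alice"}, "client": {"ipAddress": "203.0.113.10"},
     "authenticationContext": {"externalSessionId": "sess_A"}},
    {"eventType": "user.authentication.sso", "published": "2024-05-01T09:20:00Z",
     "actor": {"id": "00u_alice"}, "client": {"ipAddress": "203.0.113.10"},
     "authenticationContext": {"externalSessionId": "sess_A"}},
    # VPN dropped: same Okta session, new IP outside the allowed range
    {"eventType": "user.authentication.sso", "published": "2024-05-01T09:45:00Z",
     "actor": {"id": "00u_alice"}, "client": {"ipAddress": "198.51.100.77"},
     "authenticationContext": {"externalSessionId": "sess_A"}},
]

# Constructed allowed egress range (the range a sign-on policy would permit).
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def ip_allowed(ip):
    """True if ip is inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RANGES)


def find_mid_session_ip_changes(events):
    """Return one finding per event whose client IP differs from the IP
    the same Okta session (externalSessionId) was first seen with."""
    first_ip = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["published"]):
        sid = ev.get("authenticationContext", {}).get("externalSessionId")
        ip = ev.get("client", {}).get("ipAddress")
        if not sid or not ip:
            continue
        if sid not in first_ip:
            first_ip[sid] = ip  # IP evaluated at initial authentication
            continue
        if ip != first_ip[sid]:
            findings.append({
                "user": ev["actor"]["id"], "session": sid,
                "from_ip": first_ip[sid], "to_ip": ip,
                "to_ip_in_allowed_range": ip_allowed(ip),
                "event": ev["eventType"], "at": ev["published"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_mid_session_ip_changes(SAMPLE_EVENTS):
        print(finding)
```

Feeding real System Log exports into `find_mid_session_ip_changes` gives a quick audit of how often sessions outlive the IP condition they were granted under, which helps decide whether CAE or a stricter re-authentication frequency is warranted.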
Solution

If maintaining strict IP-based session security is a requirement for the environment, consider enabling Continuous Access Evaluation (CAE) and/or adjusting re-authentication frequency settings in the sign-on policy to ensure more consistent IP checks.


Enable Continuous Access Evaluation (CAE)

CAE, also known as Session Protection with Identity Threat Protection (ITP), detects and responds to mid-session context changes such as a change of IP address.

  • When an IP or device context change is detected, ITP reevaluates the global session policy for the Okta session. It also reevaluates authentication policies (including device context conditions) for all active app sessions that are associated with the Okta session.
  • See Session protection with Identity Threat Protection for reference and more details.


Adjusting re-authentication frequency

Make sure the authentication policy is configured to prompt for authentication "Every time user signs in to resource".

  • It is also possible to configure policies using risk signals like:
    IF Risk is Medium AND security.behaviors.contains("Velocity")  
    THEN Allow access after successful authentication using any 2-factor method
