<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Okta SSPR: Successful Password Reset even Sign in policy denied access from the location
Jun 5, 2026
Okta Classic Engine
Okta Identity Engine
Administration
Overview

Okta restricts email subject line customization to simple variable substitution, such as ${user.profile.firstName}. While the email body supports Velocity Template Language for complex logic, the subject line does not support logic application by design. Administrators customizing email brand subject lines must rely solely on variable insertion.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Self-Service Password Reset (SSPR)
  • Network Zones
Cause

The SSPR authenticator policy rule in Okta leaves the user IP address setting as Anywhere instead of restricting it to approved network zones.

Solution

To resolve this issue, the SSPR authenticator policy rule must be configured to restrict password resets by network zone, rather than accepting requests from any IP address.

Step-by-Step Resolution

 

Follow these exact steps to implement the fix:

Step 1: Access the Admin Portal

  1. Log in to the Okta Admin portal.
  2. Use the administrator credentials.
  3. Please ensure authenticator policy management permissions are assigned.

 

Step 2: Navigate to Password Authenticator Settings

  1. In the top navigation menu, select Security.
  2. From the Security dropdown menu, select Authenticators.
  3. From the authenticators list, locate and click on Password.
  4. The Password authenticator settings page will open.

 

 

Step 3: Identify and Edit the Relevant Policy

  1. Click the Edit button next to the authenticator policy that users are hitting (the policy rule affecting the users).
  2. Review the list of policy rules displayed.
  3. Identify the specific rule that needs modification.
  4. Click the Edit button for that specific rule.

 

 

Step 4: Modify the User IP Address Setting

 

Current Misconfiguration

  • The "User IP is" setting should currently be set to anywhere or any.

 

 

Required Change

  1. Locate the "User IP is" field in the rule configuration.
  2. Change the setting from "anywhere" to "within network zone".
  3. Select the appropriate network zone(s) where SSPR should be allowed.
    • Choose the network zone(s) that match the security policy.
    • Typically, this should be the same zone(s) used for application access restrictions.

 

 

Step 5: Save Configuration

  1. Click the Save or Update button to apply the changes.
  2. Confirm the policy has been updated in the authenticators list.
  3. NOTE: Any timestamp indicating when the change was made.
    Edit rule  

 

Recommended content

Still looking for help?
Loading
Okta SSPR: Successful Password Reset even Sign in policy denied access from the location