
vywrg (vywrg) asked a question.
Hello everyone,
My organization is in the beginning stages of migrating from our CA SiteMinder-based authentication/WAM system to Okta.
One requirement for users in our system is that they must accept our organization's Terms of Service & Privacy Policy upon first login as part of initial user onboarding before they are allowed access to any applications within our platform. Once a user accepts the ToS and PP, we store that information in a user attribute in our directory, and that user will not be prompted with the ToS and PP upon any subsequent logins.
My question is, is it possible to implement similar functionality as part of our new user onboarding flow using Okta?

We had several discussions with Okta on this topic. That functionality is currently not part of the product. We even engaged professional services and the best solution we could come up with was a single-page OIDC app that displays a static web page with a single "Accept" button which, when clicked, sets a custom bool attribute to TRUE in the user's Okta profile. An Okta group rule includes all accounts where that custom attribute is not TRUE, and the group is used to assign users to the app (so once they accept, the rule drops them from the group and they get unassigned from the app). Lastly, the app itself is configured to launch automatically upon login for all assigned users. The downside of this solution is that there's no way to force users to accept, since they can just close the tab without clicking the button, which leaves them at their dashboard where they can launch their apps (unless you configure a sign-in policy on all your other apps to deny access to members of that group). Another downside is that the automatic launch of the app is treated as a pop-up in most browsers, so you have to have a solution for that (depends on your environment) or else your users will never see the TOS page. To work around that, we created a bookmark app that points to the embed URL of the OIDC app, giving users something to click on to launch the app if it gets blocked by the browser. It's not an ideal solution, by any means, but legal and HR signed off on it.
@k5fuw (k5fuw) Thanks for the information!
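An added sketch of the workaround described in the answer above (not code from the thread or from Okta): the profile update the "Accept" button's backend would send, and a local model of the "not TRUE" group rule showing why closing the tab only blocks access when the other apps deny the group. The attribute name `tosAccepted`, the org URL, user ID, token and sample users are all assumptions or constructed values.

```python
import json
import urllib.request

TOS_ATTR = "tosAccepted"  # assumed name of the custom boolean profile attribute


def build_accept_request(org_url, user_id, api_token):
    """Request the Accept button's backend would send to Okta.

    POST to /api/v1/users/{id} is a partial profile update, so only the
    ToS attribute changes. The request is built here, not sent.
    """
    body = json.dumps({"profile": {TOS_ATTR: True}}).encode()
    return urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/users/{user_id}",
        data=body,
        method="POST",
        headers={
            "Authorization": f"SSWS {api_token}",  # token stays server-side only
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def in_pending_group(profile):
    """Local model of the group rule: member unless the attribute is exactly TRUE.

    An unset attribute (a brand-new user) counts as not accepted.
    """
    return profile.get(TOS_ATTR) is not True


def access_decision(profile, deny_pending):
    """Outcome for any other app, with or without a deny rule on the group."""
    if in_pending_group(profile) and deny_pending:
        return "deny"
    return "allow"


# Constructed sample users: new (attribute unset), closed the tab, accepted.
USERS = {
    "new": {"login": "new@example.com"},
    "closed_tab": {"login": "tab@example.com", TOS_ATTR: False},
    "accepted": {"login": "ok@example.com", TOS_ATTR: True},
}

if __name__ == "__main__":
    for name, profile in USERS.items():
        print(name, access_decision(profile, False), access_decision(profile, True))
```

Without the deny rule, all three sample users reach their apps; with it, only the user whose attribute is TRUE does.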