Okta Classic Engine | Authentication | Answered | 2023-10-17 | 2021-07-29 | 2021-08-11

David Genenz (Customer) asked a question.

How do Global Sign on Policies and Individual App Sign on Policies Processing Order

Howdy,

I'm assuming this has already been answered, but I wasn't able to locate it, so I apologize if the answer is somewhere obvious. I believe I know the answer, but I'm looking for confirmation (or correction).

My understanding (or assumption) is that when someone is using Okta, access to Okta and any Okta applications will first be evaluated through the Global Sign on policies under Security > Authentication > Sign on. After that has occurred, any application launched or accessed would pass through that specific application's sign on policies.

I'm also assuming a specific application can't be made less restrictive than the global sign on policies, just more restrictive.

So if I set a rule in the general global sign on policies to require MFA when off the internal network for everyone, even if an application's sign on policy is set to the default of allow/anywhere/any client without MFA, if someone not currently logged into Okta tries to launch that application while off the internal network, they would still be prompted to authenticate to Okta and would be prompted for MFA. The individual app sign-on policies would NOT bypass the global settings.

Does that sound accurate? My testing pretty much confirms this, but I'm looking for additional confirmation or clarification if that's inaccurate.

Thanks in advance,

David


  • CosminM.25984 (Vendor Management)

    Hi David,

    Cosmin here, with Okta Support.

    When accessing an application (SP initiated flow in particular), the Okta Org Sign-On Policies will be evaluated first, then the Application Policies.

    The Application Policies cannot override Org ones, and yes, they allow granular configurations. This allows relaxed configurations on the org level and/or enhanced security for business critical/sensitive applications. One example would be a Device Trust setup on the application level, which cannot be enforced on the organization level.

    If a user first logs into Okta (end-user Dashboard) and is prompted for MFA, then accesses an application that is also enforcing an MFA prompt, the second prompt (app level) will not be triggered within a 5-minute interval since the Org access event.

    To summarize, Org level policies are prioritized over application policies.

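The evaluation order described in the question and the answer (org policy first, app policy only able to add requirements, and no second MFA prompt within 5 minutes of the org-level one), as an added illustrative model that is not Okta's code or the thread's own. Rule names, the `Session` fields and the sample policies are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed model of the order described in the thread (not Okta's implementation):
# the org sign-on policy is evaluated first, then the app sign-on policy, and the app
# policy can only add requirements, never remove org-level ones.
MFA_REUSE_WINDOW = timedelta(minutes=5)  # per the answer: no second MFA prompt within 5 min
T0 = datetime(2021, 7, 29, 16, 0)        # constructed reference time for the scenarios


@dataclass
class Rule:
    name: str
    on_network: Optional[bool]  # True = on internal network, False = off it, None = anywhere
    require_mfa: bool
    require_device_trust: bool = False  # meaningful at app level only, as the answer notes


@dataclass
class Session:
    authenticated: bool = False
    last_mfa_at: Optional[datetime] = None
    device_trusted: bool = False


def first_match(rules, on_network):
    """Rules are ordered by priority; the first whose network condition matches wins."""
    return next((r for r in rules if r.on_network in (None, on_network)), None)


def evaluate(org_rules, app_rules, session, on_network, now):
    """Return (allowed, prompts) for one access attempt, updating the session state."""
    prompts = []
    if not session.authenticated:
        prompts.append("password")
        session.authenticated = True
    org, app = first_match(org_rules, on_network), first_match(app_rules, on_network)
    # Requirements combine with OR: an app rule of "allow anywhere, no MFA"
    # cannot cancel an org rule that requires MFA.
    need_mfa = bool(org and org.require_mfa) or bool(app and app.require_mfa)
    if need_mfa:
        fresh = session.last_mfa_at is not None and now - session.last_mfa_at <= MFA_REUSE_WINDOW
        if not fresh:
            prompts.append("mfa")
            session.last_mfa_at = now
    if app and app.require_device_trust and not session.device_trusted:
        return False, prompts  # app-level device trust can tighten, never loosen, access
    return True, prompts


# Constructed sample policies matching the scenario in the question.
ORG = [Rule("off-network MFA", on_network=False, require_mfa=True), Rule("default", None, False)]
APP = [Rule("app default: allow anywhere, no MFA", None, False)]
```

Running `evaluate(ORG, APP, Session(), on_network=False, now=T0)` reproduces David's case: the app's permissive default still yields a password and MFA prompt because the org rule applies first.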
This question is closed.