
SvcBancsAPITestT.08169 (Customer) asked a question.
I want to ensure a group of users only accesses an application from a specific IP range, and be denied if they are not.
I have set up the network zone, call it Users_A
Set a sign on policy: Applies to User_Group_A
Location: In Zone Users_Zone_A
Access: Allowed.
Further down the default rule is Allow access to anyone assigned the app, which is valid as other groups of users have no restrictions.
If a user is assigned to User_Group_A, but is trying to access the app from outside Users_Zone_A, is the deny implied?
If the rules are cascading, and I can't edit the default, how do I ensure I deny the example above?

Hi Greg Howley,
In order to achieve the above scenario, you need to set a deny policy for the group User_Group_A, and it should be given the top priority among the sign-on policies.
Setting multiple policies with an allow condition will in no way restrict the users' access; hence at least one policy with a deny condition is a must for restricting access to the application.
Kindly upvote the answer, if you feel your query has been addressed. Thank you!
I don't think this addresses my use case.
This restricts users from logging into Okta, not just a specific app.
Users from Group A may also require access to other applications that have no restrictions
Hello @1sqqt (1sqqt),
Thanks for posting.
You can specify the order in which policies are executed and add any number of policies. If a policy in the list does not apply to the user trying to sign in, the system moves to the next policy.
You can specify any number of policies and the order in which they are executed.
In addition, the order in which you add policies is also important. The first policy that matches the rule is applied; no other policies will be applied once the conditions have been met.
There are Global and Individual sign-on policy actions.
Change the order of all policies except the default policy by grabbing the dotted bar next to the policy name, as shown to the left of policy 1 below, and moving the policy to the desired position in the list.
Additional information and tips can be found here:
https://help.okta.com/en/prod/Content/Topics/Security/policies/about-signon-policies.htm
https://help.okta.com/en/prod/Content/Topics/Security/policies/configure-signon-policies.htm
In your case, the Policy Users_A will be applied before the Default Policy, so the deny will be executed. As the first policy that matches all the rules is applied, then no other rules will be applied, including the default.
Let us know if this helps you.
Regards,
Natalia
Okta Inc.
Hi Greg Howley,
If the sign on needs to be restricted to the specific application, follow the below steps:
Please ensure to have right priorities set for the policies.
Enclosed are the snapshots with the policy conditions that can be made use of.
Exactly what I have tried, but the user logs into okta from the specific zone and the application appears locked.
Hi Greg Howley,
First of all, check whether the client's IP address is in the zone, and then check whether the client's IP address is shown in the logs. If the client uses a proxy, Okta will take the gateway IP. In this case you have to use X-Forwarded-For (XFF) to identify the original IP address. To enable that, you have to make a request to the Okta support team.
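To make the two points in this thread concrete (first-match evaluation of sign-on rules, so an allow rule never implies a deny, and the proxy case where the gateway IP rather than the client IP is what the zone condition sees), here is an added simulation. It is example code written for this page, not Okta's implementation or any Okta API; the zone CIDR, IP addresses, group names and the `trusted_proxies` handling are constructed assumptions, and the XFF handling mimics what the last reply describes (Okta using the gateway IP until XFF is enabled through support) rather than Okta's actual logic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed stand-in for the "Users_Zone_A" network zone (TEST-NET-3 range, assumed).
ZONES = {"Users_Zone_A": [ipaddress.ip_network("203.0.113.0/24")]}


@dataclass
class Rule:
    name: str
    action: str                          # "ALLOW" or "DENY"
    groups: Optional[Set[str]] = None    # None: applies to anyone assigned the app
    in_zone: Optional[str] = None        # None: any location


def in_zone(ip: str, zone: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ZONES[zone])


def rule_matches(rule: Rule, user_groups: Set[str], ip: str) -> bool:
    # Every configured condition must hold for the rule to match.
    if rule.groups is not None and not (rule.groups & user_groups):
        return False
    if rule.in_zone is not None and not in_zone(ip, rule.in_zone):
        return False
    return True


def evaluate(policy, user_groups: Set[str], ip: str) -> Tuple[str, str]:
    """First-match evaluation: the first rule whose conditions all hold decides;
    nothing after it, including the default rule, is consulted."""
    for rule in policy:
        if rule_matches(rule, user_groups, ip):
            return rule.action, rule.name
    return "DENY", "no rule matched"   # unreachable while a catch-all default is last


def effective_client_ip(remote_addr: str, xff: Optional[str], trusted_proxies) -> str:
    """The address the zone condition is checked against (assumed model).
    By default it is the connecting address, which behind a proxy is the gateway.
    Only when the connection comes from a trusted proxy and XFF handling is
    enabled do we take the client address that proxy appended (rightmost entry)."""
    if xff and remote_addr in trusted_proxies:
        return xff.split(",")[-1].strip()
    return remote_addr


# Policy as the question describes it: allow group A in the zone, then the default allow.
ALLOW_ONLY = [
    Rule("Users_A allow in zone", "ALLOW", groups={"User_Group_A"}, in_zone="Users_Zone_A"),
    Rule("Default", "ALLOW"),
]

# Corrected policy: an explicit deny for group A sits between the zone allow and the default.
WITH_DENY = [
    Rule("Users_A allow in zone", "ALLOW", groups={"User_Group_A"}, in_zone="Users_Zone_A"),
    Rule("Users_A deny elsewhere", "DENY", groups={"User_Group_A"}),
    Rule("Default", "ALLOW"),
]


def decide(policy, groups, remote_addr: str, xff: Optional[str] = None, trusted_proxies=()):
    ip = effective_client_ip(remote_addr, xff, trusted_proxies)
    return evaluate(policy, set(groups), ip)


if __name__ == "__main__":
    outside, inside, gateway = "198.51.100.7", "203.0.113.10", "198.51.100.1"
    print(decide(ALLOW_ONLY, ["User_Group_A"], outside))  # ('ALLOW', 'Default'): deny is not implied
    print(decide(WITH_DENY, ["User_Group_A"], outside))   # ('DENY', 'Users_A deny elsewhere')
    print(decide(WITH_DENY, ["User_Group_A"], inside))    # ('ALLOW', 'Users_A allow in zone')
    print(decide(WITH_DENY, ["Other_Group"], outside))    # ('ALLOW', 'Default')
    # Through a proxy the gateway IP is what gets checked, so an in-zone user is denied...
    print(decide(WITH_DENY, ["User_Group_A"], gateway, xff=inside))
    # ...until XFF from that trusted proxy is honoured.
    print(decide(WITH_DENY, ["User_Group_A"], gateway, xff=inside, trusted_proxies={gateway}))
```

The ordering matters only in that the group deny must precede the default rule; the same result is obtained by placing the deny first with a "not in zone" condition, as long as the default allow remains last and is reached only by users no earlier rule matched.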