
SvcBancsAPITestT.08169 (Customer) asked a question.
I have a custom application setup that is for CIAM.
Our clients are corps that have varying requirements.
- Some want to restrict their employees to only access our app from their corporate network, so I configured the sign-on policy to identify those users (by group membership), set up network zones for their public IPs and deny access for any members of said group that aren't coming from the zone.
- Some do not have those restrictions, so we enforce MFA based on group membership.
How do I create a policy that accounts for IP restriction and MFA? Note that I cannot combine groups or network zones. All clients must be segregated.
If *1 also wants MFA & I switch the deny to a prompt for MFA, does that mean that someone who is a group member but accessing the app from outside the defined zone will not have the policy applied and will get the default policy (which is allow because we have some clients with no restrictions at all)?

To clarify the question, you would like a single sign-on policy that is capable of handling both MFA & network zone logic? This is possible, yes.
Your policies might look something like this:
So keep in mind that policies are attached to specific groups, but you can have multiple rules within each. So for example, if client group 1 cannot log in from X zone but can log in from X zone if using MFA, that can be configured via rules underneath the appropriate policy.
Further, you can create additional policies that would apply to other client groups and their MFA or network zone needs.
Finally, Okta recommends the most restrictive policies/rules are placed at the top as they are processed down until one applies. Meaning, if user X is part of client group 1 & 2, ensure the most restrictive group policies are ordered first (therefore it is possible group 2 policies come before group 1 depending on your needs). Okta also suggests that the "default policy" is placed last in the order.
Hope that helps! Thanks.
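The evaluation order described in the answer, as an added example that is not part of the original thread or Okta's own code: a simplified model of group-scoped policies with ordered rules, showing that a client-1 member outside the corporate zone is handled by that policy's own "off-network" rule (MFA) rather than falling through to the default policy. The zone CIDRs, group names and the rule that a policy with no matching rule denies are assumptions of the example.

```python
# Added example: a simplified model of ordered, group-scoped sign-on policies
# with ordered rules, as the answer describes. Not Okta's code; the zone CIDRs,
# group names and the "no matching rule means deny" behaviour are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

@dataclass
class Rule:
    name: str
    action: str                       # "allow", "mfa" or "deny"
    in_zone: Optional[bool] = None    # None = rule does not test the network zone

@dataclass
class Policy:
    name: str
    groups: Set[str]                  # empty set = applies to everyone (default policy)
    zones: List[str]                  # constructed corporate public IP ranges
    rules: List[Rule] = field(default_factory=list)

    def applies_to(self, user_groups: Set[str]) -> bool:
        return not self.groups or bool(self.groups & user_groups)

    def in_zone(self, ip: str) -> bool:
        return any(ip_address(ip) in ip_network(z) for z in self.zones)

def evaluate(policies: List[Policy], user_groups: Set[str], ip: str) -> Tuple:
    """First policy whose group assignment matches the user wins (most
    restrictive ordered first); within it the first matching rule decides.
    Assumption: no matching rule in the selected policy means deny, not a
    fall-through to later policies."""
    for policy in policies:
        if not policy.applies_to(user_groups):
            continue
        zone_hit = policy.in_zone(ip)
        for rule in policy.rules:
            if rule.in_zone is None or rule.in_zone == zone_hit:
                return policy.name, rule.name, rule.action
        return policy.name, None, "deny"
    return None, None, "deny"

# Constructed setup mirroring the question: client 1 restricted to its zone
# (off-network now prompts for MFA instead of deny), client 2 MFA by group,
# and the permissive default policy ordered last.
POLICIES = [
    Policy("client1-network", {"client1"}, ["203.0.113.0/24"], [
        Rule("corp-network", "allow", in_zone=True),
        Rule("off-network", "mfa", in_zone=False),
    ]),
    Policy("client2-mfa", {"client2"}, [], [Rule("any", "mfa")]),
    Policy("default", set(), [], [Rule("catch-all", "allow")]),
]
```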