Okta Classic Engine | Authentication | Answered | 2024-02-01T08:51:34.000Z | 2023-02-23T10:18:09.000Z | 2023-02-24T17:22:23.000Z

andrewb.35481 (Customer) asked a question.

Authentication Policies - Using Expression Language to whitelist the Risk. Contradiction ?

Hello Community.

 

To avoid creating a number of rules we can use the expression language to whitelist LOW and MEDIUM risk. However, if I have "ANY" in the "Risk is" you might think they contradict each other.

 

If the Risk is HIGH the ANY rule would pass, however, the expression condition is LOW and MEDIUM.

 

What is best practice?

 

Note: After testing, this does not allow HIGH risk.

 



  • Hi @andrewb.35481 (Customer), Thank you for reaching out to the Okta Community!

     

    I definitely understand the need to simplify things, but the way I'm reading this is that the custom expression field is meant for additional options i.e. maybe add behaviors to the list, but it's not intended to be used in a way that conflicts with the above fields.  

    https://help.okta.com/oie/en-us/Content/Topics/identity-engine/policies/add-app-sign-on-policy-rule.htm

     

    That being said, without having the entire picture of your policies and the user's sign-in behavior and conditions, it's impossible for me to tell if what you are experiencing is expected or not. 

     

    If you continue to encounter issues with the configuration, I recommend that you open a case and work with one of our Support Engineers to clarify the matter. 

     

     

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

This question is closed.