
RobertC.79156 (Customer) asked a question.
I have a Global Session policy that is configured with "Any factor used to meet the Authentication Policy requirements" and MFA is not required. No Persistence.
I have an authentication policy set up with Possession factor only and constraints "Require user interaction". When I open up a new browser I am required to enter a password. Why do I need to enter a password when my authentication policy is set to "possession factor" only?

Hello @RobertC.79156 (Customer) ,
Did you check the logs to be sure that, when you open a new browser tab, it triggers the proper rule inside your authentication policy?
When you create an authentication policy you have a "Catch-all Rule" that is automatically created. (Maybe your user fell on this rule and not the one you created with no MFA and possession factor.)
Hello @RobertC.79156 (Customer), thank you for reaching out to our Community!
The reason for this is that with OIE, your password is also considered an MFA. Thus, when you log in, the password option will be asked and will be one of the options of MFA.
If you are looking to remove the password completely, I would recommend setting up the policy with Possession Factor; this way, authentication will happen without a need for a password.
Please also see our policy doc below:
https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/about-app-sign-on-policies.htm
The authentication policy is configured with Possession Factor, in this case Okta Verify with push. I have also checked and the correct policies are being applied. It works as expected in our Okta sandbox environment, but in prod we are always prompted for a password to log in to Okta.
This is the GSP being triggered:
access = "ALLOW"
authtype = "ANY"
behaviors = []
identity_provider = "ANY"
identity_provider_ids = null
mfa_lifetime = 0
mfa_prompt = null
mfa_remember_device = false
mfa_required = false
name = "Allowed - GSP Rule"
network_connection = "ANYWHERE"
network_excludes = null
network_includes = null
policy_id = "00p3rrf05szk5vzW5417"
primary_factor = "PASSWORD_IDP_ANY_FACTOR"
priority = 3
risc_level = "ANY"
session_idle = 180
session_lifetime = 5760
session_persistent = false
status = "ACTIVE"
users_excluded = []
This is the authentication policy being triggered:
access = "ALLOW"
constraints = ["{\"possession\":{\"deviceBound\":\"REQUIRED\"}}"]
custom_expression = null
device_assurances_included = null
device_is_managed = null
device_is_registered = null
factor_mode = "1FA"
groups_excluded = null
groups_included = null
inactivity_period = null
name = "AAL 2 - Unregistered Device"
network_connection = "ANYWHERE"
network_excludes = null
network_includes = null
policy_id = "rstaj2rr8doiUPych417"
priority = 4
re_authentication_frequency = "PT0S"
risk_score = "ANY"
status = "ACTIVE"
type = "ASSURANCE"
user_types_excluded = []
user_types_included = []
users_excluded = []
users_included = []
These are the correct policies, so I'm not sure as to why it is asking for a password.
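When comparing a working sandbox against prod, it helps to parse the rule dumps from the System Log debug data mechanically rather than eyeballing them. The following is an added example, not code from this thread or from Okta: it parses the key = value format pasted above (the sample below is copied from those dumps) and reports which rules fit a passwordless path. The function names are hypothetical, and the checks only cover the attributes visible on this page.

```python
import json

# Constructed sample: a subset of the two rule dumps posted above, in the same format.
GSP_DUMP = """
mfa_required = false
name = "Allowed - GSP Rule"
primary_factor = "PASSWORD_IDP_ANY_FACTOR"
session_persistent = false
"""
AUTHN_DUMP = """
constraints = ["{\\"possession\\":{\\"deviceBound\\":\\"REQUIRED\\"}}"]
factor_mode = "1FA"
name = "AAL 2 - Unregistered Device"
re_authentication_frequency = "PT0S"
"""

def parse_value(raw: str):
    """Values in the dump are JSON literals (strings, numbers, null, bools, lists)."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return raw  # leave anything unexpected as the raw text

def parse_rule(dump: str) -> dict:
    """Turn 'key = value' lines into a dict; blank lines are skipped."""
    rule = {}
    for line in dump.strip().splitlines():
        key, sep, raw = line.partition("=")
        if sep:
            rule[key.strip()] = parse_value(raw.strip())
    return rule

def constraints(rule: dict) -> list:
    """Each constraint is itself a JSON string inside the list, so decode twice."""
    return [json.loads(c) for c in (rule.get("constraints") or [])]

def possession_only(rule: dict) -> bool:
    """True when the rule is 1FA and every constraint names possession, never knowledge."""
    cons = constraints(rule)
    return (rule.get("factor_mode") == "1FA" and bool(cons)
            and all("possession" in c and "knowledge" not in c for c in cons))

def gsp_any_factor(rule: dict) -> bool:
    """True when the session rule accepts any factor and does not require MFA itself."""
    return (rule.get("primary_factor") == "PASSWORD_IDP_ANY_FACTOR"
            and rule.get("mfa_required") is False)

def diff_rules(a: dict, b: dict) -> dict:
    """Keys whose values differ between two environments' dumps of the same rule."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
```

Run `diff_rules(parse_rule(sandbox_dump), parse_rule(prod_dump))` on the same rule from both tenants to list exactly which attributes differ.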