<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z0000AFr0hhCQBOkta Identity EngineWorkflowsAnswered2024-09-24T17:46:08.000Z2024-09-23T15:37:19.000Z2024-09-24T17:46:08.000Z

CharlesG.99538 (Customer) asked a question.

September 23, 2024 at 3:37 PM
Which one has precedence , Authentication Sign-On Policy or Network Block Country Policy

Hello,

 

We created a Traveling Authentication Policy group that we apply to users who travel to different countries, it basically says if the ip is from anywhere etc. allow access

 

But we also have a Network Zone rule that blocks countries -- we haven't had much issues with users accessing OKTA overseas until last week. We had a user who we applied the Travel Auth group.. but could not get into OKTA (no user logs of any activity in OKTA that day) -- once we removed the said country from the Network Zone block rule , they were able to access

 

my question is , from our understanding, that the Authentication we created to allow the users from any IP supersedes the Network Zone block rules. is this accurate ?

  • 4 answers
  • 290 views

  • Mihai Negoita - Okta (Okta, Inc.)

    Yes, any user that tries to reach your site from an IP or zone that is marked as "IP block list" zone type in the Security/Networks section of the Okta Admin dashboard, will not get a chance to be evaluated via authentication policies.

    You can setup zones that are not marked for "blocking", then configure authentication policies that explicitly DENY access when users come from those zones. This however, would not prevent malicious attempts from potentially locking accounts due to multiple failed login attempts.

    Expand Post
    Selected as Best

  • Mihai Negoita - Okta (Okta, Inc.)

    Hi @CharlesG.99538 (Customer)​ , Thank you for reaching out to the Okta Community! 

     

    IPs added to the BlockedIpZone or custom IP/Dynamic Zones explicitly marked with the "Block access from IPs matching conditions listed in this zone" take precedence over authentication policies. User attempting to reach your Okta tenant URL will see a 403 error and will not get the option to attempt login.  

    Authentication policies are only evaluated once the user inputs credentials.  

     

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Expand Post

    • CharlesG.99538 (Customer)

      I really appreciate the reply! just to confirm -- that the network block countries/ip list supersedes any Authentication sign on policies

       

      • Mihai Negoita - Okta (Okta, Inc.)

        Yes, any user that tries to reach your site from an IP or zone that is marked as "IP block list" zone type in the Security/Networks section of the Okta Admin dashboard, will not get a chance to be evaluated via authentication policies.

        You can setup zones that are not marked for "blocking", then configure authentication policies that explicitly DENY access when users come from those zones. This however, would not prevent malicious attempts from potentially locking accounts due to multiple failed login attempts.

        Expand Post
        Selected as Best
This question is closed.
Loading
Which one has precedence , Authentication Sign-On Policy or Network Block Country Policy