On This Page

Before you begin

An Okta Sign-On Policy helps you control who can sign in and how a user is allowed to sign in to Okta, including whether they are challenged for MFA and how long they are allowed to remain signed in before re-authenticating. Additionally, you can configure App Sign-On Policies for each application for extra levels of authentication that you may want performed before an application can be accessed.

Add a rule to the Okta Sign-On Policy, for example, when you need to make sure that only users who are inside your corporate network can access your application, or you need to exclude certain roles in your organization from accessing it. Add a rule for an App Sign-On Policy, for example, to prompt groups that are assigned to your app to re-authenticate after 60 minutes. There is only one App Sign-On Policy, but you can add as many rules to it as you need.

You can specify any number of Okta Sign-On Policies and the order in which they are executed. If a policy in the list doesn't apply to the user trying to sign in, the system moves to the next policy. There is one required organization-wide policy named Default. By definition, the Default policy applies to all users.

In addition to the Default policy, which you can't delete, there may be another organization-wide policy named Legacy that is present only if you have already configured MFA. This policy reflects the MFA settings that were in place when you enabled your Sign-On Policy and ensures that no changes in MFA behavior occur unless you modify your policy. If needed, you can delete it.

Note: See Policies for an overview of the supported Okta policies and how they work.

Configure sign-on policies for common scenarios

This guide provides step-by-step instructions to configure an Okta Sign-On Policy and an App Sign-On Policy for two of the most common scenarios:

This guide assumes that you:


If you need help or have an issue, post a question on the Okta Developer Forum (opens new window).