Configure an app sign-on policy
App sign-on policies allow or restrict access to applications. To set up an app sign-on policy:
- In the Admin Console, go to .
- Click the desired app.
- Click the Sign On tab.
- Scroll down to the Sign On Policy section.
- Create a rule:
- Click Add Rule.
- Enter a name in the Rule Name field.
- Decide to whom the rule applies by selecting an option under the People section.
- Users assigned this app: Specify the users who are assigned this specific app.
- The following groups and users: Assign the rule to groups or specific users who have been assigned the app.
- To exclude specific groups and users from the policy rule, select Exclude the following users and groups from this rule. Then specify groups and users.
- Configure Conditions:
- (Microsoft Office 365 apps only.) In If the user's client is any of these, select the client types that you want to trigger the actions you configure in the Actions section (Web browser or Modern Auth client). For details, see the Client section in Office 365 Client Access Policies.
- In And the user's platform is any of these, select the mobile and/or desktop platforms that you want to trigger the actions you configure in the Access section.
- Configure the Actions that you want to enforce based on the conditions you specified in the Conditions section:
- In the setting When all the conditions above are met, sign on to this application is select either Allowed or Denied.
- (SAML apps only) Select Prompt for re-authentication and specify how frequently you want users to be prompted to re-authenticate. The time period that you specify begins from the moment the user last authenticated into Okta.
Note:
- A 10-second grace period applies after a user authenticates with their password. During this grace period, users aren't prompted for their password again if Every sign-in attempt is selected under Re-authentication frequency.
- This feature is available for all SAML-configured apps.
- Because SWA apps don't support re-authentication, you can't change the sign-on method from SAML to SWA if re-authentication is selected.
- Select Prompt for factor to require users to choose an MFA option, and specify how frequently you want users to be prompted. The Multifactor Settings link takes you to the Multifactor Authentication page, where you can choose your factors.
- Click Save.
Location: Specify the location to which you want the policy to apply. Available options are Anywhere, In Zone, or Not in Zone.
If you select In Zone, enter the name of a zone. You configure zone names in Security > Network. See Network zones and Dynamic zones.
Client: Choose the conditions that you want to trigger the actions you configure in the Access section:
Device Trust: Specify the trust status of the device that you want to trigger the actions you configure in the Access section. The Trusted and Not Trusted options are only selectable if Device Trust is configured in Security > Device Trust. Okta Device Trust determines devices to be trusted based on the presence of a trust signal (MDM enrollment; certificate; support for Universal Links).
Access:
Prioritize rules
Set rule precedence by clicking the blue arrows to set the priority number. A rule with a priority value of 1 has first priority and takes precedence over all other rules.
Manage rules
- To edit a rule, click the pencil icon and select the Edit rule option.
- To disable a rule, click the pencil icon and select the disable rule option.
- To delete a rule, click the X icon.
User experience
If a user is blocked from an app, the following message appears:
Access to this application isn't allowed at this time due to a policy set by your administrator.
If you're wondering why this is happening, please contact your administrator.
If it's any consolation, we can take you to your Okta home page.
Related topics
Configure an Okta sign-on policy