Multiple matching Sign On Policies---Which one wins?

drs · April 8, 2021, 8:23pm

Under Security → Authentication → Sign On I can create several Okta Sign-on Policies. I can change the order of these policies by dragging them up and down. If a user logging in matches multiple policies and the policies enforce conflicting rules. For example, if the first policy in the list has “Session expires after” set to 30 minutes but the second policy in the list has “Session expires after” set to 60 minutes, if a user logs in and matches both policies, how long will their session last?

Is there ever a scenario where behavior from both policies would be enforced or is it always one policy that gets enforced?

andrea · April 8, 2021, 8:26pm

If the user logging in meets the criteria set for the first sign on policy (say, based on their group membership), ONLY that policy will be evaluated/applied to them and all subsequent policies/rules will be ignored. So yes, only one policy will be enforced. You may want to read our concept doc on how our policies work.

system · April 9, 2021, 8:27pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
In what order does all the policies get applied during a Auth Code flow? Questions	1	2683	February 12, 2024
Session Expiration using the Org Authorization Server (OIDC) OAuth/OIDC dotnet , api	2	8128	January 12, 2024
Testing Okta New Device Behaviour policy Questions	2	3575	September 23, 2020
How do I detect a Factor expiration using OKTA APIs API api	4	3555	June 9, 2021
Access App Specific Sign On Policy via API OAuth/OIDC	2	4564	January 17, 2024

Multiple matching Sign On Policies---Which one wins?

Related topics