Multiple matching Sign On Policies---Which one wins?

Under Security > Authentication > Sign On I can create several Okta Sign-on Policies. I can change the order of these policies by dragging them up and down. Suppose a user logging in matches multiple policies and the policies enforce conflicting rules. For example, if the first policy in the list has “Session expires after” set to 30 minutes but the second policy in the list has “Session expires after” set to 60 minutes, if a user logs in and matches both policies, how long will their session last?

Is there ever a scenario where behavior from both policies would be enforced or is it always one policy that gets enforced?

If the user logging in meets the criteria set for the first sign on policy (say, based on their group membership), ONLY that policy will be evaluated/applied to them and all subsequent policies/rules will be ignored. So yes, only one policy will be enforced. You may want to read our concept doc on how our policies work.
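
The first-match behaviour described in the answer above, as an added example that is not part of the original thread and is not Okta's code: a simplified model in which each policy matches on group membership only, used to find users for whom a stricter policy lower in the list never applies. The policy names, groups, users and session values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset      # assumption: a policy matches members of any listed group
    session_minutes: int   # the "Session expires after" value

# Constructed sample data, in priority order (top of the list first).
POLICIES = [
    Policy("Contractors", frozenset({"contractors"}), 30),
    Policy("Engineering", frozenset({"engineering"}), 60),
    Policy("Admins", frozenset({"admins"}), 15),
    Policy("Default", frozenset({"everyone"}), 120),
]
USERS = {
    "alice": {"everyone", "contractors", "engineering"},
    "bob": {"everyone", "engineering", "admins"},
    "carol": {"everyone"},
}

def matching(policies, user_groups):
    """All policies the user matches, kept in priority order."""
    return [p for p in policies if p.groups & set(user_groups)]

def effective(policies, user_groups):
    """The first match in list order is the only policy applied."""
    hits = matching(policies, user_groups)
    return hits[0] if hits else None

def shadowed_stricter(policies, users):
    """Report (user, winning policy, ignored policy) where the ignored,
    lower-priority policy has a shorter session than the one that wins."""
    findings = []
    for user, groups in sorted(users.items()):
        hits = matching(policies, groups)
        for ignored in hits[1:]:
            if ignored.session_minutes < hits[0].session_minutes:
                findings.append((user, hits[0].name, ignored.name))
    return findings

if __name__ == "__main__":
    for user, groups in sorted(USERS.items()):
        winner = effective(POLICIES, groups)
        print(f"{user}: {winner.name} ({winner.session_minutes} min)")
    for user, winner, ignored in shadowed_stricter(POLICIES, USERS):
        print(f"review: {user} gets '{winner}', stricter '{ignored}' is never applied")
```

A finding here means the stricter policy should be moved above the one that currently wins, or the group assignments should be adjusted so the user matches only the intended policy.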
