Authentication

Applicability

This rule can be applied to Resource Policies or Network Sign In Policies. The Admin Console's authentication policy cannot be edited.

Functionality

This rule lets you set how often users must re-authenticate. For example, if a user attempts to access a Resource whose authentication rule is set to 6 hours and they have not authenticated in the past 6 hours, they will be prompted to authenticate.

Note that we cannot control how your identity provider handles this authentication, and some providers may not require a user to re-enter their password or provide any other credentials. If it is important that your users actively re-authenticate within each authentication session period, we recommend that you configure your IdP to require passwords every time a user authenticates.

If a user has authenticated within the time window, they will not need to re-authenticate, even against a different Security Policy. For example, if the Network Sign In Policy is 1 day and a Resource Policy is set to 6 hours, a user who logs in and then tries to access the Resource will not be required to authenticate twice, but will be prompted if they try to access it more than 6 hours after sign-in.
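
The following is an added example, not product code: it models the behavior described above as a single last-authentication timestamp that every Security Policy compares against its own window. The Session class, the replay function and the timeline are hypothetical and constructed for illustration; only the 1 day and 6 hour windows come from the example above.

```python
from datetime import datetime, timedelta

# Windows taken from the page's example; the names are labels only.
NETWORK_SIGN_IN = timedelta(days=1)
RESOURCE_POLICY = timedelta(hours=6)
START = datetime(2024, 1, 1)  # constructed start time


class Session:
    """Hypothetical model: one last-authentication timestamp per user,
    shared by every Security Policy that is evaluated."""

    def __init__(self):
        self.last_auth = None

    def needs_prompt(self, window, now):
        # Prompt when the user has never authenticated or the most recent
        # authentication is older than this policy's window.
        return self.last_auth is None or now - self.last_auth > window

    def access(self, window, now):
        """Evaluate one policy; return True if the user was prompted."""
        prompted = self.needs_prompt(window, now)
        if prompted:
            self.last_auth = now  # assumption: the IdP round trip succeeds
        return prompted


def replay(events, start=START):
    """Replay (hours_after_start, label, window) events in order."""
    session = Session()
    results = []
    for hours, label, window in events:
        prompted = session.access(window, start + timedelta(hours=hours))
        results.append((hours, label, prompted))
    return results


# Constructed timeline, not real log data.
EVENTS = [
    (0, "network sign-in", NETWORK_SIGN_IN),   # first sign-in: prompted
    (1, "resource", RESOURCE_POLICY),          # within 6 h: no prompt
    (7, "resource", RESOURCE_POLICY),          # 7 h since sign-in: prompted
    (12, "resource", RESOURCE_POLICY),         # 5 h since re-auth: no prompt
    (30, "network sign-in", NETWORK_SIGN_IN),  # 23 h since re-auth: no prompt
    (32, "resource", RESOURCE_POLICY),         # 25 h since re-auth: prompted
]

if __name__ == "__main__":
    for hours, label, prompted in replay(EVENTS):
        print(f"t+{hours:>2}h {label:<16} {'PROMPT' if prompted else 'ok'}")
```

The t+30h row shows the consequence for session lifetime: the re-authentication triggered by the 6 hour Resource Policy at t+7h also restarts the clock for the 1 day Network Sign In Policy.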

Advanced usage

Some identity providers allow creating multiple Access Policies, which allow you to specify different authentication behavior directly in your IdP. Most use cases do not require this level of customization.

If you do have multiple Access Policies configured, you can select which Access Policy is used for user authentication in the authentication rule, as shown below.

