Manual Chapter : Adding primary authentication to a per-session policy

Applies To:

Show Versions Show Versions


  • 16.0.1, 16.0.0
Manual Chapter

Adding primary authentication to a per-session policy

Before you can configure a per-session policy to use Active Directory authentication, you must have at least one Active Directory AAA server configured. You also need to have created an access profile of type Modern.
This example describes how to add primary authentication to the per-session policy by creating a logon page to obtain user credentials and then authenticate the user against an external Active Directory server before granting access. You can use other methods of authentication as long as your Okta organization has user entries with the same primary authentication.
  1. On the Main tab, click
    Profiles / Policies
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the
    link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the
    icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the Logon tab, select
    Logon Page
    and click the
    Add Item
    The Logon Page Agent properties screen opens.
  5. Make any changes that you require to the logon page properties and click
    The properties screen closes and the policy displays.
  6. Right after the Logon Page, click the
  7. On the Authentication tab, select
    AD Auth
    and click
    Add Item
    A Properties popup screen opens.
  8. From the
    list, select the AAA Active Directory server to use for authentication.
  9. You can set other options, as needed, then click
  10. At the end of the Successful branch, click
    and change it to
This task adds a logon page and Active Directory authentication to the per-session policy which looks like this: