Pedro Mora

Okta Certified Professional — Lab 2: Global Session Policy

These are my lab notes from the Okta Professional Certification hands-on track. This lab maps to the Security Enforcement use case and builds directly on Lab 1.

Maps to exam: Part II — Security Enforcement (25%) · See the full lab map on the Okta Professional Cert Study Map or the official study guide.


The Three-Policy Model

Before touching the tenant, get this table locked in — the exam tests distinctions, not just configuration steps.

Policy                       Controls
Authenticator Enrollment     What authenticators a user must or may enroll in
Global Session Policy        Requirements to establish an Okta session
App Authentication Policy    Requirements to access a specific application

This lab is about the middle row: the session layer.


Lab Objects

Group:        CERT MFA Required
Test user:    cert.employee1   ← in the group
Control user: cert.employee2   ← not in the group

cert.employee1 must be in CERT MFA Required before you start. Verify this first.


Create the Global Session Policy

Security → Global Session Policy

Create a new policy:

CERT High Assurance Session Policy

Assign it only to CERT MFA Required. The default policy handles everyone else.


Create the Rule

Inside the new policy, create a rule named MFA REQUIRED.

[Screenshots: rule design, rule configuration, policy configuration overview]

The rule should require a second factor to establish an Okta session. Priority matters — Okta evaluates rules top to bottom and stops at the first match.


Test Plan

Use a private/incognito browser for each test to start from a clean session state.

Test 1 — MFA Group User

Sign in as cert.employee1.

Expected: password prompt, then an additional verification step before the Okta dashboard loads.

[Screenshot: MFA user login — additional verification required]

Test 2 — Control User

Sign in as cert.employee2.

Expected: default behavior — no additional step beyond password.

[Screenshot: control user login — default behavior]

If both users behave the same way, check group membership and policy assignment before changing anything else.


Verify in System Log

Reports → System Log → filter by cert.employee1

You should see the policy evaluation event confirming the rule matched and MFA was required.

[Screenshot: System Log showing the policy match]

The chain you’re proving:

Group membership → Global Session Policy match → stronger session requirement
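As an added illustration (not from the original post and not Okta's code or API), here is a small Python model of that chain: group membership selects the policy, rule priority selects the rule, and the rule decides whether a second factor is required. The policy and rule names are the lab's; the "deny when no rule in the selected policy matches" fallback and the "Everyone" group are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of this lab's objects; this is not Okta's code or API.
GROUP_MFA = "CERT MFA Required"

@dataclass
class Rule:
    name: str
    priority: int                     # lower number = evaluated first
    require_factor: bool              # True = second factor needed for the session
    groups: Optional[set] = None      # None = rule carries no group condition

@dataclass
class Policy:
    name: str
    priority: int
    rules: list
    assigned_groups: Optional[set] = None   # None = default policy, applies to everyone

def evaluate_session(user_groups: set, policies: list) -> dict:
    """Okta-style evaluation: the highest-priority policy assigned to one of the
    user's groups is selected, then its rules are checked top to bottom and the
    first matching rule decides. Assumption: if no rule in that policy matches,
    the outcome is DENY (evaluation does not fall through to the next policy)."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.assigned_groups is not None and not (policy.assigned_groups & user_groups):
            continue
        for rule in sorted(policy.rules, key=lambda r: r.priority):
            if rule.groups is None or rule.groups & user_groups:
                return {"policy": policy.name, "rule": rule.name,
                        "access": "ALLOW", "require_factor": rule.require_factor}
        return {"policy": policy.name, "rule": None, "access": "DENY", "require_factor": None}
    return {"policy": None, "rule": None, "access": "DENY", "require_factor": None}

LAB_POLICIES = [
    Policy("CERT High Assurance Session Policy", priority=1, assigned_groups={GROUP_MFA},
           rules=[Rule("MFA REQUIRED", priority=1, require_factor=True)]),
    Policy("Default Policy", priority=99,           # catch-all for everyone else
           rules=[Rule("Default Rule", priority=1, require_factor=False)]),
]

def diagnose(result_mfa_user: dict, result_control_user: dict) -> str:
    """Mirror of the lab's troubleshooting step: identical outcomes for both
    users point at group membership or policy assignment, not at the rule."""
    if result_mfa_user["require_factor"] == result_control_user["require_factor"]:
        return "both users behave the same: check group membership and policy assignment"
    return "ok: only the MFA group user is prompted for a second factor"

if __name__ == "__main__":
    e1 = evaluate_session({"Everyone", GROUP_MFA}, LAB_POLICIES)   # cert.employee1
    e2 = evaluate_session({"Everyone"}, LAB_POLICIES)              # cert.employee2
    print(e1, e2, diagnose(e1, e2), sep="\n")
```

Removing GROUP_MFA from the first user's group set reproduces the "both users behave the same" symptom described in the test plan.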

What You Should Be Able to Explain After This Lab

A Global Session Policy controls how a user establishes an Okta session. It is broader than an App Authentication Policy: it does not assign applications, and it does not by itself decide which authenticators are enrolled. It decides what assurance is required before the session is granted.


Mini DOMC Drill

Answer mentally: YES or NO.

  1. A Global Session Policy controls access to the Okta session.
  2. A Global Session Policy assigns users to applications.
  3. Group membership can determine which Global Session Policy applies.
  4. An authenticator can be enrolled but not required during sign-in.
  5. App Authentication Policies and Global Session Policies are the same thing.
Answers
  1. YES
  2. NO
  3. YES
  4. YES
  5. NO
