You can use access policies to perform step-up and reauthentication during a single sign-on flow based on contextual information.

Access policies can be enforced at a federation or at API Protection for OAuth and OpenID Connect. The following list shows some example scenarios where access policies could be used.

Access policies can take contextual information as input:

Based on the contextual information, the administrator can choose from the following actions:

The user is allowed single sign-on access.
The user is denied single sign-on access.
The user must complete a challenge before single sign-on access can proceed.

Access policies are defined as JavaScript. See Access policy development.
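The three outcomes above (allow, deny, challenge) can be modelled as one decision function. This is an added example, not code from the product or its documentation. The context fields (`user.groups`, `request.target`, `request.clientIp`, `session.authMethods`, `session.authTime`), the decision objects, and all thresholds and URLs are assumptions made for illustration.

```javascript
// Stand-alone model of an access policy evaluated during single sign-on.
// Assumption: the context fields and decision objects are constructed for
// this example; they are not the product's policy API.
const SENSITIVE_TARGETS = new Set(["https://payroll.example.com/sp"]); // constructed
const TRUSTED_PREFIXES = ["10.", "192.168."]; // constructed, simple IPv4 prefix match
const MAX_AUTH_AGE_SECONDS = 900; // constructed

const allow = () => ({ action: "allow" });
const deny = (reason) => ({ action: "deny", reason });
const challenge = (type, reason) => ({ action: "challenge", type, reason });

function evaluatePolicy(ctx, nowSeconds) {
  // Fail closed: a policy that cannot read its inputs must not grant access.
  if (!ctx || !ctx.user || !ctx.request || !ctx.session) {
    return deny("incomplete context");
  }
  const { user, request, session } = ctx;
  const groups = user.groups || [];
  const methods = session.authMethods || [];

  if (groups.includes("suspended")) return deny("user is suspended");

  const sensitive = SENSITIVE_TARGETS.has(request.target);
  const trustedNetwork = TRUSTED_PREFIXES.some((p) =>
    String(request.clientIp).startsWith(p));
  const hasSecondFactor = methods.includes("otp");

  // Step-up: require a second factor for sensitive targets and for any
  // request that arrives from outside the trusted network.
  if ((sensitive || !trustedNetwork) && !hasSecondFactor) {
    return challenge("step-up", "second factor required");
  }

  // Reauthentication: sensitive targets need a recent login. A missing or
  // future authTime yields NaN or a negative age and also triggers this.
  const authAge = nowSeconds - session.authTime;
  if (sensitive && !(authAge >= 0 && authAge <= MAX_AUTH_AGE_SECONDS)) {
    return challenge("reauthenticate", "login too old");
  }
  return allow();
}
```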

After an access policy is defined, it can be applied, used, and enforced on the following types of deployments.

Access policies cannot be applied or used by the following deployments.

