Check: OKTA-APP-001710
Okta Identity as a Service (IDaaS) STIG, version v1 r1
Title
Okta must be configured to disable persistent global session cookies. (Cat II impact)
Discussion
If cached authentication information is out of date, the validity of the authentication information may be questionable.
Satisfies: SRG-APP-000400, SRG-APP-000157
Check Content
From the Admin Console:
1. Select Security >> Global Session Policy.
2. In the Default Policy, verify a rule is configured at Priority 1 that is not named "Default Rule".
3. Click the "Edit" icon next to the Priority 1 rule.
4. Verify "Okta global session cookies persist across browser sessions" is set to "Disabled".
If the above is not set, this is a finding.
Fix Text
From the Admin Console:
1. Go to Security >> Global Session Policy.
2. Select the Default Policy.
3. In the "Rules" table, make these updates:
- Click "Add rule".
- Set "Okta global session cookies persist across browser sessions" to Disable.
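The check above is written for the Admin Console. The same conditions (a Priority 1 rule exists, it is not the built-in "Default Rule", and persistent global session cookies are disabled on it) can be evaluated against the rule list an auditor exports from the tenant. The following is an added example, not part of the STIG and not Okta's own code; it assumes the rule objects look like those returned by the Okta policy rules API, with the persistent-cookie setting at `actions.signon.session.usePersistentCookie`, and the sample rules are constructed for illustration.

```python
"""Evaluate OKTA-APP-001710 against a Global Session Policy rule list.

Added example. Field names (priority, name, actions.signon.session.usePersistentCookie)
are assumed to match the shape of Okta policy rule objects; adjust if your export differs.
"""
import json

# Constructed sample: one built-in "Default Rule" that still persists cookies,
# and a higher-priority custom rule that disables them.
SAMPLE_RULES_JSON = """
[
  {"name": "Default Rule", "priority": 2, "system": true,
   "actions": {"signon": {"access": "ALLOW",
                          "session": {"usePersistentCookie": true}}}},
  {"name": "DoD Session Rule", "priority": 1, "system": false,
   "actions": {"signon": {"access": "ALLOW",
                          "session": {"usePersistentCookie": false}}}}
]
"""


def evaluate_okta_app_001710(rules):
    """Return (compliant, reason) following the STIG check content.

    Step 2: a Priority 1 rule exists and is not named "Default Rule".
    Step 4: that rule has persistent global session cookies disabled.
    A missing usePersistentCookie value is treated as non-compliant
    (fail closed) rather than assumed to be disabled.
    """
    priority_one = [r for r in rules if r.get("priority") == 1]
    if not priority_one:
        return False, "no rule configured at Priority 1"
    rule = priority_one[0]
    name = rule.get("name", "<unnamed>")
    if name == "Default Rule":
        return False, 'Priority 1 rule is the built-in "Default Rule"'
    session = rule.get("actions", {}).get("signon", {}).get("session", {})
    if session.get("usePersistentCookie", True):
        return False, f'rule "{name}" allows persistent global session cookies'
    return True, f'rule "{name}" disables persistent global session cookies'


def check_sample():
    """Evaluate the constructed sample; returns (compliant, reason)."""
    return evaluate_okta_app_001710(json.loads(SAMPLE_RULES_JSON))


if __name__ == "__main__":
    ok, why = check_sample()
    print(("NOT A FINDING" if ok else "FINDING") + ": " + why)
```

To run it against a real tenant, replace `SAMPLE_RULES_JSON` with the rule list for the Default Policy obtained by an account with read access to policies; the evaluation logic stays the same.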
Additional Identifiers
Rule ID: SV-273206r1098885_rule
Vulnerability ID: V-273206
Group Title: SRG-APP-000400
Expert Comments
CCIs
Number | Definition
---|---
CCI-001942 | The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
CCI-002007 | Prohibit the use of cached authenticators after an organization-defined time period.