Sign-on policies can define different actions for UniFi Identity Enterprise sign-ins, such as granting access, requesting additional verification, or setting the time interval between verifications.
You can create as many policies as needed and arrange them in order. If a policy does not apply to the user attempting to sign in, the system will move on to the next policy in the list. However, a policy without a rule will not take effect.
Default Sign-On Policy
Default Sign-On Policy is created by default and is mandatory. It applies to all users, cannot be removed, and consists of two default rules: Default Rule for Identity Endpoints and Default Rule.
The priority of the Default Rule for Identity Endpoints is higher than that of the Default Rule. The main difference between the two is session lifetime, which is determined by the time of the user's last activity. Once the session ends, the user will be automatically signed out.
Default Rule for Identity Endpoints applies when a user signs in to UniFi Identity Enterprise through their Identity Enterprise mobile app (Android & iOS), Identity Enterprise desktop app (Windows & macOS), and Identity Enterprise app on UniFi Talk.
- Session Lifetime is 14 days, which is calculated based on the user's last activity.
- Maximum Session Lifetime is 90 days. Users will be automatically signed out from their Identity Enterprise endpoints after 90 consecutive days of being signed in, without any exceptions.
Default Rule applies to all other client scenarios.
- Session Lifetime is 2 hours, which is calculated based on the user's last activity.
- Maximum Session Lifetime is 30 days. Users will be automatically signed out from UniFi Identity Enterprise after 30 consecutive days of being signed in, without any exceptions.
Sign-On Policy Evaluation
UniFi Identity Enterprise merges the conditions of a policy and the conditions of a rule to determine whether a user is subject to a particular policy. Policies are typically broad in scope and can be applied to multiple users, while rules have specific conditions, such as the user's location or network status.
For instance, if you create a policy for the "Site Admin" group, you can specify conditions that are relevant to site admins. The policy rule could include restrictions on network zones that are only applicable to that specific site's networks.
- During policy evaluation, the conditions of a policy are matched with the conditions of its associated rules. Only when all the conditions are satisfied will the rules be enforced.
- A policy can include more than one rule, and the order of the rules is crucial in determining users' sign-in behavior. To avoid conflicts between rules, prioritize the restrictive rules in the list.
- If multiple rules exist within a policy, and the conditions of the first rule are not met, the system will skip that rule and evaluate the next one in order.
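The evaluation order described above (first applicable policy, first rule whose conditions all hold, otherwise skip to the next) as an added, constructed Python model that is not the product's code; the class and field names, the "Site Admin" policy contents and the 203.0.113.0/24 zone are assumptions for illustration. The default policy with its two default rules is modelled as the last, catch-all entry.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed model of the ordered evaluation described above; names are assumptions.

@dataclass
class Rule:
    name: str
    action: dict                                # what is enforced when the rule matches
    enabled: bool = True
    zone: list = field(default_factory=list)    # CIDRs of the network zone; empty = Anywhere
    outside_zone: bool = False                  # False = Inside Zone, True = Outside Zone
    clients: set = field(default_factory=set)   # empty = Any client
    excluded_users: set = field(default_factory=set)

    def matches(self, user, ip, client):
        # every configured condition must hold for the rule to be enforced
        if not self.enabled or user in self.excluded_users:
            return False
        if self.zone:
            inside = any(ip_address(ip) in ip_network(cidr) for cidr in self.zone)
            if inside == self.outside_zone:     # wrong side of the zone for this rule
                return False
        return not self.clients or client in self.clients

@dataclass
class Policy:
    name: str
    applies_to: set      # users, groups and roles; empty = all users (the default policy)
    rules: list

def evaluate(policies, user, memberships, ip, client):
    """First applicable policy, first rule whose conditions all hold; skip the rest."""
    for policy in policies:
        if policy.applies_to and not policy.applies_to & ({user} | set(memberships)):
            continue                            # does not apply: move on to the next policy
        for rule in policy.rules:               # a policy with no rules has no effect
            if rule.matches(user, ip, client):
                return policy.name, rule.name, rule.action
    return None   # assumption: no rule matched in any applicable policy, so nothing enforced

ENDPOINT_APPS = {"mobile app", "desktop app", "UniFi Talk app"}
DEFAULT_POLICY = Policy("Default Sign-On Policy", set(), [
    Rule("Default Rule for Identity Endpoints", {"idle": "14d", "max": "90d"}, clients=ENDPOINT_APPS),
    Rule("Default Rule", {"idle": "2h", "max": "30d"}),
])
SITE_ADMIN_POLICY = Policy("Site Admin", {"Site Admin"}, [      # constructed example policy
    Rule("Block outside office", {"access": "Blocked"}, zone=["203.0.113.0/24"], outside_zone=True),
    Rule("Allow with MFA", {"access": "Allowed", "mfa": "Any Factor"}),
])
POLICIES = [SITE_ADMIN_POLICY, DEFAULT_POLICY]  # restrictive, narrower policy first
```

Calling `evaluate(POLICIES, "alice", {"Site Admin"}, "198.51.100.7", "Portal")` returns the blocking rule, while a non-admin on an endpoint app falls through to the Default Rule for Identity Endpoints.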
Create a Sign-On Policy
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > Identity Firewall > Policy > Sign-On and click New Sign-On Policy.
- Enter the following information:
- Policy Name: Enter a name for the policy.
- Description: Enter a description for the policy.
Validity Period: Specify the validity period of the policy.
- Always: The policy is always effective unless you disable it.
- Specified time range: The policy is only effective within the specified time range. Tick the Based on users' time zones checkbox to ensure the time range reflects users' time zones.
- Recurring schedule: The policy is effective based on the recurring schedule.
Applied Users: Click Add User, select the users, groups, and roles that this policy will apply to, and click Add.
- Users: This policy only applies to the selected users. Input the user’s name in the search box.
- Groups: This policy only applies to the selected groups.
- Roles: This policy only applies to the selected roles.
- Click Create.
- Verify your account with an MFA method.
- You can continue to create a rule or create it later.
Create a Sign-On Policy Rule
Do either of the following:
- Create a new policy and rule: You'll be prompted to create a rule after a policy is created.
- Create a rule in an existing policy: Go to Security > Identity Firewall > Policy > Sign-On, click an existing policy, and go to Rules > Create Rule.
Enter the Rule Name and tick the “Enable this rule” checkbox to enable it.
Go to Exclude Users (Optional) and click Add User to select the users you want to exclude from this rule. No user is selected by default.
Go to Conditions and set the following:
If the user's IP is: Specify the network zone to which this rule applies.
- Anywhere: The action is triggered no matter what the user's IP is. This is selected by default.
- Inside Zone: The action takes effect when the user's IP is within the set network zone range.
- Outside Zone: The action takes effect when the user's IP is outside of the network zone range.
And if their device platform is: Specify the device this rule applies to.
- Any Device
- Any device except for Android, iOS, macOS, and Windows
And if their client is: Specify the client this rule applies to.
- Any client
- Identity Enterprise desktop app (Windows & macOS)
- Identity Enterprise mobile app (Android & iOS)
- Identity Enterprise Manager
- Identity Enterprise Portal
- Desktop SSO
- Identity Enterprise app on UniFi Talk
And if their behavior is: Specify the behavior this rule applies to. Note: This condition is not available in the Identity Enterprise Basic Plan.
- Select the default behavior rule or the one you have created.
- If multiple behaviors are selected, this rule will be triggered if one of the conditions is satisfied.
- The behaviors mentioned will be assessed along with other conditions specified in this rule.
- If an IP address or network zone has been included and a behavior that specifies an IP address is also included, all the criteria must be met for the rule to be enforced.
- And if their risk level is: Define the risk level for the user's UniFi Identity Enterprise sign-in. Risk scoring is calculated using the user's past activities. Note: This condition is not available in the Identity Enterprise Basic Plan.
And if their identity provider is: Specify the identity provider for triggering the action. Note: This condition is not available in the Identity Enterprise Basic Plan.
- UniFi Identity Enterprise Account
- The IdPs you have configured
Go to Actions and set whether to allow user access:
- Allowed: Allow users to access UniFi Identity Enterprise.
- Blocked: Do not allow users to access UniFi Identity Enterprise.
MFA: Specify whether MFA is required for UniFi Identity Enterprise sign-ins. If a policy specifies a particular MFA method, you cannot remove that MFA method until it is removed from all policies that require it.
- Not Required: Users can sign in without verifying their account.
- Any Factor: Users must verify their account using any MFA method.
Factor Sequence: Specify the factors required for user identity authentication. You can configure multiple factors to request users to complete a two-step authentication process. Once configured, users must authenticate using both the primary MFA and secondary MFA.
- Primary MFA (Required): Specify an MFA method that users must complete. This option only appears when "Factor Sequence" is selected. Click Add Secondary MFA if needed.
- Specific Factor: Select a factor for user identity authentication. Once configured, users must authenticate every time they sign in to UniFi Identity Enterprise.
- MFA Settings: Click it to go to Security > MFA and configure MFA methods.
When to Prompt for MFA:
- Every time: MFA is required for every sign-in attempt.
When using a new device: When users opt for "Do not ask me again" on the identity authentication page, their MFA information gets saved in the cookies of their trusted devices after a successful identity authentication. This means that they won't be prompted for MFA again as long as the cookies remain valid.
- Select "Don't prompt me again for MFA" by default: If this checkbox is ticked, the Don't prompt me again for MFA checkbox will be automatically selected by default on the user's identity authentication page.
After MFA lifetime for device cookie expires: When users opt for "Do not ask me again for the next [Number] minutes/hours/days" on the identity authentication page, their MFA information gets saved in the cookies of their trusted devices after a successful identity authentication. This means that they won't be prompted for MFA again as long as the cookies remain valid. Once the MFA lifetime for the device cookie expires, users will be required to undergo MFA again.
- MFA Lifetime: Set the MFA lifetime to a specific number of minutes, hours, or days.
Go to Session Lifetime and specify the sign-in session lifetime, which is determined by the time of the user's last activity. Once the session ends, the user will be automatically signed out. To provide granular access, different rules with different session lifetimes can be set for different users. For security reasons, it is recommended to set the session lifetime to the shortest duration that your users' workflows allow.
Expire after Being Idle for:
- Minimum idle time is 1 minute and maximum idle time is 60 days.
- If the user is idle for the configured period, the session expires regardless of the Maximum Session Lifetime that has been set: "Expire after Being Idle for" takes precedence over the maximum session lifetime.
Maximum Session Lifetime:
- Minimum session lifetime is 1 minute and the maximum session lifetime is 90 days.
- If a maximum session lifetime has been set, the session will expire once that lifetime ends, even if "Expire after Being Idle for" allows a longer period of inactivity. The Maximum Session Lifetime caps how long any session, including a hijacked one, remains usable.
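How the two limits interact (idle timeout counted from the last activity, maximum lifetime counted from sign-in, whichever comes first) as an added, constructed Python model that is not the product's code; the function names, the `T0` sign-in time and the activity timelines are assumptions. The two default rules from this page are used as the sample settings.

```python
from datetime import datetime, timedelta
# Constructed model of the two session limits described above; the function and
# parameter names are assumptions for illustration, not the product's own API.

def session_expiry(signed_in_at, last_activity_at, idle_limit, max_lifetime):
    """Instant at which the session ends: the idle timeout (counted from the last
    activity) or the maximum lifetime (counted from sign-in), whichever is earlier.
    A limit that is not configured is passed as None."""
    ends = []
    if idle_limit is not None:
        ends.append(last_activity_at + idle_limit)
    if max_lifetime is not None:
        ends.append(signed_in_at + max_lifetime)
    return min(ends) if ends else None

def is_signed_in(now, signed_in_at, last_activity_at, idle_limit, max_lifetime):
    expiry = session_expiry(signed_in_at, last_activity_at, idle_limit, max_lifetime)
    return expiry is None or now < expiry

# The two default rules from this page: (Expire after Being Idle for, Maximum Session Lifetime)
DEFAULT_RULE = (timedelta(hours=2), timedelta(days=30))
ENDPOINT_RULE = (timedelta(days=14), timedelta(days=90))

def simulate(activity_times, idle_limit, max_lifetime):
    """Replay activity timestamps (the first one is the sign-in) and return the
    instants at which the user turned out to be signed out and had to sign in again."""
    signed_in_at = last = activity_times[0]
    signed_out_at = []
    for now in sorted(activity_times[1:]):
        if is_signed_in(now, signed_in_at, last, idle_limit, max_lifetime):
            last = now
        else:
            signed_out_at.append(now)
            signed_in_at = last = now          # a fresh session starts here
    return signed_out_at

T0 = datetime(2024, 1, 1, 9, 0)                # constructed sign-in time for the scenarios
def at(days=0, hours=0):
    return T0 + timedelta(days=days, hours=hours)
```

With daily activity on an endpoint app, `simulate([at(days=d) for d in range(100)], *ENDPOINT_RULE)` reports a single forced sign-out on day 90, whereas a 15-day gap triggers the idle limit first.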