Custom IdP factor
This is an Early Access feature. To enable it, contact Okta Support.
The Custom IdP factor allows admins to enable authentication with an OIDC or SAML identity provider (IdP) as extra verification. When configured, the end user sees the option to use the identity provider for extra verification and is redirected to that identity provider for verification. This verification replaces authentication with another non-password factor, such as Okta Verify.
Once a Custom IdP factor has been enabled and added to a multifactor authentication enrollment policy, users may use it to verify their identity when they sign in to Okta. End users are directed to the identity provider to authenticate and are then redirected to Okta once verification is successful.
This factor allows you to:
- Add a Custom IdP factor for existing SAML or OIDC-based IdP authentication.
- Link an existing SAML 2.0 IdP or OIDC IdP to use as the Custom IdP factor provider.
Before you begin:
- Admin access to Okta is required to enroll and configure the Custom IdP factor.
- An existing identity provider must be available to use as the additional step-up authentication provider.
SAML and OIDC claims mapping
Okta expects the following claims for SAML and OIDC:
- For the SAML response, the subjectNameId claim is mapped to the Okta username.
- For the OIDC response, the preferred_username claim is mapped to the Okta username.
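As an added check (example code, not Okta's own and not from this page), the following script inspects a test SAML Response or OIDC ID token captured from your identity provider and reports whether it carries the claim Okta maps to the username: the SAML Subject NameID or the OIDC preferred_username. It assumes an exact string match between the claim value and the Okta username is required; the sample response and tokens are constructed, and the JWT payload is only decoded for inspection, not signature-verified.

```python
# Added illustration (not Okta's code): inspect a test SAML Response or OIDC ID
# token from your identity provider and confirm it carries the claim Okta maps
# to the Okta username (SAML Subject NameID, OIDC preferred_username).
# The sample response and tokens below are constructed for this example.
import base64
import json
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def saml_username(response_xml: str) -> Optional[str]:
    """Return the Subject NameID of the first Assertion, or None if absent/empty."""
    root = ET.fromstring(response_xml)
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", SAML_NS)
    if node is None or node.text is None or not node.text.strip():
        return None
    return node.text.strip()


def oidc_username(id_token: str) -> Optional[str]:
    """Return the preferred_username claim from an ID token payload, or None.

    Only base64url-decodes the payload segment to look at the claims the IdP
    emits; it does NOT verify the signature (Okta does that when it consumes
    the token during factor verification).
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    value = claims.get("preferred_username")
    return value if isinstance(value, str) and value else None


def check_mapping(claim_value: Optional[str], okta_username: str) -> Tuple[bool, str]:
    """Compare the claim the IdP sent with the user's Okta username.

    Assumption: an exact string match is required.
    """
    if claim_value is None:
        return False, "expected claim is missing from the IdP response"
    if claim_value != okta_username:
        return False, f"claim {claim_value!r} does not match Okta username {okta_username!r}"
    return True, "ok"


def _b64url(obj: dict) -> str:
    """base64url-encode a JSON object without padding (JWT segment style)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# --- constructed samples ---------------------------------------------------
SAMPLE_SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same response with the NameID element removed: the mapping cannot succeed.
SAMPLE_SAML_NO_NAMEID = SAMPLE_SAML_RESPONSE.replace(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>', "")

# header.payload.signature; the signature segment is a placeholder.
SAMPLE_ID_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                            _b64url({"sub": "1234", "preferred_username": "alice@example.com"}),
                            "sig"])
# A token carrying only `sub` is not enough: Okta maps preferred_username.
SAMPLE_ID_TOKEN_SUB_ONLY = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                                     _b64url({"sub": "1234"}),
                                     "sig"])

if __name__ == "__main__":
    print(check_mapping(saml_username(SAMPLE_SAML_RESPONSE), "alice@example.com"))
    print(check_mapping(oidc_username(SAMPLE_ID_TOKEN), "alice@example.com"))
    print(check_mapping(oidc_username(SAMPLE_ID_TOKEN_SUB_ONLY), "alice@example.com"))
```

Run it against a response or token captured from a test sign-in at your IdP before activating the factor; a missing NameID or a token that only carries `sub` is the typical reason the factor fails for every user.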
There are two stages to configure a Custom IdP factor:
- Step 1: Add an identity provider to Okta.
- Step 2: Enable the IdP authenticator.
Step 1: Add an identity provider to Okta
- In the Admin Console, go to Security > Identity Providers.
- Click Add identity provider and select the identity provider you want to add.
- Click Next. The identity provider's setup page appears.
- Each identity provider page includes a link to the setup instructions for that identity provider; Okta recommends that you read these instructions to learn how to configure your identity provider.
- JIT settings aren't supported with the Custom IdP factor.
Step 2: Enable the Custom IdP factor
You must add an identity provider as described in Step 1 before you can enable the Custom IdP factor.
- In the Admin Console, go to Security > Multifactor.
- Click IdP Factor.
- Click Edit.
- Click Add Custom Factor.
- Select an identity provider from the menu.
- Click Save.
- Set the custom factor status to Active to enable it for end users or Inactive to disable it.
Once the custom factor is active, go to Factor Enrollment and add the IdP factor to your org's MFA enrollment policy.
- After the admin has added and enabled the Custom IdP factor, the end user is prompted to set up custom factor authentication on their next sign-in.
- Once the end user has successfully set up the Custom IdP factor, it appears in their settings as a configured factor under Settings > Extra Verification.
- When an end user triggers the use of a factor, it times out after five minutes, after which they must trigger the use of the factor again.
Custom IdP factor authentication isn't supported for use with the following:
- Okta IWA web agent: The Custom IdP factor can't be used with the Okta Integrated Windows Authentication (IWA) agent for Desktop Single Sign-on.
- Device Trust integrations that use the “Untrusted Allow with MFA” configuration will fail.
- Okta Mobile users will no longer have SWA app launch and password autofill or long-lived mobile app dashboard sessions. When the Custom IdP factor is enabled for your org by Okta Support, the web interface will appear in place of the app UI.
- MFA for RDP, MFA for ADFS, RADIUS logins, and other non-browser-based sign-in flows don't support the Custom IdP factor.
- The Custom IdP factor doesn't support the use of Microsoft Azure Active Directory (AD) as an identity provider. To use Microsoft Azure AD as an identity provider, see Make Azure Active Directory an Identity Provider.