This is an Early Access feature. To enable it, contact Okta Support.
Identity Provider (IdP) factor authentication allows admins to enable authentication with trusted OIDC or SAML Identity Providers as extra verification. When configured, the end user sees the option to use the trusted IdP for extra verification and is redirected to the IdP for verification. This verification replaces authentication with another non-password factor.
Once an IdP
With this feature you can:
- Add a custom IdP factor for existing SAML or OIDC-based IdP authentication.
- Enable or disable the custom factor from the Admin Console.
- Link an existing SAML 2.0 IdP or OIDC IdP to use as the custom factor.
Before you begin
- Admin access to Okta is required to enroll and configure the desired custom factor.
- An existing Identity Provider must be available to use as the additional step-up authentication provider.
SAML and OIDC claims
Okta expects the following claims for SAML and OIDC:
- For the SAML response, the subjectNameId claim is mapped to the Okta username.
- For the OIDC response, the preferred_username claim is mapped to the Okta username.
There are two primary steps to set up a custom IdP factor:
- Add the IdP for MFA.
- Enable the IdP factor.
Step 1: Add an Identity Provider for MFA
- Refer to Identity Providers for more information on how to create a SAML Identity Provider for MFA. For this workflow, navigate to Identity Providers > Configure Inbound SAML > Workflow > Part 1 – Add a SAML Identity Provider.
- Create the IdP factor with IdP usage set to Factor Only. Note that JIT settings are not supported, and IdPs that are set as SSO only can't be used for the Custom IdP factor.
- Once configured, navigate to Security > Identity Providers from the Okta console to add the Identity Provider.
- Refer to Generic OpenID Connect for general information about OpenID Connect.
- Refer to Generic OpenID Connect Identity Providers on how to set up an OIDC Identity Provider.
- Once configured, go to Security > Identity Providers from the Okta console to add the Identity Provider.
Step 2: Enable the custom IdP factor
- In the Admin Console, go to Security > Multifactor.
- Click IdP Factor to open the setup for a custom SAML factor or a custom OIDC factor.
- Click Add Custom Factor to add a new custom factor.
- Select an Identity Provider from the menu. Note that the Identity Provider must be configured first before it can be selected.
- Click Save to save your configuration once an Identity Provider has been added.
- Set the custom factor status to Active to enable it for end users or Inactive to disable it.
Once the custom factor is enabled
- After the admin has added and enabled the custom factor, the end user is prompted to set up custom factor authentication on their next sign-in.
- Once the end user has successfully set up the factor, it appears in their settings as a configured factor under Settings > Extra Verification.
- When an end user triggers the use of a factor, the factor times out after five minutes, after which they must trigger the use of the factor again.
Custom IdP factor authentication is not supported for use with the following:
- Okta IWA web agent: Custom IdP factor authentication can't be used with the Okta Integrated Windows Authentication agent (IWA) for Desktop Single Sign-on.
- Device Trust integrations that use the “Untrusted Allow with MFA” configuration will fail.
- Okta Mobile users will no longer have SWA app launch and password autofill or long-lived mobile app dashboard sessions. When the Custom IdP factor is enabled for your org by Okta Support, the web interface appears in place of the app UI.
- MFA for RDP, MFA for ADFS, RADIUS logins, and other non-browser-based login flows do not support the Custom IdP factor.
The Custom IdP factor doesn't support the use of Microsoft Azure Active Directory (AD) as an identity provider. To use Microsoft Azure AD as an identity provider, see Make Azure Active Directory an identity provider.