Custom IdP factor

Early Access release

The Custom IdP factor allows admins to enable authentication with an OIDC or SAML Identity Provider (IdP) as extra verification. When configured, the end user sees the option to use the Identity Provider for extra verification and is redirected to that Identity Provider for verification. This verification replaces authentication with another non-password factor, such as Okta Verify.

Once a Custom IdP factor has been enabled and added to a multifactor authentication enrollment policy, users may use it to verify their identity when they sign in to Okta. End users are directed to the Identity Provider to authenticate and are then redirected to Okta once verification is successful.

This factor allows you to:

  • Add a Custom IdP factor for existing SAML or OIDC-based IdP authentication.
  • Link an existing SAML 2.0 IdP or OIDC IdP to use as the Custom IdP factor provider.

Before you begin

  • Admin access to Okta is required to enroll and configure the Custom IdP factor.
  • An existing Identity Provider must be available to use as the additional step-up authentication provider.

SAML and OIDC claims mapping

Okta expects the following claims for SAML and OIDC:

  • For the SAML response, the subjectNameId claim is mapped to the Okta username.
  • For the OIDC response, the preferred_username claim is mapped to the Okta username.

Configure a Custom IdP factor

There are two stages to configure a Custom IdP factor:

  1. Add an Identity Provider to Okta.
  2. Enable the IdP authenticator.

Step 1: Add Identity Providers to Okta

  1. In the Admin Console, go to SecurityIdentity Providers.

  2. Click Add Identity Provider and select the Identity Provider you want to add.
  3. Click Next. The Identity Provider's setup page appears.

  • Each Identity Provider page includes a link to the setup instructions for that Identity Provider. Okta recommends that you read these instructions to learn about how to configure your Identity Provider.
  • JIT settings aren't supported with the Custom IdP factor.

Step 2: Enable the custom IdP factor

Add an Identity Provider as described in step 1 before you can enable the Custom IdP factor.

  1. In the Admin Console, go to SecurityMultifactor.
  2. Click IdP Factor.
  3. Click Edit.
  4. Click Add Custom Factor.
  5. Select an Identity Provider from the menu.
  6. Click Save.
  7. Set the custom factor status to Active to enable it for end users or Inactive to disable it.

Once the custom factor is active, go to FactorEnrollment and add the IdP factor to your org's MFA enrollment policy.

End-user experience

  • Users are prompted to set up custom factor authentication on their next sign-in.
  • Once the end user has successfully set up the Custom IdP factor, it appears in SettingsExtra Verification.
  • When an end user triggers the use of a factor, it times out after five minutes. After this, they must trigger the use of the factor again.

Limitations

Custom IdP factor authentication isn't supported for use with the following:

  • Okta IWA web agent: The Custom IdP factor authentication can't be used with the Okta Integrated Windows Authentication agent (IWA) for Desktop Single Sign-on.
  • Device Trust integrations that use the “Untrusted Allow with MFA” configuration fails.
  • Okta Mobile users don't have SWA app launch and password autofill or long-lived mobile app dashboard sessions. When Okta Support enables the Custom IdP factor for your org, the web interface appears in place of the app UI.
  • MFA for RDP, MFA for ADFS, RADIUS logins, or other non-browser based sign-in flows don't support the Custom IdP factor.
  • The Custom IdP factor doesn't support the use of Microsoft Azure Active Directory (AD) as an Identity Provider. To use Microsoft Azure AD as an Identity Provider, see Make Azure Active Directory an Identity Provider.

Related topics

Identity Providers

Sign-on policies

Multifactor Authentication

General Security

Network zones