Custom IdP factor

This is an Early Access feature. To enable it, contact Okta Support.

Identity Provider (IdP) factor authentication allows admins to enable authentication with trusted OIDC or SAML Identity Providers as extra verification. When configured, the end user will see the option to use the trusted IdP for extra verification and will be redirected to the IdP for verification. This verification will replace authentication with another non-password factor, such as Okta Verify.

Once an IdP factor has been enabled and added to a factor enrollment policy, users who sign in to Okta may use it to verify their identity. End users are directed to the Identity Provider in order to authenticate and are then redirected to Okta once verification is successful.

With this feature you can:

  • Add a custom IdP factor for existing SAML or OIDC-based IdP authentication.
  • Enable or disable the custom factor from the Admin Console.
  • Link an existing SAML 2.0 IdP or OIDC IdP to use as the custom factor provider.

Before you begin

  • Admin access to Okta is required to enroll and configure the desired custom factor.
  • An existing Identity Provider must be available to use as the additional step-up authentication provider.

SAML and OIDC claims

Okta expects the following claims for SAML and OIDC:

  • For the SAML response, the subjectNameId claim is mapped to the Okta username.
  • For the OIDC response, the preferred_username claim is mapped to the Okta username.
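When troubleshooting a factor that never matches the signed-in user, the first thing to confirm is that the IdP is actually sending the claim Okta maps to the username. The following is an added example, not Okta's code or part of this page: it pulls the Subject NameID out of a SAML response and `preferred_username` out of decoded OIDC ID token claims and compares each against the expected Okta username. The sample SAML response and OIDC claim set are constructed for the example; signature and assertion validation are Okta's job and are deliberately out of scope here.

```python
"""Check that an IdP response carries the claim Okta maps to the Okta username.

Added example (not Okta's code). The claim names are the ones the page states:
Subject NameID for SAML, preferred_username for OIDC. Sample inputs below are
constructed; signature/assertion validation is intentionally not performed.
"""
import xml.etree.ElementTree as ET
from typing import Optional

# Namespaces used by SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample SAML response (unsigned, minimal; example data only).
SAMPLE_SAML_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample of already-decoded OIDC ID token claims (example data only).
SAMPLE_OIDC_CLAIMS = {
    "iss": "https://idp.example.com",
    "sub": "7f3c9a0e",
    "preferred_username": "alice@example.com",
}


def saml_subject_name_id(response_xml: str) -> Optional[str]:
    """Return the Subject NameID of the first Assertion, or None if absent/empty."""
    root = ET.fromstring(response_xml)
    name_id = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return None
    return name_id.text.strip()


def oidc_preferred_username(id_token_claims: dict) -> Optional[str]:
    """Return preferred_username from decoded ID token claims, or None if absent/empty."""
    value = id_token_claims.get("preferred_username")
    if not isinstance(value, str) or not value.strip():
        return None
    return value.strip()


def check_idp_response(protocol: str, payload, okta_username: str) -> dict:
    """Report which claim was inspected, what it held, and whether it equals the
    Okta username. Comparison is exact; whatever normalisation Okta applies on its
    side is not reproduced here."""
    if protocol == "SAML":
        claim, value = "subjectNameId", saml_subject_name_id(payload)
    elif protocol == "OIDC":
        claim, value = "preferred_username", oidc_preferred_username(payload)
    else:
        raise ValueError(f"unsupported protocol: {protocol}")
    return {"claim": claim, "value": value, "matches": value == okta_username}


if __name__ == "__main__":
    for proto, payload in (("SAML", SAMPLE_SAML_RESPONSE), ("OIDC", SAMPLE_OIDC_CLAIMS)):
        print(proto, check_idp_response(proto, payload, "alice@example.com"))
```

A `matches: False` result with a non-empty value usually means the IdP is releasing a different identifier (an opaque ID or a display name) in the mapped claim; a `None` value means the claim is missing entirely from the response.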

Custom IdP factor configuration

There are two primary steps to set up a custom IdP factor:

  1. Add the IdP for MFA.
  2. Enable the IdP factor.

Step 1: Add an Identity Provider for MFA

  1. Refer to Identity Providers for more information on how to create a SAML Identity Provider for MFA. For this workflow, navigate to Identity Providers > Configure Inbound SAML > Workflow > Part 1 – Add a SAML Identity Provider.
  2. Create the IdP factor with IdP usage as Factor Only. Note that JIT settings are not supported, and IdPs that are set as SSO only can't be used for Custom IdP factor.
  3. Once configured, navigate to Security > Identity Providers from the Okta console to add the Identity Provider.

OpenID Connect

Step 2: Enable the custom IdP factor

  1. In the Admin Console, go to Security > Multifactor.
  2. Click IdP Factor to access custom factor setup for custom SAML factor or custom OIDC factor setup.
  3. Click Edit.
  4. Click Add Custom Factor to add a new custom factor.
  5. Select an Identity Provider from the menu. Note that the Identity Provider must be configured first before it can be selected.
  6. Click Save to save your configuration once an Identity Provider has been added.
  7. Set the custom factor status to Active to enable it for end users or Inactive to disable it.

Once the custom factor is active, go to Factor Enrollment and add the IdP factor to your org's MFA enrollment policy.

End-user experience

  • After the admin has added and enabled the custom factor, the end user is prompted to set up custom factor authentication on their next sign in.
  • Once the end user has successfully set up the factor, it will appear in their settings as a configured factor under Settings > Extra Verification.
  • When an end user triggers the use of a factor, it times out after five minutes, after which they must trigger the use of the factor again.

Custom IdP factor authentication isn't supported for use with the following:

  • Okta IWA web agent: Custom IdP factor authentication can't be used with the Okta Integrated Windows Authentication agent (IWA) for Desktop Single Sign-on.
  • Device Trust integrations that use the “Untrusted Allow with MFA” configuration will fail.
  • Okta Mobile users will no longer have SWA app launch and password autofill or long-lived mobile app dashboard sessions. When Custom IdP is enabled for your org by Okta Support, the web interface will appear in place of the app UI.
  • MFA for RDP, MFA for ADFS, RADIUS logins, or other non-browser based login flows do not support Custom IdP factor.

Related topics

Identity Providers

Sign-on policies

Multifactor Authentication

General Security

Network Zones