Pass Device Context using Limited Access

Limited Access allows you to configure Okta to pass device context to certain SAML applications through the SAML assertion exchanged during authentication. The applications can then use that information to limit access to certain app-specific behaviors, such as permissions to edit the application or to download files from the application.

If your org uses Identity Engine, see this topic.

This feature works with:

  • Windows, macOS, iOS, and Android devices
  • Custom and OIN SAML app integrations able to consume the device context attribute

Prerequisites

In the Okta Admin Console

  • Enable Device Trust in the Okta Admin Console (Security > Device Trust)
  • Configure a Device Trust sign-on policy for the app integration (the Sign On tab of the app)

For details, see the Device Trust document appropriate for your implementation.

In the external application

Configure the external application to consume the device context received in the SAML assertion and specify the behaviors you want to control based on that context.

Supported attribute values

When this feature is configured, Okta passes one of the following attribute values to the external application in the SAML assertion, according to the Attribute Statement and app integration sign-on policy you have configured in Okta.

Attribute Value   Definition

TRUSTED           The user's device is trusted, as defined by the Okta app integration sign-on policy
NOT_TRUSTED       The user's device is untrusted, as defined by the Okta app integration sign-on policy
UNKNOWN           The device context is unknown because one or both of the following is true:
                  • Device Trust is not enabled for the given device type (Security > Device Trust)
                  • Device Trust is not configured in the app integration sign-on policy (the Sign On Policy section of the Sign On tab of the app)

Notes:

  • The Attribute Value passed to the external application is enforced for the duration of the session.
  • You can use Okta Expression Language to map Okta terminology to ISV-specific terminology.

Procedure

  1. Complete the Prerequisites.
  2. If you haven't done so already, create a custom app integration or add an OIN app integration through the Okta Admin Console.
  3. Add an Attribute Statement to the app integration (for more details, see Define group attribute statements):

    You can add the statement while creating a new app integration or edit an existing app integration.

    For a new app integration:

    In Step 2: Configure SAML, scroll to the section Attribute Statements (Optional).

    For an existing app integration:

    This procedure varies depending on whether you are editing a custom app integration or an OIN app integration.

    If editing a custom app integration:

    1. In the Admin Console, go to Applications > Applications.
    2. Click the custom SAML app.
    3. Go to the General tab, scroll to the section SAML Settings, and then click Edit.
    4. Click Next.
    5. Scroll to the section Attribute Statements (Optional).

    If editing an OIN app integration:

    1. In the Admin Console, go to Applications > Applications.
    2. Click the OIN SAML app integration.
    3. Go to the Sign On tab, then click Edit.
    4. Scroll to the section Attribute Statements (Optional).
  4. In Name, enter a name for the attribute you want to add.

    The maximum length for this field is 512 characters. The Name attribute must be unique across all of the user and group attribute statements.

  5. In Name format, select Unspecified.
  6. In Value, select device.trusted.

    The maximum length for this field is 1024 characters.

    You can use the Okta Expression Language to transform the value as needed for your use case.

    For example, to map Okta terms for a trusted device context to relevant Salesforce terms, you would enter this statement in the Value field:

    device.trusted == "TRUSTED" ? "HIGH ASSURANCE" : "STANDARD"

    The above statement transforms terms as follows:

    Okta device context attribute   Salesforce term

    TRUSTED                         HIGH ASSURANCE
    NOT_TRUSTED                     STANDARD
    UNKNOWN                         STANDARD
  7. To add an additional statement row, click Add Another. Repeat until all necessary attributes are defined.
  8. Click Next.
  9. Click Finish when done.

Attribute Statement details

Here is an Attribute Statement sent to an external application through the SAML Assertion that shows the device context of an untrusted device:

    <?xml version="1.0"?>
    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:Attribute Name="DeviceTrustSignal"
                       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string"> NOT_TRUSTED </saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
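The page tells you to configure the external application to consume the device context, and shows the Attribute Statement it will receive, but does not show the consuming side. The following is an added example (not Okta's code, and not from any Okta SDK) of how a service provider could read the attribute from the statement above and gate app-specific behaviors on it. It also mirrors the Salesforce mapping from the procedure, where NOT_TRUSTED and UNKNOWN both collapse to STANDARD. Assumptions: the attribute is named DeviceTrustSignal as in the sample, the assertion's signature has already been validated by the SP's SAML library before this code runs, and the gated behaviors (edit, download) are hypothetical.

```python
"""Added example: service-provider-side consumer for Okta's device context attribute.

Assumptions (not from the Okta page):
  - Attribute Name is "DeviceTrustSignal", matching the sample assertion.
  - The SAML assertion was already signature-validated by the SP's SAML library;
    this code only reads the verified AttributeStatement.
  - "can_edit" / "can_download" are hypothetical app behaviors to gate.
"""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DEVICE_ATTR_NAME = "DeviceTrustSignal"  # assumed name, taken from the page's sample

# The three values Okta documents for the attribute. Anything else is treated as UNKNOWN.
KNOWN_VALUES = {"TRUSTED", "NOT_TRUSTED", "UNKNOWN"}

# Constructed sample: the untrusted-device statement shown on the page.
SAMPLE_UNTRUSTED = """<?xml version="1.0"?>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="DeviceTrustSignal"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xs:string"> NOT_TRUSTED </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

# Constructed sample: same statement for a trusted device.
SAMPLE_TRUSTED = SAMPLE_UNTRUSTED.replace("NOT_TRUSTED", "TRUSTED")

# Constructed sample: a statement with no device context attribute at all
# (e.g. the Attribute Statement was never added in Okta).
SAMPLE_MISSING = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="email"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue>user@example.com</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def device_context(attribute_statement_xml: str) -> str:
    """Return TRUSTED, NOT_TRUSTED or UNKNOWN for the given AttributeStatement.

    Surrounding whitespace is stripped (Okta pads the value with spaces, as
    in the sample). A missing attribute, an empty value, or a value outside
    Okta's documented set all collapse to UNKNOWN, so the SP never grants
    more than the least-privileged outcome by accident.
    """
    root = ET.fromstring(attribute_statement_xml)
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") != DEVICE_ATTR_NAME:
            continue
        value_el = attr.find(f"{{{SAML2_NS}}}AttributeValue")
        value = (value_el.text or "").strip() if value_el is not None else ""
        return value if value in KNOWN_VALUES else "UNKNOWN"
    return "UNKNOWN"


def app_permissions(context: str) -> dict:
    """Map the device context to hypothetical app behaviors.

    Only TRUSTED unlocks the sensitive actions. NOT_TRUSTED and UNKNOWN are
    handled identically, which is the same fail-closed shape as the page's
    Salesforce mapping (both become STANDARD).
    """
    trusted = context == "TRUSTED"
    return {"can_edit": trusted, "can_download": trusted, "view_only": not trusted}


def salesforce_term(context: str) -> str:
    """SP-side equivalent of the page's Expression Language statement:
    device.trusted == "TRUSTED" ? "HIGH ASSURANCE" : "STANDARD"
    """
    return "HIGH ASSURANCE" if context == "TRUSTED" else "STANDARD"


if __name__ == "__main__":
    for label, xml in [("untrusted", SAMPLE_UNTRUSTED),
                       ("trusted", SAMPLE_TRUSTED),
                       ("missing", SAMPLE_MISSING)]:
        ctx = device_context(xml)
        print(f"{label:9} -> {ctx:11} {app_permissions(ctx)} {salesforce_term(ctx)}")
```

The point worth noting is that the SP should treat the attribute as advisory input to its own authorization decision: the value is enforced for the session, so the permissions derived from it are computed once at login, and anything other than an exact TRUSTED (including a missing attribute, which is what you get before the Attribute Statement is configured in Okta) yields the restricted behavior.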

Related topics

Okta Device Trust solutions

Create SAML app integrations

Add existing app integrations

Create custom app integrations

Okta Expression Language