Pass Dynamic Authentication Context to SAML Apps
You can pass Dynamic Authentication Context to your SAML (Security Assertion Markup Language, an XML-based standard for exchanging authentication and authorization data between an identity provider and a service provider) apps through the SAML assertion during application authentication. The app can then use the information to limit access to certain app-specific behaviors and to calculate a risk profile for the signed-in user.
The feature works with both custom and OIN (Okta Integration Network, an on-demand service comprised of thousands of pre-integrated business and consumer applications) SAML applications. It is exposed through an Okta Expression Language claim and can be configured as a custom SAML attribute. Depending on the number of factors used during authentication, the attribute yields either a single value or multiple values in the assertion (see Assertion examples).
Developers can also use the Okta Apps API to configure the custom attribute. The process of passing authentication context is similar to using claims that contain authentication method references (amr) in OIDC apps.
Enable Dynamic Authentication Method References
1. If you have not done so already, create a custom app or add an OIN app through the Okta Admin Console.
   - For creating custom SAML apps, see Create a SAML integration using AIW.
   - For adding OIN apps, see Add applications. Your app must support SAML.
2. Add an Attribute Statement to the app (for more details, see Define Attribute Statements). You can add the statement while creating a new app or as an edit to an existing app.
   When creating the app:
   - In Step 2: Configure SAML, scroll to the section Attribute Statements (Optional).
   – or –
   To edit an existing app, the procedure varies depending on whether you are editing a custom app or an OIN app.
   If editing a custom app:
   - In the Okta Admin Console, go to Applications > Applications.
   - Click the custom SAML app.
   - Go to the General tab, scroll to the section SAML Settings, and then click Edit.
   - Click Next.
   - Scroll to the section Attribute Statements (Optional).
   - Continue with step 3 (Name) below.
   If editing an OIN app:
   - In the Okta Admin Console, go to Applications > Applications.
   - Click the OIN SAML app.
   - Go to the Sign On tab, scroll to the section Attribute Statements (Optional), and then click Edit.
   - Continue with step 3 (Name) below.
3. In Name, enter a name for the attribute you want to add. The maximum length for this field is 512 characters. The Name must be unique across all of the user and group attribute statements.
4. In Name format, select Unspecified.
5. In Value, enter session.amr.
6. Click Next.
7. Click Finish when done.
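The Apps API route mentioned above, as an added example that is not Okta's own code: the function below takes the JSON representation of a custom SAML app, enforces the same rules the console enforces (a Name of at most 512 characters that is unique across user and group attribute statements, the Unspecified name format, the value session.amr) and returns the updated app object. The sample app object is constructed for this example; the attributeStatements shape (type EXPRESSION, name, namespace, values) follows the Apps API's custom SAML app representation. Sending the result is left to the caller, because an Apps API update is a PUT of the whole app object, so you GET the app first and send back the merged body rather than a fragment.

```python
"""Added example (not from the original page or from Okta): build the Apps API
update body that adds the `amr` attribute statement the console procedure
configures by hand.

Assumptions (labelled): `SAMPLE_APP` is a constructed custom SAML app object in
the shape the Okta Apps API returns; the caller sends the returned body with
PUT /api/v1/apps/{appId}, which replaces the whole app object.
"""
import copy

# Name format "Unspecified" in the console is this SAML attrname-format URI.
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
MAX_NAME_LEN = 512  # limit of the Name field stated in the procedure


def add_amr_attribute_statement(app: dict, name: str = "amr") -> dict:
    """Return a copy of `app` with an EXPRESSION attribute statement that
    emits session.amr under `name`. Raises ValueError on the same conditions
    the console rejects: empty/over-long Name, or a Name already in use by
    any user or group attribute statement (both live in the same array)."""
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("attribute name must be 1..512 characters")
    body = copy.deepcopy(app)  # never mutate the object fetched by GET
    sign_on = body.setdefault("settings", {}).setdefault("signOn", {})
    statements = sign_on.get("attributeStatements") or []
    if any(s.get("name") == name for s in statements):
        raise ValueError(f"attribute statement {name!r} already exists")
    statements.append({
        "type": "EXPRESSION",
        "name": name,
        "namespace": UNSPECIFIED,      # Name format: Unspecified
        "values": ["session.amr"],     # Value: session.amr
    })
    sign_on["attributeStatements"] = statements
    return body


# Constructed sample of an existing custom SAML app (abridged; real objects
# carry many more properties, all of which must be sent back on PUT).
SAMPLE_APP = {
    "name": "example_custom_saml",
    "label": "Example custom SAML app",
    "signOnMode": "SAML_2_0",
    "settings": {
        "signOn": {
            "ssoAcsUrl": "https://sp.example.com/saml/acs",
            "audience": "https://sp.example.com",
            "attributeStatements": [
                {"type": "EXPRESSION", "name": "email",
                 "namespace": UNSPECIFIED, "values": ["user.email"]},
            ],
        }
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(add_amr_attribute_statement(SAMPLE_APP)["settings"]["signOn"], indent=2))
```

Because the Name is checked against every entry of attributeStatements, the function also refuses to shadow a group attribute statement, which is the uniqueness rule the console applies.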
Assertion examples
The following assertion excerpts show examples of single-value versus multi-value authentication-context attributes for the amr attribute statement.
When just a password is used:
<saml:Attribute Name="amr" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:string">pwd</saml:AttributeValue>
</saml:Attribute>
When a password is used with Okta Verify as a second factor (mfa indicates that a multi-factor step was completed; swk is the factor-specific value for Okta Verify, proof of possession of a software-secured key):
<saml:Attribute Name="amr" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:string">pwd</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string">mfa</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string">swk</saml:AttributeValue>
</saml:Attribute>
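Consuming the attribute on the service-provider side, as an added example that is not from the original page or from Okta: the code parses the amr attribute out of an assertion (both excerpts above, wrapped in a constructed minimal Assertion skeleton), treats it as the multi-valued list it is, and gates app-specific actions on it, which is the "limit access to certain app-specific behaviors" use the page describes. The action policy and the risk labels are constructed for this example. It assumes the SP's SAML library has already verified the assertion signature, audience and conditions; an unverified assertion's amr attribute is attacker-controlled and must not be consulted.

```python
"""Added example (not Okta's code): read the multi-valued `amr` attribute from a
SAML assertion and enforce an app-specific policy on it.

Assumptions (labelled): signature/audience/conditions validation has already
been done by the SP's SAML library; ACTION_POLICY, risk_profile() and the
sample assertions are constructed for this example.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed policy: amr values that satisfy each action (any one suffices).
# "mfa" is the generic value Okta emits alongside the factor-specific one
# (e.g. swk for Okta Verify); "sc" is emitted for Smart card.
ACTION_POLICY = {
    "view_dashboard": set(),          # any authenticated session
    "export_report": {"mfa", "sc"},   # second factor or smart card
    "rotate_api_key": {"mfa"},        # a completed MFA step is mandatory
}


def amr_values(assertion_xml: str, attr_name: str = "amr") -> list:
    """Return every AttributeValue of the named attribute, in assertion order.
    A missing attribute yields []; callers must treat that as 'no context',
    never as MFA."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attr_name:
            continue
        for v in attr.iterfind("saml:AttributeValue", NS):
            if v.text and v.text.strip():
                values.append(v.text.strip())
    return values


def is_allowed(action: str, amr: list) -> bool:
    """Fail closed: unknown actions are denied, empty amr satisfies nothing
    beyond actions with no requirement."""
    required = ACTION_POLICY.get(action)
    if required is None:
        return False
    if not required:
        return True
    return bool(required & set(amr))


def risk_profile(amr: list) -> str:
    """Coarse label an app can feed into its own risk scoring. Note the page's
    caveat: a sign-in through a federated IdP is reported as plain pwd, so it
    is indistinguishable here from a password-only Okta login."""
    if "mfa" in amr or "sc" in amr:
        return "low"
    if amr == ["pwd"]:
        return "elevated"
    return "unknown"


def wrap_assertion(attribute_xml: str) -> str:
    """Constructed minimal Assertion skeleton around an Attribute excerpt."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xs="http://www.w3.org/2001/XMLSchema">'
        f"<saml:AttributeStatement>{attribute_xml}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


AMR_NS = 'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"'
PASSWORD_ONLY = wrap_assertion(
    f'<saml:Attribute Name="amr" {AMR_NS}>'
    '<saml:AttributeValue xsi:type="xs:string">pwd</saml:AttributeValue>'
    "</saml:Attribute>"
)
PASSWORD_AND_OKTA_VERIFY = wrap_assertion(
    f'<saml:Attribute Name="amr" {AMR_NS}>'
    '<saml:AttributeValue xsi:type="xs:string">pwd</saml:AttributeValue>'
    '<saml:AttributeValue xsi:type="xs:string">mfa</saml:AttributeValue>'
    '<saml:AttributeValue xsi:type="xs:string">swk</saml:AttributeValue>'
    "</saml:Attribute>"
)

if __name__ == "__main__":
    for label, xml in (("pwd only", PASSWORD_ONLY), ("pwd + Okta Verify", PASSWORD_AND_OKTA_VERIFY)):
        amr = amr_values(xml)
        print(label, amr, risk_profile(amr),
              {a: is_allowed(a, amr) for a in ACTION_POLICY})
```

The check keys on the generic mfa value rather than on swk so that any Okta second factor satisfies it; an app that wants to require a specific factor type can list that factor-specific value in its policy instead.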

Note
Currently, Dynamic SAML Authentication Context and Smart card are supported only for primary authentication performed by Okta itself, not for authentication performed by a federated identity provider (IdP). For example, if you use a federated identity provider to sign in to your application with Dynamic SAML enabled, the assertion contains only pwd as a default value, regardless of how the external IdP authenticated the user. Similarly, if you use Smart card, the assertion contains only sc as a default value. A service provider therefore cannot use this attribute to learn which factors an upstream IdP applied.
See also
Create a SAML integration using AIW