Pass Device Context to SAML apps using Limited Access
Limited Access allows you to configure Okta to pass device context to certain SAML apps through the SAML assertion during app authentication. The app can then use that information to limit access to certain app-specific behaviors, such as the user's permission to edit the app or download files from the app.
This feature works with:
- Windows, macOS, iOS, and Android devices
- Custom and OIN SAML apps able to consume the device context attribute
Prerequisites
In the Okta Admin Console
- Enable Device Trust in the Okta Admin Console (Security > Device Trust)
- Configure a Device Trust sign-on policy for the app (Applications > app > Sign On tab)
For details, see the Device Trust document appropriate for your implementation.
In the 3rd-party app
Configure the app to consume the device context received in the SAML assertion and specify the app behaviors you want to control based on the context.
Supported attribute values
When this feature is configured, Okta passes one of the following attribute values to the app in the SAML assertion, according to the Attribute Statement and app sign-on policy you configure in Okta.
Attribute Value | Definition
---|---
TRUSTED | User’s device is trusted as defined by the Okta app sign-on policy
NOT_TRUSTED | User’s device is untrusted as defined by the Okta app sign-on policy
UNKNOWN | The device context is unknown because one or both of the following is true:

Notes
- The Attribute Value passed to the app is enforced for the duration of the session.
- You can enter Expression Language to map Okta terminology to ISV-specific terminology.
Procedure
1. Complete the Prerequisites.
2. If you have not done so already, create a custom app or add an OIN app through the Okta Admin Console.
   - For creating custom SAML apps, see Create a SAML integration using AIW.
   - For adding OIN apps, see Add applications. Your app must support SAML.
3. Add an Attribute Statement to the app (for more details, see Define Attribute Statements). You can add the statement while creating a new app or as an edit to an existing app.
   When creating the app:
   In Step 2: Configure SAML, scroll to the section Attribute Statements (Optional).
   – or –
   To edit an existing app:
   The procedure varies depending on whether you are editing a custom app or an OIN app.
   If editing a custom app:
   - In the Okta Admin Console, go to Applications > Applications.
   - Click the custom SAML app.
   - Go to the General tab, scroll to the section SAML Settings, and then click Edit.
   - Click Next.
   - Scroll to the section Attribute Statements (Optional).
   - Continue to Step 4 below.
   If editing an OIN app:
   - In the Okta Admin Console, go to Applications > Applications.
   - Click the OIN SAML app.
   - Go to the Sign On tab, scroll to the section Attribute Statements (Optional), and then click Edit.
   - Continue to Step 4 below.
4. In Name, enter a name for the attribute you want to add.
   The maximum length for this field is 512 characters. The Name attribute must be unique across all of the user and group attribute statements.
5. In Name format, select Unspecified.
6. In Value, select device.trusted.
   The maximum length for this field is 1024 characters.
   You can use the Okta Expression Language to transform the value as needed for your use case.
   For example, to map Okta terms for a trusted device context to relevant Salesforce terms, you would enter this statement in the Value field:
   device.trusted == "TRUSTED" ? "HIGH ASSURANCE" : "STANDARD"
   The above statement transforms terms as follows:

   Okta device context attribute | Salesforce term
   ---|---
   TRUSTED | HIGH ASSURANCE
   NOT_TRUSTED | STANDARD
   UNKNOWN | STANDARD
7. To add an additional statement row, click Add Another. Repeat until all necessary attributes are defined.
8. Click Next.
9. Click Finish when done.
Attribute Statement details
Here is an Attribute Statement sent to an app through the SAML Assertion showing the device context of an untrusted device:
```xml
<?xml version="1.0"?>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="DeviceTrustSignal" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">NOT_TRUSTED</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
```
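The statement above as consumed on the app side, as an added example that is not Okta's or the page's own code: it reads the device context attribute out of the Attribute Statement and maps it to the app-specific limits the page describes. It assumes the attribute is named DeviceTrustSignal as in the sample, and that the SP's SAML library has already validated the assertion signature before this code runs.

```python
"""Added example (not Okta's code): consume the device-context attribute
from an Okta SAML Attribute Statement and limit app behaviour from it.
Assumes the attribute name "DeviceTrustSignal" (as in the page's sample)
and that signature validation was already done by the SAML library."""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR_NAME = "DeviceTrustSignal"

# Constructed sample: same shape as the page's statement for an untrusted
# device (trailing whitespace kept on purpose to show it is tolerated).
SAMPLE_STATEMENT = """<?xml version="1.0"?>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="DeviceTrustSignal" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">NOT_TRUSTED </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def device_context(statement_xml: str, attr_name: str = ATTR_NAME) -> str:
    """Return TRUSTED, NOT_TRUSTED or UNKNOWN.

    A missing attribute, empty value or unrecognised string is reported as
    UNKNOWN, so the caller's decision fails closed rather than open."""
    root = ET.fromstring(statement_xml)
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") != attr_name:
            continue
        value = attr.find(f"{{{SAML2_NS}}}AttributeValue")
        if value is None or value.text is None:
            return "UNKNOWN"
        text = value.text.strip()  # tolerate incidental whitespace
        return text if text in ("TRUSTED", "NOT_TRUSTED") else "UNKNOWN"
    return "UNKNOWN"


def allowed_actions(context: str) -> set:
    """App-specific limits of the kind the page describes: only a trusted
    device may edit or download; NOT_TRUSTED and UNKNOWN are view-only.
    The action names are this example's own, not Okta's."""
    if context == "TRUSTED":
        return {"view", "edit", "download"}
    return {"view"}
```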
Related topics
Create a SAML integration using AIW