This is an Early Access feature. To enable it, contact Okta Support.
Once an IdP
With this feature you can:
- Add a custom IdP factor for existing SAML or OIDC-based IdP authentication.
- Enable or disable the custom IdP factor from the Admin Console.
- Link an existing SAML 2.0 IdP or OIDC IdP to use as the custom IdP factor.
Before you begin
- Admin access to Okta is required to enroll and configure the desired custom IdP factor.
- An existing Identity Provider must be available to use as the additional step-up authentication provider.
SAML and OIDC claims
Okta expects the following claims for SAML and OIDC:
- For the SAML response, the subjectNameId claim is mapped to the Okta username.
- For the OIDC response, the preferred_username claim is mapped to the Okta username.
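As an added illustration (not code from the Okta documentation), the Python below pulls the two claims named above out of a captured response, which is the check an admin can run against a test response from the IdP before linking it as the factor. The SAML Response and the ID token are constructed samples; the ID token is unsigned and signature verification is deliberately out of scope.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces (from the OASIS spec).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal SAML Response with only the elements that
# matter for username mapping (signature and conditions omitted).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def saml_username(response_xml: str) -> str:
    """Return the Subject NameID value that Okta maps to the Okta username."""
    root = ET.fromstring(response_xml)  # test capture only; use defusedxml for untrusted input
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("no Subject NameID: Okta cannot map a username")
    return name_id.text.strip()

def make_unsigned_id_token(claims: dict) -> str:
    """Constructed, UNSIGNED JWT-shaped ID token for local testing only."""
    segs = [base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
            for d in ({"alg": "none"}, claims)]
    return ".".join(segs) + "."

def oidc_username(id_token: str) -> str:
    """Return preferred_username from the ID token payload (signature check out of scope)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    username = claims.get("preferred_username")
    if not username:
        raise ValueError("no preferred_username claim: Okta cannot map a username")
    return username

# Constructed sample ID token carrying the claim Okta expects.
SAMPLE_ID_TOKEN = make_unsigned_id_token(
    {"iss": "https://idp.example.com", "sub": "1234", "preferred_username": "alice@example.com"})
```

If either function raises, the IdP is not sending the claim Okta maps to the username and enrollment will not match an Okta user.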
There are two primary steps to set up a custom IdP factor:
- Add the IdP for MFA
- Enable the IdP factor
Step 1: Add an Identity Provider for MFA
- Refer to Identity Providers for more information on how to create a SAML Identity Provider for MFA. For this workflow, navigate to Identity Providers > Configure Inbound SAML > Workflow > Part 1 – Add a SAML Identity Provider.
- Create the IdP factor with IdP usage set to FactorOnly. Note that JIT settings are not supported.
- Once configured, navigate to Security > Identity Providers from the Okta console to add the Identity Provider.
- OpenID Connect
- Refer to Generic OpenID Connect for general information about OpenID Connect.
- Refer to Generic OpenID Connect Identity Providers on how to set up an OIDC Identity Provider.
- Once configured, go to Security > Identity Providers from the Okta console to add the Identity Provider.
Step 2: Enable the custom IdP factor
- In the Admin Console, go to Security >
- Click IdP Factor to open the setup page for a custom SAML factor or a custom OIDC factor.
- Click Add Custom Factor to add a new custom factor.
- Select an Identity Provider from the menu. Note that the Identity Provider must be configured before it can be selected.
- Click Save to save your configuration once an Identity Provider has been added.
- Set the custom IdP factor status to Active to enable it for end users, or Inactive to disable it.
Once the custom
- After the admin has added and enabled the custom IdP factor, the end user is prompted to set up custom factor authentication on their next sign-in.
- Once the end user has successfully set up the factor, it appears in their settings as a configured factor under Settings > Extra Verification.
- When an end user triggers the use of a factor, the factor times out after five minutes, after which they must trigger the use of the factor again.
Custom IdP factor authentication is not supported for use with the following:
- Okta Mobile: When Custom IdP factor authentication is enabled for an org, Okta Mobile doesn't prompt users for PIN setup and the web interface appears in place of the app UI. Users can't launch applications from Okta Mobile by tapping them.
- Okta IWA web agent: Custom IdP factor authentication can't be used with the Okta IWA agent for single sign-on (SSO).
- Device Trust: Custom IdP factor authentication fails when used with Device Trust.