Custom IdP Factor Authentication
This is an Early AccessEarly Access (EA) features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. feature. To enable it, please contact Okta Support.
In this topic
- End-user experience
- Before you begin
- Add an Identity Provider
- Enable the custom IdP factor
- Related links
Once an IdP factor has been enabled and added to a factor enrollment policy, users who sign in to Okta may use it to verify their identity at sign in. End usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using chiclets to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. are directed to the Identity Provider in order to authenticate and then redirected to Okta once verification is successful.
With this feature you can:
- Add a custom IdP factor for existing IdP authentication.
- Enable or disable the custom factor from the adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. console.
- Link an existing SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IDP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on a chiclet, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. 2.0 Identity Provider to use as the custom factor provider.
- After the admin has added and enabled the custom factor, the end user is prompted to set up custom factor authentication on their next sign in.
- Once the end user has successfully set up the factor, it will appear in their settings as a configured factor under Settings > Extra Verification.
Before you begin
- Admin access to Okta is required to enroll and configure the desired custom factor.
- An existing Identity Provider must be available to use as the additional step up authentication provider.
- Refer to Step 1 - Add an Identity Provider in this topic for more information on adding an Identity Provider.
Step 1 - Add an Identity Provider
- Refer to Identity Providers for more information how to create a SAML Identity Provider for MFA. The workflow is located under: Identify Providers > Configure Inbound SAMLWhen Okta is used as a service provider, it integrates with an identity provider outside of Okta using SAML. Inbound SAML allows users from external identity providers to SSO into Okta. > Workflow > Part 1 – Add a SAML Identity Provider.
Create the IdP factor with IdP usage as FactorOnly. Note that JIT settings are not supported.
- Once configured, navigate to Security > Identity Providers from the Okta console to add the Identity Provider.
Step 2 - Enable the custom IdP factor
- From the admin dashboard, navigate to Security > Multifactor.
- Click IdP Factor to access custom factor setup for custom SAML factor setup.
- Click Edit.
- Click Add Custom Factor to add a new custom factor.
Select an Identity Provider from the menu. Note that the Identity Provider must be configured first before it can be selected.
- Click Save to save your configuration once an Identity Provider has been added.
- Set the custom factor status to Active to enable it for end users or Inactive to disable it.
Once the custom factor is active, navigate to Factor Enrollment and add the IdP factor to your orgThe Okta container that represents a real-world organization.'s factor enrollment policy.