Custom Factor Authentication

This is a Beta feature. To see about participating in this Beta program, please refer to the Beta Programs page.


This feature allows admins to configure and enable a custom factor in addition to existing factors supported by Okta. End usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using chiclets to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. can sign in and authenticate using custom factors that have been enabled by an adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. once added to the orgThe Okta container that represents a real-world organization. sign on policy.

After configuring a custom factor, users that sign in to Okta will be required for authenticate with additional verification. If a custom SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IDP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on a chiclet, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. or OpenID Connect (OIDCOpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0, an authorization framework. The standard is controlled by the OpenID) factor is selected, the user is directed to the configured MFA provider to authenticate. Once the user is verified, they are redirected to Okta.


User Roles

User Role User Impact
Okta Admin
  • Add a custom factor such as SAML or OIDC for authentication
  • Enable or disable the custom factor from the admin dashboard
  • Create, manage, and edit a custom factor from the list of available factors
  • Link an existing SAML 2.0 or OIDC Identity Provider to use as the custom factor provider
  • End User
  • View a list of available factors, which includes custom factors
  • Use the custom factor for step up authentication when the factor is enabled

  • Prerequisites

    • Your Okta preview tenant must have the beta feature flag enabled: CUSTOM_FACTOR.

      • Note: You will be informed via email once the feature flag has been enabled on your preview account.

    • Admin access to Okta to enroll and configure the desired custom factor
    • An existing Identity Provider must be available to use as the additional step up authentication provider. Refer to the next section for more information on adding an identity provider.

    Add an Identity Provider

    Enable the Custom Factor

    1. From the admin dashboard, navigate to Security > Multifactor.
    2. Click Custom Factor to access custom factor setup.
    3. Click Add Custom Factor to add a new custom factor.
    4. Select a Identity Provider from the menu. Note that the Identity Provider must be configured first before it can be selected.

    5. Click Save to save your configuration once ad Identity Provider has been added.
    6. Set the custom factor status to Active to enable it for end users or Inactive to disable it.

    End User Result

    • After the admin has added and enabled the custom factor, the end user is prompted to set up custom factor authentication on their next sign in.
    • Once the end user has successfully set up the factor, it will appear in their settings as a configured factor under Settings > Extra Verification.