This Early Access feature can be enabled from the Early Access Feature Manager. See Manage Early Access and Beta features for more details.
- Factor Sequencing supports Okta Push and other factors as the primary method of authentication.
- This feature is supported on Okta Mobile only if password is set as the first factor.
- To configure and activate your factors of choice, navigate to Security > Multifactor > Factor Types from the Admin Console.
There are two steps to set up Factor Sequencing successfully:
- At Okta sign in, the end user is prompted to enter their ID to sign in.
- After entering their ID and clicking Next, the end user must authenticate with one or more factors that have been configured by their admin as part of the sign on policy.
- The end user can also select other factors in the sequence to authenticate via the factors listed in the drop-down menu.
Before you begin
Note the following limitations before configuring Factor Sequencing:
- SAML-based MFA or Identity Providers cannot be used as part of the Factor Sequencing chain.
- Factor Sequencing chains cannot be specified for application sign-on policies.
- A user must be enrolled in the first factor in the factor sequence to sign in successfully. If they have not enrolled in the first factor of the sequence, they will be unable to sign in.
- If the sign-on policy has multiple factor chains, the user must be enrolled in the first factor from at least one factor chain.
Set enrollment policies for MFA factors
- From the Admin Console, navigate to Security > Multifactor > Factor Enrollment to set the enrollment policies for the factors you have already activated for your users.
- Verify that the factors in at least one factor chain are marked as Required for enrollment. For example, by defining the following two factor sequences in your sign-on policy:
(a) SMS and Okta Verify
(b) Okta Verify and Security Questions
Your end users are required to enroll in the sequenced factors (a) or (b) for successful authentication to take place.
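The two enrollment conditions described above (at least one chain whose factors are all Required, and every user enrolled in the first factor of at least one chain) can be checked before a rule is saved. The following is an added example, not Okta code: it runs on constructed data, and the function names, the "Optional" status label and the user records are assumptions standing in for data exported from your org.

```python
# Added example: pre-rollout audit for Factor Sequencing (constructed data, not Okta code).
# Assumption: chains, enrollment policy and user enrollments have been exported
# from the org into plain Python structures like the ones below.

# Factor chains from the sign-on policy rule; the first entry is the primary factor.
CHAINS = [
    ["SMS", "Okta Verify"],                 # sequence (a) from the page
    ["Okta Verify", "Security Questions"],  # sequence (b) from the page
]

# Enrollment policy: factor -> status ("Optional" is an assumed label).
ENROLLMENT_POLICY = {"SMS": "Optional", "Okta Verify": "Required",
                     "Security Questions": "Required"}

# Constructed users and the factors each one has enrolled.
USERS = {
    "alice": {"SMS", "Okta Verify"},
    "bob": {"Security Questions"},   # enrolled, but never in a first factor
    "carol": {"Okta Verify"},
    "dave": set(),
}


def fully_required_chains(chains, policy):
    """Chains whose every factor is marked Required for enrollment."""
    return [c for c in chains if all(policy.get(f) == "Required" for f in c)]


def usable_chains(enrolled, chains):
    """Chains the user can start: they are enrolled in the chain's first factor."""
    return [c for c in chains if c and c[0] in enrolled]


def locked_out_users(users, chains):
    """Users not enrolled in the first factor of any chain; they cannot sign in."""
    return sorted(u for u, enrolled in users.items()
                  if not usable_chains(enrolled, chains))


def audit(users, chains, policy):
    """Return (policy_ok, locked_out) so both conditions are checked together."""
    return bool(fully_required_chains(chains, policy)), locked_out_users(users, chains)


if __name__ == "__main__":
    policy_ok, locked = audit(USERS, CHAINS, ENROLLMENT_POLICY)
    print("At least one chain fully Required:", policy_ok)
    print("Users who would be unable to sign in:", locked)
```

The "bob" record shows the case that is easy to miss: a user enrolled in a factor that appears in a chain, but only as a later step, is still unable to sign in.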
Define Okta sign-on policies
- From the Admin Console, navigate to Security > Authentication > Sign On.
- Select an existing rule or create a new rule for end users.
- After selecting your rule criteria, scroll down to Authentication to define your factor sequences.
Once your changes are saved, authentication with factor sequencing will be made available to end users immediately.
Example of Factor Sequencing in the admin console when defining a policy rule for MFA enrollment: