Identity Provider (IdP) factor authentication allows admins to enable authentication with trusted OIDC or SAML Identity Providers as extra verification. When configured, the end user will see the option to use the trusted IdP for extra verification and will be redirected to the IdP for verification. This verification will replace authentication with another non-password authenticator, such as Okta Verify.
Once an IdP authenticator has been enabled and added to an MFA enrollment policy, users who sign in to Okta may use it to verify their identity. End users are directed to the Identity Provider in order to authenticate and are then redirected to Okta once verification is successful.
With this feature you can:
- Add a custom IdP authenticator for existing SAML or OIDC-based IdP authentication.
- Enable or disable the custom authenticator from the Admin Console.
- Link an existing SAML 2.0 IdP or OIDC IdP to use as the custom authenticator provider.
Before you begin
- Admin access to Okta is required to enroll and configure the desired custom authenticator.
- An existing Identity Provider must be available to use as the additional step up authentication provider.
SAML and OIDC claims
Okta expects the following claims for SAML and OIDC:
- For the SAML response, the subjectNameId claim is mapped to the Okta username.
- For the OIDC response, the preferred_username claim is mapped to the Okta username.
Custom IdP authenticator configuration
There are two primary steps to set up a custom IdP authenticator:
- Add the IdP for MFA.
Enable the IdP authenticator.
Step 1: Add an Identity Provider for MFA
- Refer to Identity Providers for more information on how to create a SAML Identity Provider for MFA. For this workflow, navigate to Identify Providers > Configure Inbound SAML > Workflow > Part 1 – Add a SAML Identity Provider.
Create the IdP authenticator with IdP usage as Factor Only. Note that JIT settings are not supported, and IdPs that are set as SSO only can't be used for Custom IdP authenticator.
- Once configured, navigate to Security > Identity Providers from the Okta console to add the Identity Provider.
- Refer to Generic OpenID Connect for general information about OpenID Connect.
- Refer to Generic OpenID Connect Identity Providers on how to set up an OIDC Identity Provider.
- Once configured, go to Security > Identity Providers from the Okta console to the Identity Provider.
Step 2: Enable the custom IdP authenticator
- In the Admin Console, go to Security > Authenticators.
Click Add Authenticator.
Under Custom IdP, click Add.
- Select an Identity Provider from the menu. Note that the Identity Provider must be configured first before it can be selected.
- Click Save to save your configuration once an Identity Provider has been added.
Set the custom authenticator status to Active to enable it for end users or Inactive to disable it.
- After the admin has added and enabled the custom authenticator, the end user is prompted to set up custom authenticator authentication on their next sign in.
- Once the end user has successfully set up the authenticator, it will appear in their settings as a configured authenticator under Settings > Extra Verification.
- When an end user triggers the use of an authenticator, it times out after five minutes, after which they must trigger the use of the authenticator it again.
The Custom IdP authenticator doesn't support the use of Microsoft Azure Active Directory (AD) as an identity provider.To use Microsoft Azure AD as an identity provider, see Make Azure Active Directory an identity provider.