Pass Device Context using Limited Access in Okta Identity Engine
Early Access release
Limited Access allows you to configure Okta to pass device context to certain SAML apps through the SAML assertion that's exchanged during authentication. The apps can then use that information to limit access to certain app-specific behaviors, such as permissions to edit or download files from the app.
If your org uses Classic Engine, see this topic.
This feature works with Windows, macOS, iOS, and Android devices. Custom and OIN SAML app integrations are able to consume the device context attribute to allow or block access based on your configurations.
Orgs that have migrated from Okta Classic Engine to Okta Identity Engine need to manually reconfigure the Expression Language to ensure the outcome is correct. See Okta Expression Language overview.
Before you begin
- In the Admin Console, go to and enable Send device context through SAML applications.
- Ensure that device management attestation is enabled. See Management attestation for desktop devices and Management attestation for mobile devices.
- Configure an authentication policy with device management enabled. See Add an authentication policy rule for desktop and Add an authentication policy rule for mobile.
- Configure the external application to consume the device context received in the SAML assertion and specify the behaviors you want to control based on that context.
For more information, see Managed devices and select the appropriate topic for your org.
Supported attribute values
When this feature is configured, Okta passes one of the following attribute values to the external application in the SAML assertion, according to the Attribute Statement and authentication policy you've configured in Okta.
Attribute Value | Definition
---|---
true | The user's device is Managed as defined by the Okta authentication policy.
false | The user's device isn't Managed, as defined by the Okta authentication policy.
null | The device context is unknown because one or both of the following are true:
The Attribute Value passed to the external application is enforced for the duration of the session.
Use Okta Expression Language to map Okta terminology to vendor-specific terminology.
Add an attribute statement
- If you haven't done so already, create a custom app integration or add an OIN app integration through the Admin Console.
  - To create a custom SAML app integration, see Create SAML app integrations.
  - To add an OIN app integration, see Add existing app integrations. Your external application must support SAML.
- Add an Attribute Statement to the app integration. For more details, see Create SAML app integrations. You can add the statement while creating an app integration or while editing an existing one.
Attribute statements
This process varies depending on the app integration that you're creating or editing.
Edit a custom app integration
- In the Admin Dashboard, go to .
- Click the custom SAML app that you want to edit.
- Click the General tab. Scroll to the SAML Settings section, and then click Edit.
- Click Next.
- Scroll to the Attribute Statements section.
- In the Name field, enter a name for the attribute. The maximum length for this field is 512 characters, and the name attribute must be unique across all user and group attribute statements.
- Select Unspecified as the Name format.
- In the Value field, type device.profile.managed. Use Okta Expression Language to transform the value as needed for your use case. The maximum length for this field is 1024 characters.
Edit an OIN app integration
- In the Admin Dashboard, go to .
- Click the OIN SAML app integration.
- Click the Sign on tab, and then click Edit.
- Scroll to the Attribute Statements section.
- In the Name field, enter a name for the attribute. The maximum length for this field is 512 characters, and the name attribute must be unique across all user and group attribute statements.
- Select Unspecified as the Name format.
- In the Value field, select device.profile.managed. Use Okta Expression Language to transform the value as needed for your use case. The maximum length for this field is 1024 characters.
Transform the attribute value
You can use the Okta Expression Language to transform the value as needed for your use case. For example, to map Okta terms for a trusted device context to relevant Salesforce terms, enter this statement in the Value field:
device.profile.managed == true ? "HIGH ASSURANCE" : "STANDARD"

The above statement transforms terms as follows:

Okta device context attribute | Salesforce term
---|---
true | HIGH ASSURANCE
false | STANDARD
null | STANDARD
To add another statement row, click Add Another. Repeat until all necessary attributes are defined.
Save your changes by clicking Next, and then click Finish when you're done.
Attribute statement details
Here's an attribute statement sent to an external application through the SAML Assertion that shows the device context of an untrusted device:
```xml
<?xml version="1.0"?>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="device.profile.managed" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
      false
    </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
```
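The following is an added example, not Okta's code or any SP library's, of how the consuming application can read the device.profile.managed attribute from a statement like the one above and apply the same true/false/null mapping shown in the Transform the attribute value section. The `may_download_files` rule and the constructed sample statements are hypothetical; the example assumes the enclosing assertion's signature, issuer, audience and conditions have already been validated before the attribute is read.

```python
import xml.etree.ElementTree as ET
from typing import Optional

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
DEVICE_ATTR = "device.profile.managed"


def read_device_managed(attribute_statement_xml: str) -> Optional[bool]:
    """Return True/False for the two known values, None when the attribute is
    absent, empty, or carries the literal "null" (unknown device context)."""
    root = ET.fromstring(attribute_statement_xml)
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        if attr.get("Name") != DEVICE_ATTR:
            continue
        value_el = attr.find(f"{{{SAML2}}}AttributeValue")
        if value_el is None:
            return None
        # Okta emits the value with surrounding whitespace/newlines (see the
        # sample above), so normalise before comparing.
        text = (value_el.text or "").strip().lower()
        if text == "true":
            return True
        if text == "false":
            return False
        return None  # "null" or an unexpected value: treat as unknown
    return None  # attribute not present in this assertion


def salesforce_assurance(managed: Optional[bool]) -> str:
    """Same mapping as the Expression Language statement on the page:
    device.profile.managed == true ? "HIGH ASSURANCE" : "STANDARD"."""
    return "HIGH ASSURANCE" if managed is True else "STANDARD"


def may_download_files(managed: Optional[bool]) -> bool:
    """Hypothetical app-side rule: only a managed device may download files.
    Unknown (None) is handled like unmanaged, so the check fails closed."""
    return managed is True


def _statement(value: Optional[str]) -> str:
    """Constructed AttributeStatement in the shape Okta sends; value=None
    omits the attribute entirely (device context unknown)."""
    if value is None:
        return f'<saml2:AttributeStatement xmlns:saml2="{SAML2}"/>'
    return (
        f'<saml2:AttributeStatement xmlns:saml2="{SAML2}">'
        f'<saml2:Attribute Name="{DEVICE_ATTR}" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">'
        '<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        f'xsi:type="xs:string">\n    {value}\n</saml2:AttributeValue>'
        '</saml2:Attribute></saml2:AttributeStatement>'
    )
```

Running `read_device_managed` over `_statement("true")`, `_statement("false")`, `_statement("null")` and `_statement(None)` yields True, False, None and None respectively; only the first grants `may_download_files`.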