This article describes how the Global Sign On Policy and the Authentication Policies should be configured so that users who log in to an OpenID Connect application with Direct Authentication can complete authentication with each of the Direct Authentication options.
- OAuth/OpenID Connect application
- Direct Authentication
When completing a Direct Authentication flow where the OTP, Okta Verify Push, or Phone authenticator is used as the primary factor, the Authentication Policies that apply to the user and the application must not require Password/Identity Provider (IdP), because this flow is designed for passwordless authentication.
Conversely, when completing a Direct Authentication flow where the OTP, Okta Verify Push, or Phone authenticator is used as a secondary factor, the Authentication Policies that apply to the user and the application must allow Password/IdP, because the user needs to authenticate with their Username and Password before they can be challenged for the secondary factor.
For Direct Authentication, OTP/Okta Verify Push/Phone as Primary Factor
- Ensure Password is not required for the user in the Global Sign On Policy.
- Ensure Password is not required for the Authentication Policy assigned to the target OpenID Connect application.
For Direct Authentication, OTP/Okta Verify Push/Phone as Secondary Factor
- Ensure Password is allowed for the user in the Global Sign On Policy.
- Ensure Password is allowed for the Authentication Policy assigned to the target OpenID Connect application.
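The following is an added example, not code from the Okta article: an offline model of the two Direct Authentication flows contrasted above, driven against a mock token endpoint that applies the password settings the checklists tell you to verify. The grant-type URNs and the `mfa_required`/`mfa_token` response shape follow my reading of Okta's Direct Authentication documentation and are assumptions; the endpoint, the tri-state policy model, the user record and the OTP values are constructed for the demonstration.

```python
# Added example (not from the Okta article). Grant-type URNs and the
# mfa_required/mfa_token response shape are assumptions based on Okta's
# Direct Authentication docs; everything else here is constructed.
from dataclasses import dataclass
from enum import Enum


class Password(Enum):
    """Simplified tri-state for how a policy treats the Password/IdP factor."""
    NOT_ALLOWED = "not_allowed"
    ALLOWED = "allowed"
    REQUIRED = "required"


@dataclass(frozen=True)
class Policy:
    """Password setting in the Global Sign On Policy and in the app's Authentication Policy."""
    global_sign_on: Password
    app_authentication: Password

    def password_required(self) -> bool:
        return Password.REQUIRED in (self.global_sign_on, self.app_authentication)

    def password_allowed(self) -> bool:
        return Password.NOT_ALLOWED not in (self.global_sign_on, self.app_authentication)


OTP_GRANT = "urn:okta:params:oauth:grant-type:otp"          # OTP as the primary factor (assumed URN)
MFA_OTP_GRANT = "urn:okta:params:oauth:grant-type:mfa-otp"  # OTP as the secondary factor (assumed URN)
PASSWORD_GRANT = "password"

# Constructed directory: one user with a password and the OTP their authenticator would show.
USERS = {"alice@example.com": {"password": "correct-horse-battery", "otp": "123456"}}


class MockTokenEndpoint:
    """Constructed stand-in for the token endpoint that enforces the Policy above."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.pending_mfa: dict[str, str] = {}  # mfa_token -> username awaiting a second factor
        self._issued = 0

    def token(self, form: dict) -> dict:
        handlers = {OTP_GRANT: self._primary_otp,
                    PASSWORD_GRANT: self._password,
                    MFA_OTP_GRANT: self._mfa_otp}
        handler = handlers.get(form.get("grant_type"))
        return handler(form) if handler else {"error": "unsupported_grant_type"}

    def _primary_otp(self, form: dict) -> dict:
        # Passwordless flow: refused if either policy still requires a password.
        if self.policy.password_required():
            return {"error": "access_denied", "error_description": "policy requires a password"}
        user = USERS.get(form.get("login_hint"))
        if user and form.get("otp") == user["otp"]:
            return {"access_token": "tok-primary-otp", "token_type": "Bearer"}
        return {"error": "invalid_grant"}

    def _password(self, form: dict) -> dict:
        # First leg of the secondary-factor flow: password must be an allowed factor.
        if not self.policy.password_allowed():
            return {"error": "access_denied", "error_description": "policy does not allow a password"}
        user = USERS.get(form.get("username"))
        if not user or form.get("password") != user["password"]:
            return {"error": "invalid_grant"}
        self._issued += 1
        mfa_token = f"mfa-{self._issued}"
        self.pending_mfa[mfa_token] = form["username"]
        return {"error": "mfa_required", "mfa_token": mfa_token}

    def _mfa_otp(self, form: dict) -> dict:
        # Second leg: the OTP is bound to the single-use mfa_token from the password leg.
        username = self.pending_mfa.pop(form.get("mfa_token"), None)
        if username is not None and form.get("otp") == USERS[username]["otp"]:
            return {"access_token": "tok-secondary-otp", "token_type": "Bearer"}
        return {"error": "invalid_grant"}


def primary_factor_flow(endpoint: MockTokenEndpoint, username: str, otp: str) -> dict:
    """OTP as the primary factor: one token request, no password involved."""
    return endpoint.token({"grant_type": OTP_GRANT, "login_hint": username, "otp": otp})


def secondary_factor_flow(endpoint: MockTokenEndpoint, username: str, password: str, otp: str) -> dict:
    """Password first, then OTP as the secondary factor using the returned mfa_token."""
    first = endpoint.token({"grant_type": PASSWORD_GRANT, "username": username, "password": password})
    if first.get("error") != "mfa_required":
        return first  # policy refusal or bad credentials: nothing further to send
    return endpoint.token({"grant_type": MFA_OTP_GRANT, "mfa_token": first["mfa_token"], "otp": otp})


if __name__ == "__main__":
    cases = {"password not required": Policy(Password.ALLOWED, Password.ALLOWED),
             "password required": Policy(Password.REQUIRED, Password.ALLOWED),
             "password not allowed": Policy(Password.NOT_ALLOWED, Password.ALLOWED)}
    for name, policy in cases.items():
        ep = MockTokenEndpoint(policy)
        print(name, "| primary:", primary_factor_flow(ep, "alice@example.com", "123456"),
              "| secondary:", secondary_factor_flow(ep, "alice@example.com", "correct-horse-battery", "123456"))
```

Running the three cases shows the point of the two checklists: with a password required in either policy the primary-factor flow is refused before the OTP is even checked, with a password not allowed the secondary-factor flow never gets past its first leg, and a policy that allows but does not require a password lets both flows complete.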
