
Persona IDV Not Triggering for Self Service Password Reset Despite Configured Okta Account Management Policy

Okta Identity Engine
Administration

Overview

Persona (or another IDV provider) is not triggered as expected during Self-Service Password Reset or Account Unlock, even though the Okta Account Management Policy is configured and works for Profile Updates.

Applies To

  • Okta Identity Engine (OIE)
  • Identity Verification (IDV)
  • Self-Service Password Reset (SSPR)
  • Account Management Policy (OAMP)
  • Persona IDV or Other IDV
  • Mixed Environment of Both Okta and Active Directory Users

Cause

The configured password policy does not meet the criteria required for Okta to apply the IDV Account Management Policy. Because the Account Management Policy is evaluated through the password policy's recovery rule, a password policy that is not scoped to the user's authentication provider, or whose recovery rule does not reference the Account Management Policy, prevents Okta from applying IDV during SSPR or account unlock actions.

Solution

To ensure Okta triggers the Identity Verification integration during Self-Service Password Reset and account unlock actions, configure the Okta Account Management Policy and the password policy as follows:

  1. Create an Okta Account Management Policy that allows access after successful IDV with the configured identity verification service.

Okta AMP for IDV

  2. Configure the password policy for the credential type of the affected users, such as Okta or Active Directory.
    • Create a password policy for each user authentication provider type that requires IDV. In a mixed environment, administrators might need to create multiple password policies so that at least one is scoped to each desired authentication provider.
      Password policy auth provider type
  3. The applicable password policy must also include a Recovery Rule that allows the desired self-service actions and is set to use the Account Management Authentication Policy for access control.

Recovery enabled

NOTE:

    • Password expiration flows don't enforce the Okta Account Management Policy unless password expiry is enabled.
    • Administrator-initiated password reset flows do not enforce the Okta Account Management Policy. The user must select the link in the email, but Okta does not prompt them for additional factors.
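As a configuration check added here (this is not code from the Okta article or from Okta's own tooling), the script below reproduces the Cause section's gap programmatically: for each authentication provider type it reports whether some active password policy scoped to that provider has an active rule enabling SSPR and self-service unlock. The field names follow the public Okta Policy API as I understand it (`conditions.authProviders.provider`, `actions.selfServicePasswordReset.access`, `actions.selfServiceUnlock.access`); the sample policies, their IDs and the org URL are constructed placeholders, and the link from a recovery rule to the Account Management Policy (set in the Admin Console) is not modelled.

```python
"""Audit Okta password-policy coverage of SSPR / unlock per auth provider type.

Added example, not Okta's code. Runs offline on constructed sample data shaped
like the Policy API responses (GET /api/v1/policies?type=PASSWORD and
GET /api/v1/policies/{id}/rules). fetch_policies() shows how live data would be
pulled; it is not called by default.
"""
from __future__ import annotations

import json
import urllib.request

PROVIDERS = ("OKTA", "ACTIVE_DIRECTORY")          # provider types to audit
ACTIONS = ("selfServicePasswordReset", "selfServiceUnlock")

# Constructed sample: the AD-scoped policy has recovery disabled, which is the
# mixed-environment misconfiguration the article describes. IDs are placeholders.
SAMPLE_POLICIES = [
    {
        "id": "POLICY_ID_OKTA_PLACEHOLDER",
        "name": "Okta users",
        "status": "ACTIVE",
        "conditions": {"authProviders": {"provider": "OKTA"}},
        "rules": [{
            "id": "RULE_ID_PLACEHOLDER_1",
            "status": "ACTIVE",
            "actions": {"selfServicePasswordReset": {"access": "ENABLED"},
                        "selfServiceUnlock": {"access": "ENABLED"}},
        }],
    },
    {
        "id": "POLICY_ID_AD_PLACEHOLDER",
        "name": "AD users",
        "status": "ACTIVE",
        "conditions": {"authProviders": {"provider": "ACTIVE_DIRECTORY"}},
        "rules": [{
            "id": "RULE_ID_PLACEHOLDER_2",
            "status": "ACTIVE",
            "actions": {"selfServicePasswordReset": {"access": "DISABLED"},
                        "selfServiceUnlock": {"access": "DISABLED"}},
        }],
    },
]


def rule_allows(rule: dict, action: str) -> bool:
    """True when an ACTIVE rule enables the given self-service action."""
    if rule.get("status") != "ACTIVE":
        return False
    return rule.get("actions", {}).get(action, {}).get("access") == "ENABLED"


def coverage(policies: list[dict]) -> dict[str, dict[str, bool]]:
    """Per provider type, whether an active policy scoped to it (or to ANY)
    carries an active rule enabling each self-service action."""
    result = {p: {a: False for a in ACTIONS} for p in PROVIDERS}
    for policy in policies:
        if policy.get("status") != "ACTIVE":
            continue
        provider = policy.get("conditions", {}).get("authProviders", {}).get("provider")
        targets = PROVIDERS if provider == "ANY" else (provider,)
        for rule in policy.get("rules", []):
            for target in targets:
                if target not in result:
                    continue
                for action in ACTIONS:
                    if rule_allows(rule, action):
                        result[target][action] = True
    return result


def gaps(policies: list[dict]) -> list[str]:
    """Provider/action pairs with no enabling rule; each one is a case where
    the IDV-backed recovery flow cannot be triggered for those users."""
    return [
        f"{provider}: no active password policy rule enables {action}"
        for provider, actions in coverage(policies).items()
        for action, ok in actions.items()
        if not ok
    ]


def fetch_policies(org_url: str, api_token: str) -> list[dict]:
    """Pull password policies and their rules from a live org (not run here).
    org_url is a placeholder such as https://example.okta.com; the token is an
    Okta API token sent with the SSWS authorization scheme."""
    def get(path: str):
        req = urllib.request.Request(org_url + path, headers={
            "Authorization": f"SSWS {api_token}", "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    policies = get("/api/v1/policies?type=PASSWORD")
    for policy in policies:
        policy["rules"] = get(f"/api/v1/policies/{policy['id']}/rules")
    return policies


if __name__ == "__main__":
    for line in gaps(SAMPLE_POLICIES) or ["all provider types covered"]:
        print(line)
```

Run against a real org by replacing `SAMPLE_POLICIES` with `fetch_policies(org_url, token)`; any reported gap means the affected provider type's users never reach the recovery rule, so the Account Management Policy (and therefore IDV) is never evaluated for them, regardless of how that policy itself is configured.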


If the Okta Account Management Policy is in place and the password policy is configured as outlined above, users receive the IDV authentication experience during SSPR as expected:

IDV auth exp


Related References
