Okta Classic Engine | Single Sign-On | Answered | 2019-05-16 | 2019-12-06 | 2026-04-01

JeffW.31511 (Customer) asked a question.

Org2Org Attributes

I have configured an Org2Org configuration between two Okta preview environments. We will be enforcing MFA at the Spoke (IdP), but I am looking for a way that Okta can dynamically include in the SAML Assertion that the MFA process was successful, thus preventing the bypass of MFA. As I integrate business partners with and without Okta, this would be a great control to make sure they are doing the proper thing. Even better would be a token that the Hub (SP) could validate against the IdP. I would also need a method for the Hub (SP) to read and act on the information in the assertion.


  • t529b (t529b)

    I agree with Gabriel. For something like this to work, there would have to be an Okta profile attribute that gets set every time you log in, to indicate if MFA was used, so it could be included in the SAML assertion to the other org.

     

    Your concern seems to be reporting on someone accessing the hub org without MFA, but that's a concern you need to address in the org where MFA is configured. When properly configured, bypassing MFA should not be possible.

     

    I'm just a customer like you, so I don't have any inside information, but some sort of notification may be possible in the future, as Okta expands the web hooks features.

    Selected as Best
  • GabrielL.85945 (Customer)

    I'm not certain I'm understanding the exact flow you're looking to achieve, but I'm pretty sure what you described can't be done in Okta. I'm fairly confident there is no functionality to include whether an MFA challenge was successful in a SAML assertion with Okta.

  • qlmdz (qlmdz)

    Ok, maybe I will get some details and start an idea. Thanks

  • JeffW.31511 (Customer)

    What I am looking for is support in Okta for SAML 2.0

    MobileOneFactorUnregistered

    MobileTwoFactorUnregistered

    MobileOneFactorContract

    MobileTwoFactorContract

  • JeffW.31511 (Customer)

    Add to above URI: urn:oasis:names:tc:SAML:2.0:ac:classes:M
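The thread leaves open the last part of the question, how the Hub (SP) would read and act on the authentication context once an IdP does place it in the assertion. The following is an added example, not code from the thread or from Okta, of an SP-side check that reads the SAML 2.0 `AuthnContextClassRef` elements from a Response or bare Assertion and fails closed unless every `AuthnStatement` carries one of the two-factor classes named above (`MobileTwoFactorUnregistered`, `MobileTwoFactorContract`, under the `urn:oasis:names:tc:SAML:2.0:ac:classes:` prefix). The function names `authn_context_classes`, `mfa_satisfied` and `sample_assertion`, the allow-list, and the issuer placeholder are all assumptions of this example; the sample assertion is constructed and unsigned. The check only has value when it runs after the assertion's XML signature has been verified, since an unsigned class reference can be altered, and it only helps where the IdP actually emits a two-factor class, which, as the replies note, Okta does not do on its own.

```python
"""Hub (SP) side enforcement of the SAML 2.0 AuthnContextClassRef.

Added example; not part of the original thread and not Okta code. Assumes the
SP has already verified the assertion's XML signature before this check runs.
"""
from typing import List
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

AC_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Policy allow-list (an assumption of this example): the two-factor classes
# named in the thread. One-factor and password-only classes are rejected.
MFA_CLASSES = frozenset(AC_PREFIX + c for c in (
    "MobileTwoFactorUnregistered",
    "MobileTwoFactorContract",
))


def authn_context_classes(saml_xml: str) -> List[str]:
    """Return every AuthnContextClassRef found in the Assertion.

    Accepts either a bare <saml2:Assertion> or a <saml2p:Response> that wraps
    one. Returns an empty list when no usable class reference is present.
    """
    root = ET.fromstring(saml_xml)
    if root.tag == "{%s}Assertion" % NS["saml2"]:
        assertion = root
    else:
        assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return []
    refs = assertion.findall(
        "saml2:AuthnStatement/saml2:AuthnContext/saml2:AuthnContextClassRef", NS
    )
    return [r.text.strip() for r in refs if r.text and r.text.strip()]


def mfa_satisfied(saml_xml: str, allowed=MFA_CLASSES) -> bool:
    """Fail closed: at least one AuthnStatement, and all of them in the allow-list."""
    classes = authn_context_classes(saml_xml)
    return bool(classes) and all(c in allowed for c in classes)


def sample_assertion(class_ref: str, wrap_in_response: bool = False) -> str:
    """Constructed, unsigned test assertion; the issuer is a placeholder."""
    assertion = (
        '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="2019-05-16T20:14:18Z">'
        "<saml2:Issuer>http://www.okta.com/ISSUER_PLACEHOLDER</saml2:Issuer>"
        "<saml2:Subject><saml2:NameID>user@example.com</saml2:NameID></saml2:Subject>"
        '<saml2:AuthnStatement AuthnInstant="2019-05-16T20:14:18Z">'
        "<saml2:AuthnContext>"
        f"<saml2:AuthnContextClassRef>{class_ref}</saml2:AuthnContextClassRef>"
        "</saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion>"
    )
    if not wrap_in_response:
        return assertion
    return (
        '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="_constructed_resp" Version="2.0" IssueInstant="2019-05-16T20:14:18Z">'
        + assertion + "</saml2p:Response>"
    )


if __name__ == "__main__":
    for cls in ("MobileTwoFactorContract", "PasswordProtectedTransport"):
        xml = sample_assertion(AC_PREFIX + cls, wrap_in_response=True)
        print(cls, "->", "accept" if mfa_satisfied(xml) else "reject")
```

Treating the allow-list as a per-partner policy lets the Hub accept one set of classes from a partner IdP that can assert a second factor and reject the password-only classes from one that cannot, without trusting any profile attribute the IdP happens to send.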

This question is closed.