Okta Classic Engine · Multi-Factor Authentication · Answered · 2025-09-08T09:01:02.000Z · 2020-05-06T17:28:36.000Z · 2020-05-08T18:55:56.000Z

rnpcu (rnpcu) asked a question.

Sign on policy based on application privilege

I'm hoping to be able to apply MFA policy to an application based on admin privilege in that app. For instance, in Salesforce I'd like to be able to enforce MFA for any privileged users.


My first thought on this was to create a group rule so that anyone with a particular Salesforce profile value would be added to the group, and then to configure that group in the sign on policy. However, I found that group rules can only evaluate Okta attributes and not app profile attributes.


Has anyone tried this before and had any success? The alternative at the moment is to simply populate the group based on a list of current administrators, but I'd rather do this programmatically if possible. Thanks!


  • SivaDesetti (Waste Management)

    Did you try Okta Expression Language using e.g. $appuser.$attribute? If the rule is still not firing, then using profile mappings can help.

  • rnpcu (rnpcu)

    Siva,


    I did try using the appuser attribute variable expression, but it returned an error. I found in the rules documentation that only Okta user profile attributes can be used in group rules.


    I next tried to map the Salesforce profile to an Okta user profile attribute, but couldn't get this to work. The error stated that the value could not be mapped to a string value. In the profile editor -> mappings panel the Salesforce profile attribute appeared to be of type "reference," even though the schema states that it is of type "string."

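Since group rules cannot read app-profile attributes, the other route raised in the question, populating the sign-on-policy group programmatically from the application's user list, can be scripted as a reconciliation. This is an added example, not code from the thread or from Okta: it assumes app users look like the records returned by GET /api/v1/apps/{appId}/users (an "id" plus a "profile" dict), the attribute name PRIV_ATTR and the values in PRIV_VALUES are hypothetical, and the sample data is constructed.

```python
# Added example (not from this thread): reconcile the Okta group that a
# sign-on policy targets with the app users whose Salesforce profile marks
# them as privileged.  Assumed record shape: GET /api/v1/apps/{appId}/users
# style objects with "id" and "profile"; PRIV_ATTR / PRIV_VALUES are
# hypothetical names; all sample data below is constructed.
PRIV_ATTR = "profileName"               # hypothetical app-profile attribute
PRIV_VALUES = {"System Administrator"}  # Salesforce profiles treated as privileged


def _as_string(value):
    """Normalise an attribute that may arrive as a plain string or as a
    reference-style object (the thread reports the Salesforce profile
    showing as type "reference" in the mapping panel); assumes such an
    object carries its display value under "name"."""
    if isinstance(value, dict):
        return value.get("name")
    return value


def privileged_user_ids(app_users, attr=PRIV_ATTR, values=PRIV_VALUES):
    """Okta user ids whose app-profile attribute is one of `values`."""
    return {
        u["id"] for u in app_users
        if _as_string(u.get("profile", {}).get(attr)) in values
    }


def plan_group_changes(desired, current):
    """Return (to_add, to_remove) so the group ends up equal to `desired`.
    Computing removals too keeps the group honest: a user whose admin
    profile was revoked leaves the group on the next run."""
    desired, current = set(desired), set(current)
    return sorted(desired - current), sorted(current - desired)


# Constructed sample: three app users and the group's current membership.
SAMPLE_APP_USERS = [
    {"id": "00u1", "profile": {"profileName": "System Administrator"}},
    {"id": "00u2", "profile": {"profileName": "Standard User"}},
    {"id": "00u3", "profile": {"profileName": {"name": "System Administrator"}}},
]
SAMPLE_GROUP_MEMBERS = ["00u2", "00u3"]

if __name__ == "__main__":
    add, remove = plan_group_changes(privileged_user_ids(SAMPLE_APP_USERS),
                                     SAMPLE_GROUP_MEMBERS)
    # add -> ['00u1'], remove -> ['00u2']; a real run would apply these with
    # PUT / DELETE /api/v1/groups/{groupId}/users/{userId}.
    print("add:", add, "remove:", remove)
```

Run it on a schedule against the live app-user list so the group, and therefore the stricter MFA policy, tracks privilege changes in Salesforce rather than a hand-maintained admin list.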
This question is closed.