Okta Classic Engine | Authentication | Answered | 2024-03-25T15:06:27.000Z | 2022-12-22T10:17:03.000Z | 2022-12-28T17:08:42.000Z

br0lq (br0lq) asked a question.

OKTA LDAP and 2FA verification?

I'm connecting my own server application using LDAP protocol over LDAPS to verify user authentication against OKTA.

Currently it's one step only, i.e. username and password/OTP, which works fine, using Bind.

However, I've been asked to also support OKTA 2FA for a new onboarding customer

The customer has users with both OTP and 2FA.

The OTP users are not a problem at all, but the 2FA users are, as my application doesn't support OKTA 2FA yet.

My questions are:

1) How can I check if single factor password/OTP applies for a given account, or if 2FA applies for the given account?

2) How can I verify the 2FA when LDAP protocol is used? Or should I use another protocol like API?

Any reference to relevant documentation is highly appreciated.


  • SteveS.00405 (GoCardless)

    That all depends on your Sign-on Policy really. You can have a Sign-on Policy which applies specifically when a user authenticates to the LDAP Interface. You should have MFA as mandatory on the Sign-on Policy too.

    Then there are two ways a user can interact with LDAP for MFA.

    https://help.okta.com/en-us/Content/Topics/Directory/LDAP-interface-main.htm

    • password,123456 - put their Okta PW in, followed by a comma, then the TOTP code from Okta Verify.
    • password,push - put in Okta PW, then comma, type push for Okta Verify Push.

    The Read Only Admin account you should be using to connect your application to the Okta LDAP Interface won't be able to authenticate with MFA, so you should have a Sign-on Policy that only allows that account from your app's IP (in an Okta Network Zone) to authenticate with the LDAP Interface > then do a Catch All Deny rule afterwards on anything else.

    Selected as Best
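How the two credential forms in the answer above actually travel on the wire, as an added example written for this page (not code from Okta or from anyone in the thread): a standard-library-only LDAP simple bind over LDAPS, the encoder for the BindRequest and a decoder for the BindResponse, so an integrator can see exactly what the server receives and returns. The `<org>.ldap.okta.com` hostname pattern, the `uid=<login>,ou=users,dc=<org>,dc=okta,dc=com` DN layout, the numeric-TOTP check and every sample value are assumptions made here, not facts stated in the answer.

```python
"""Minimal LDAPS simple bind against an LDAP Interface (added example, stdlib only).

The bind password carries the second factor as the answer describes:
'password,<TOTP code>' for Okta Verify TOTP or 'password,push' for Okta Verify Push.
"""
import socket
import ssl


def mfa_credential(password: str, factor: str) -> str:
    """Build the bind password: '<password>,<factor>'. The digits-only check on a
    TOTP code is an assumption for input validation, not an Okta rule."""
    if factor != "push" and not factor.isdigit():
        raise ValueError("factor must be 'push' or a numeric TOTP code")
    return f"{password},{factor}"


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER with a minimal two's-complement body (non-negative values only)."""
    return ber_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def bind_request(message_id: int, dn: str, credential: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } } per RFC 4511."""
    bind = ber_tlv(
        0x60,  # [APPLICATION 0] BindRequest
        ber_int(3) + ber_tlv(0x04, dn.encode()) + ber_tlv(0x80, credential.encode()),
    )
    return ber_tlv(0x30, ber_int(message_id) + bind)


def parse_ber(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> tuple[int, str]:
    """Pull (resultCode, diagnosticMessage) out of an LDAPMessage carrying a BindResponse.
    resultCode 0 is success and 49 is invalidCredentials (RFC 4511)."""
    tag, body, _ = parse_ber(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = parse_ber(body)           # messageID
    tag, resp, _ = parse_ber(body, pos)
    if tag != 0x61:                              # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = parse_ber(resp)               # resultCode ENUMERATED
    _, _matched, pos = parse_ber(resp, pos)      # matchedDN
    _, diag, _ = parse_ber(resp, pos)            # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode()


def ldaps_bind(host: str, dn: str, credential: str, port: int = 636,
               timeout: float = 90.0) -> tuple[int, str]:
    """Open a certificate-verified TLS session, send one simple bind, decode the reply.
    The generous timeout leaves the user time to approve an Okta Verify Push."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, dn, credential))
            data = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection before replying")
                data += chunk
                # A BindResponse is small, so the outer length is normally in the first read.
                if len(data) >= 2 and parse_ber(data)[2] <= len(data):
                    return parse_bind_response(data)


if __name__ == "__main__":
    # Constructed placeholders (assumed hostname and DN layout), not real values.
    user_dn = "uid=alice@example.com,ou=users,dc=example-org,dc=okta,dc=com"
    print(bind_request(1, user_dn, mfa_credential("correct horse battery", "push")).hex())
    # Live use: ldaps_bind("example-org.ldap.okta.com", user_dn, mfa_credential(pw, "123456"))
```

The read-only service account the answer mentions binds with its plain password (no `,push` suffix), which is why it needs the network-zone-restricted policy rule rather than an MFA one; `ldaps_bind` is the same call either way, only the credential string differs.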
  • SteveS.00405 (GoCardless)

    Forgot to mention - what's better than using the LDAP Interface? Either SAML or OIDC would be your best options, and should be your preferred option.

This question is closed.