bam36 (bam36) asked a question.
Can we use OIE to trigger a stricter MFA/Auth to a subdomain of an existing application?
If we have a SAML/OIDC secured application, let's say: www.intranet.com
To access users need to auth with low/medium assurance (or have already done so and have a valid okta session).
What we're looking at doing is maybe requiring another authenticator and/or a different authentication policy for a highly sensitive page like: www.intranet.com/paycheck.
Can the same app have 2 levels of authentication set on it?
I meant to say subdomain OR a specific URL under the top level domain.
Hi @bam36 (bam36) , Thank you for reaching out to the Okta Community!
This is not currently supported. You can however suggest this as a Feature Enhancement on the Okta Community page by going to the Community→ Ideas tab. Features suggested in our community are reviewed and can be voted and commented on by other members. High popularity will increase the likelihood of it being picked up by the Product Team and it being implemented.
More details here:
https://support.okta.com/help/s/blog/a674z000001cj7YAAQ/okta-ideas-faq
If my answers helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
--------------------------------
Community members help others by clicking Like or Select as Best on responses. Try it today.
There's a couple of challenges here. Usually when you have logged in, and navigate to a subdomain Okta won't see it. It's not a reverse proxy that sees all of the traffic to the service so you will always have to manually trigger the step up authentication.
If you own the application though, you could build this into the subdomain by having two OIDC clients in Okta. Standard SSO to the base domain with OIDC Client 1. Accessing the subdomain automatically triggers and OIDC authentication request to OIDC Client 2 in Okta, which has a mandatory requirement for a second factor to OIDC Client 1.