
JR.56041 (-) asked a question.
Hi,
I have set up an OIDC app. The app has default Okta users with username + password, & it also has a sign-on policy for an Azure AD IDP.
Both sets of users are associated to an MFA policy (email or SMS).
I have 2 questions:
1) Is there a way to have the external users submit their MFA via a "Self-Hosted" Okta widget, or via APIs? At the moment, users are challenged for the MFA whilst on the Okta hosted widget at ...okta.com/.../callback.
2) When on the okta.com/../callback page, the "back to signin" button just loops back on itself. Is there a way to fix this?
At the moment the flow is:
- User goes to a page /signon-azure (server code redirects user with idp parameter)
- Browser redirects to Okta.com.../authorize/..
- Browser redirects to okta.com/sso/idps/...
- Browser redirects to microsoft.com
- Browser redirects back to okta.com/../callback
- Whilst browser is at okta.com/callback, user can now trigger the sms/email
- On success, user redirects back to local app/authorization-code/callback
Thanks,
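Added example (not code from the original post or from Okta): a minimal server-side handler pair in Python for the flow listed above, the /signon-azure redirect that builds the /authorize URL with the idp parameter, and the /authorization-code/callback handler that checks state and returns the code plus PKCE verifier for the token request. The org URL, client id, IdP id, session store and the /oauth2/default authorization server path are placeholders and assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

OKTA_DOMAIN = "https://dev-000000.okta.com"  # placeholder org URL (constructed)
CLIENT_ID = "0oa_example_client_id"          # placeholder client id (constructed)
REDIRECT_URI = "http://localhost:8080/authorization-code/callback"
AZURE_IDP_ID = "0oa_example_azure_idp_id"    # placeholder: the Azure AD IdP id from the admin console

# In-memory stand-in for the real server-side session store (constructed)
SESSIONS = {}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def signon_azure(session_id: str) -> str:
    """/signon-azure: build the /authorize URL that routes the user to the Azure AD IdP.
    state and the PKCE verifier are stored in the session so the callback can check them."""
    state = _b64url(secrets.token_bytes(32))
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    SESSIONS[session_id] = {"state": state, "verifier": verifier}
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "idp": AZURE_IDP_ID,              # routes straight to the external IdP
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{OKTA_DOMAIN}/oauth2/default/v1/authorize?{urlencode(params)}"


def handle_callback(session_id: str, callback_url: str) -> dict:
    """/authorization-code/callback: accept the response only if state matches the session.
    Returns the code and verifier for the token request; the token call itself is not made here."""
    qs = parse_qs(urlparse(callback_url).query)
    sess = SESSIONS.pop(session_id, None)  # one-time use: a replayed callback finds no session
    if sess is None or qs.get("state", [None])[0] != sess["state"]:
        raise ValueError("state mismatch or unknown session")
    if "error" in qs:
        raise ValueError(f"authorization error: {qs['error'][0]}")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("missing code")
    return {"code": code, "code_verifier": sess["verifier"]}
```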

Hello @JR.56041 (-) Thank you for reaching out to our Community!
For the first question:
Users can set up their MFA during the login process, but you need to set up an MFA enrolment policy. Please keep in mind that email MFA is done automatically on user creation; this could be a reason why maybe your users are not prompted. However, if you make both MFA required, that should do the trick.
Please see the doc for MFA policies:
https://help.okta.com/en-us/content/topics/security/policies/about-mfa-policies.htm
For the second question, please see a similar one on our Dev forum:
https://devforum.okta.com/t/authorize-or-login-callback-endless-loop/22683