Okta Classic Engine | Administration | Answered | 2025-01-19 | 2023-12-16 | 2023-12-18

iwoz0 (iwoz0) asked a question.

Authenticator Enrollment Rule does not show the option to choose specific application

Hi All, I'm trying to configure an auth flow that involves GSuite, Okta (Identity Engine) and Workspace One. I need to give access to GSuite only to the users who are enrolled in Workspace One. GSuite is configured to use Okta as its IDP, and in turn I have the WS1 Access IDP added in Okta so that the auth redirects there. The auth redirect works, but I'm unable to figure out how to enforce rules in Okta such that the user gets redirected to a WS1 enrollment page if the device from which he's accessing the app is not enrolled. I am trying to configure the authenticator enrollment rules to use just the WS1 IDP (added as a SAML authenticator) and restrict it to an app. I have seen the screenshots in the documentation, but I do not see the option to restrict to a specific app at all. I'm not sure what I'm missing here. Has anyone configured something similar and can provide guidance? Thanks.


  • Mihai N. (Okta, Inc.)

    Hi @iwoz0 (iwoz0), thank you for reaching out to the Okta Community!

    Assuming I’ve understood your use case correctly, we’ll need to clarify that Authenticator (MFA) Enrollment policies are a separate flow from the authentication policies. As such, they would operate independently of each other based on certain conditions configured in their respective rules. 

    Once a user has the Authenticator enrolled, they could use it for login if the authentication policy requires MFA… BUT if you have multiple Authenticators configured and enabled (for example Okta Verify, Yubikey, custom SAML IDP, etc.), the authentication policies do not restrict what authenticator is used. They would only ask the user to leverage some kind of MFA, presenting them with options to choose from.

    For example, let's say you configure the authentication policy to use Password + Factor. See below screenshot:

    Your

    Instead of using Workforce One as an Authenticator (MFA), you could consider using it just as an IDP, but that would imply leveraging it for all authentication into Okta for the users managed via it. 


    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 


    Hope my answer helps! 

This question is closed.