
i7jj8 (i7jj8) asked a question.
Hello!
I have a SAML application, and basic auth using policies in Okta works well. I was able to authenticate via SAML by configuring rules in the Okta app, and I successfully passed the flow both with MFA and with just a password.
I need a way to do step-up auth via SAML (custom scenarios that require MFA) by using requiredAuthContext. I see that this can be achieved using OIDC and acr_values, but is there a way to realise this by passing requiredAuthContext in the request to the IdP?
Also, I saw a comment that as of 2017 there was no way to tell from the SAML response which method was used for auth (password or MFA). Has that been implemented since then, or are there plans to extend the functionality of SAML integrations?
Thanks in advance.

Hi, @i7jj8 (i7jj8)
Thank you for posting on our Community page!
This article explains the way in which Okta can help in this matter:
https://developer.okta.com/blog/2023/03/08/step-up-auth
In short,
Okta Customer Identity Cloud (CIC)
Okta CIC comes with a flexible and extensible authentication engine, which can easily inspect acr_values in the authentication request and initiate step-up authentication.
CIC recommends using the acr_values as defined in this OIDC spec. For example, http://schemas.openid.net/pape/policies/2007/06/multi-factor.
CIC can be configured to provide step-up authentication for both web applications and APIs.
Okta Workforce Identity Cloud (WIC)
The WIC authorization server has built-in support for step-up authentication.
Currently, WIC supports a pre-defined list of acr_values.
The non-Okta-specific values, such as phr and phrh, are taken from this OIDC spec.
This guide explains the capability in more detail.
Thank you for reaching out to our Community and have a great day!
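The relying-party side of both paths discussed in this thread, as an added example (not code from the post, the linked article or Okta): build the OIDC request with acr_values, check the acr claim that actually comes back, and read the AuthnContextClassRef out of a SAML assertion. The endpoint, client and assertion are constructed placeholders, and the SAML class ref shown is one example value, not a statement of what Okta emits.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed placeholders: not a real tenant or registered client.
AUTHORIZE_ENDPOINT = "https://idp.example.com/oauth2/v1/authorize"
# The acr value named in the answer above (OIDC PAPE multi-factor policy).
MFA_ACR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"

def build_authorize_url(client_id, redirect_uri, state, nonce, acr_values):
    # acr_values is a space-separated, preference-ordered list (OIDC Core 3.1.2.1).
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "acr_values": " ".join(acr_values),
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

def acr_satisfied(id_token_claims, accepted_acr):
    # acr_values is only a request: the IdP may answer with a weaker context or
    # omit acr entirely, so the relying party must check what actually came back.
    # id_token_claims is assumed to come from a token whose signature was already verified.
    return id_token_claims.get("acr") in accepted_acr

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; the XML signature is omitted and must be validated
# before anything in the assertion is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

def saml_authn_context(assertion_xml):
    # Returns the AuthnContextClassRef the IdP asserted, or None if it sent none;
    # compare the result against the class refs your step-up scenario accepts.
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    return node.text.strip() if node is not None and node.text else None
```

Whether an IdP honours a requested context, and which class refs it emits, is IdP-specific; the check on the returned value is the part the service provider controls.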