Okta Classic Engine | Multi-Factor Authentication | Answered | 2026-02-17T09:00:23.000Z | 2024-05-20T16:24:45.000Z | 2024-05-24T21:33:06.000Z

DavidM.02996 (Customer) asked a question.

Authentication Policy "Allow Specific Authentication Methods" missing methods

We're trying to write an authentication policy with a rule that restricts which methods can be used for Authentication Methods.

There's an option to "Allow Specific Authentication Methods" however the list is missing some of our possession factors.

I've configured two IdPs as factor-only and when I choose "Allow Specific Authentication Methods" only one of those IdPs shows up in the list. Nevertheless, the box below this that shows "Your org's authenticators that satisfy this requirement" lists both IdPs. I am trying to write the authentication policy so that it uses one (and only one) of those IdPs to satisfy the second factor for authentication. Is this possible?


  • nfmez (nfmez)

    Hello @DavidM.02996 (Customer), thank you for posting on our Community page!

    If you use the option "Allow specific authentication methods" then only the methods selected will be used for Authentication, as per our doc:

    "Allow specific authentication methods: Select methods to allow them to be used in authentication. When this option is selected, all available methods are disallowed unless added to the allow list."

    https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/add-app-sign-on-policy-rule.htm

    Thank you for reaching out to our Community and have a great day!

  • DavidM.02996 (Customer)

    Hey Paul - thanks for the reply. "Allow specific authentication methods" only seems to restrict to types of authentication methods and not specific Authenticators. You can see this in three ways:

    1. When we try to select the Authenticator for the IdP Factor, only one of them shows up even though both are configured as a factor separately
    2. Once you select one (and only one) of the IdP factors, the Authentication Policy summary "Factors that meet your organizations policy requirements" shows both IdP factors as being usable.
    3. If you select one of the IdP factors and then use the API to retrieve the rule configuration you can see that it is only restricting to "external_idp" and nowhere does it actually specify which IdP.
  • u4fzi (u4fzi)

    Wanted to chime in re: my experiencing the exact same thing (and apparently quite timely being only 3 days later). I just opened a support case attempting to figure another approach and/or workaround to the issue. *MY* challenge is we use Duo Security for MFA. Currently Okta app in Duo allows several factors we need for certain users but wish to disallow for others. My workaround attempt was to configure a 2nd Duo IdP that tied back to a 2nd Okta app in Duo that was more restrictive w/ factors. Unfortunately the Okta Authentication Policy is not allowing me to restrict which of the two IdPs are actually called. It keeps just using the 1st one. If anyone knows of a better way to approach this challenge I'd really appreciate if you shared it.
This question is closed.
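
The check described in point 3 of DavidM.02996's reply, written out as an added example (not code from the thread or from Okta): it takes a rule export and an authenticator inventory and reports which authenticators each allow-list entry actually admits. The JSON shape, field names, authenticator names, placeholder ids and the optional `id` pin are assumptions made for illustration.

```python
import json

# Constructed sample rule, shaped like what the thread describes: the
# possession constraint names only the method type "external_idp".
# Field names are assumptions for illustration, not a captured API response.
RULE_JSON = """
{"name": "Require restricted IdP factor",
 "actions": {"appSignOn": {"verificationMethod": {
   "factorMode": "2FA",
   "constraints": [{"possession": {"authenticationMethods": [
     {"key": "external_idp", "method": "idp"}]}}]}}}}
"""

# Constructed inventory of the org's active authenticators (placeholder ids).
AUTHENTICATORS = [
    {"id": "aut-PLACEHOLDER-1", "key": "external_idp", "name": "IdP factor A"},
    {"id": "aut-PLACEHOLDER-2", "key": "external_idp", "name": "IdP factor B"},
    {"id": "aut-PLACEHOLDER-3", "key": "okta_verify", "name": "Okta Verify"},
]


def allowed_entries(rule):
    """Collect every allow-list entry across all constraints and factor classes."""
    vm = rule["actions"]["appSignOn"]["verificationMethod"]
    entries = []
    for constraint in vm.get("constraints", []):
        for factor_class in constraint.values():
            if isinstance(factor_class, dict):
                entries.extend(factor_class.get("authenticationMethods", []))
    return entries


def audit_rule(rule, authenticators):
    """Map each allow-list entry to the authenticators it admits and flag
    entries that cannot tell two authenticators of the same type apart."""
    findings = []
    for entry in allowed_entries(rule):
        # "id" is a hypothetical per-authenticator pin; the rule in the thread had none.
        admitted = [a["name"] for a in authenticators
                    if a["key"] == entry["key"]
                    and entry.get("id") in (None, a["id"])]
        findings.append({"key": entry["key"], "admits": admitted,
                         "ambiguous": len(admitted) > 1})
    return findings


if __name__ == "__main__":
    for f in audit_rule(json.loads(RULE_JSON), AUTHENTICATORS):
        print("AMBIGUOUS" if f["ambiguous"] else "ok", f["key"], f["admits"])
```

An entry flagged as ambiguous means the rule, as stored, admits every authenticator of that type regardless of which one was picked in the UI.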