<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z0000AJDrUKCQ1Okta Classic EngineAPI Access ManagementAnswered2025-02-07T09:54:02.000Z2025-01-28T08:00:01.000Z2025-02-07T09:54:02.000Z

AdamM.90568 (Customer) asked a question.

Edited January 28, 2025 at 8:00 AM
Relation between Authenticators enrolled and User Factors in the API

Hello,

 

I've been working with Authenticators and User Factors API lately and feel a bit lost. So, in Okta I enabled bunch of authenticators and created a policy to enroll them to the group "Everyone", so actually to everyone in the organization:

 

/help/servlet/rtaImage?refid=0EM4z000008eUaoProblem is, I would expect to have all of these listed above in the response body of "/api/v1/users/{userId}/factors/catalog" as according to documentation it "lists all the supported factors that can be enrolled for the specified user". In opposition to what I expect I only get here some of them: Google and Okta token:software:totp. Where are the Password, Phone, Email and Security Question?

 

/help/servlet/rtaImage?refid=0EM4z000008eUatAre my expectations wrong? Am I mistaken when I think that the User Factors endpoints provide access to the authenticators enrolled to each user?

 

I also noticed that the response body in "/api/v1/users/{userId}/factors/catalog" differs depending on the Okta version, as in Identity Engine I get the response above, but in Classic Engine I get all factors enabled in the organization, just with "NOT_SETUP" statuses.

 

Thank you in advance!

 

  • 2 answers
  • 298 views

  • MatthewH.10249 (State of Iowa)

    I'm using OIE and I'm seeing similar behavior as you are. At first I thought that perhaps this was the difference between a factor that was set up for authentication vs recovery but that does not seem to be the case based on the factors that were returned in my environment. I have several enrolment policies in my tenants so I did not try this but you might, consider adding all the factors to the default policy and delete the "moja..." policy if you can to keep things as simple as possible and see what gets returned.

     

    I find it interesting that when you tried with Classic Engine it did return all the factors if that is the case them maybe an OIE bug. This seems like a similar issue to a post I commented on back in 2023. https://support.okta.com/help/s/question/0D54z00009n7grNCAQ/factors-api-not-listing-enrolled-factors-used-only-for-recovery?language=en_US My suggestion then still applies today in that I think you should open an Okta Support Case if no one chimes in with additional feedback soon.

    Expand Post
    Selected as Best

  • MatthewH.10249 (State of Iowa)

    I'm using OIE and I'm seeing similar behavior as you are. At first I thought that perhaps this was the difference between a factor that was set up for authentication vs recovery but that does not seem to be the case based on the factors that were returned in my environment. I have several enrolment policies in my tenants so I did not try this but you might, consider adding all the factors to the default policy and delete the "moja..." policy if you can to keep things as simple as possible and see what gets returned.

     

    I find it interesting that when you tried with Classic Engine it did return all the factors if that is the case them maybe an OIE bug. This seems like a similar issue to a post I commented on back in 2023. https://support.okta.com/help/s/question/0D54z00009n7grNCAQ/factors-api-not-listing-enrolled-factors-used-only-for-recovery?language=en_US My suggestion then still applies today in that I think you should open an Okta Support Case if no one chimes in with additional feedback soon.

    Expand Post
    Selected as Best

    • AdamM.90568 (Customer)

      Thank you for your reply. Yes, I do think the problem from 2023 you linked to is connected with this one. Also:

       

      "At first I thought that perhaps this was the difference between a factor that was set up for authentication vs recovery [...]"

       

      Yes, I did have the same suspicions. And basing on my tests I think that it is possible that this is the case here.

       

      As for the Support Case - I am not yet able to access it as I am using Developer account. Once I get the access will do so for sure.

      Expand Post
This question is closed.
Loading
Relation between Authenticators enrolled and User Factors in the API