
MarekA.35681 (Customer) asked a question.
We want to enforce users within a specific group to use an Identity Provider for accessing one app.
All other apps can be accessed via Password or IdP factor.
Any recommendations how to set this up?
Within the Global Session Policies I can define specific IdPs, but this would then be applied to all Apps.
In the app specific Authentication Policy I can only define "Password / IdP" as factor, but no specific IdP.
The IdP Routing Rules/IdP Discovery would redirect users to the IdP when accessing the app, but is not restricting other login mechanisms.
As I see it, this is only possible in the Global Session Policy, which is not meeting our requirements here.

@Marek,
Curious if you have considered creatively leveraging "idpuser" attribute (which can be used in expression language) in authentication policies. The link is below.
https://developer.okta.com/docs/reference/okta-expression-language/
HTH
-Bala

Hi Bala,
Identifying the users in the Authentication Policy (either via group or expression language) is not the challenge.
The issue is that I can only require one or multiple factors; but I cannot enforce one specific IdP as a factor.
Maybe that use case is simply not supported by Okta?

@MarekA.35681 (Customer)
You can set up an IdP as an authentication factor. You will have to add the IdP authenticator first (Security -> Authenticators -> IdP Authenticator, and then it appears as a possession factor in your auth policies). Also, the link below provides details. Please make sure you enable your IdP (SAML, OIDC) as Factor only.
https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/configure-idp-authenticator.htm
HTH
-Bala

@User1646066528187443648 (Okta): Thanks for the hint, I wasn't aware of that.
As this IdP then does not support JIT, I guess I would need to set up two IdPs (one for SSO/JIT, one as a factor). Is it then possible to have users linked to both IdPs (or, to be precise, linked to the first one after JIT, then linked to the second one to enforce IdP authentication via the IdP authentication factor)?

@MarekA.35681 (Customer) One possibility is: when you JIT, you can place users in a static group (or via group rules, if apt) and then associate the group with your auth policy.