
JR.56041 (-) asked a question.
Our new implementation, which has been ongoing for some time, was set up to use the AMR claim value list to determine if the user was federated via external IDP or an Okta user with username/password.
It would then validate if the value: "fed" was present to determine that the user was federated from an external IDP.
I unfortunately cannot confirm if this approach used to work, but it isn't working currently and it's not clear if Okta supports any configuration that would add the "fed" value to the "amr" claim.
Question 1: Is anyone aware how Okta might be configured to add that claim for federated users?
Looking at documentation, Okta doesn't seem to document specifically all the AMR values it will use itself; however, there is documentation around claims sharing (which we are not using) that mentions Okta only supports values from RFC 8176: developer.okta.com/docs/guides/configure-claims-sharing/thirdpartyoidc/main/*supported-amr-claims
From my findings so far, it looks as though we should use the "idp" claim and validate it against the current org IDP (retrieved via the: <org>.okta.com/.well-known/okta-organization link).
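
The check proposed in the question above, sketched as an added example (not code from the original post or from Okta). It assumes the ID token's signature, `iss`, `aud` and `exp` were already validated, that the `id` field of the okta-organization response holds the org ID, and that a natively authenticated user's `idp` claim equals that org ID; the function and class names are hypothetical and the IDs are constructed placeholders.

```python
from enum import Enum


class AuthSource(Enum):
    OKTA_NATIVE = "okta"        # authenticated directly against the Okta org
    FEDERATED = "federated"     # authenticated through an external IdP


class ClaimError(ValueError):
    """Raised when the data needed for the decision is missing or malformed."""


def _require_str(mapping, key, what):
    # Accept only a non-empty string; anything else is treated as missing.
    value = mapping.get(key) if isinstance(mapping, dict) else None
    if not isinstance(value, str) or not value.strip():
        raise ClaimError(f"{what} is missing or not a non-empty string")
    return value.strip()


def classify_auth_source(verified_claims, org_metadata):
    """Compare the token's idp claim with the org's own ID.

    verified_claims: ID token claims AFTER signature, iss, aud and exp checks.
    org_metadata: parsed JSON from <org>.okta.com/.well-known/okta-organization
                  (assumption: its "id" field holds the org ID).
    Fails closed: missing data raises instead of defaulting to either answer.
    """
    org_id = _require_str(org_metadata, "id", "org metadata 'id'")
    idp = _require_str(verified_claims, "idp", "'idp' claim")
    # amr is deliberately not consulted: the question reports "fed" is absent.
    return AuthSource.OKTA_NATIVE if idp == org_id else AuthSource.FEDERATED


# Constructed sample data (placeholder IDs, not real values).
ORG_METADATA = {"id": "00oEXAMPLEORG0000001"}
NATIVE_CLAIMS = {"sub": "00uEXAMPLE1", "idp": "00oEXAMPLEORG0000001"}
FEDERATED_CLAIMS = {"sub": "00uEXAMPLE2", "idp": "0oaEXAMPLEIDP0000001"}

if __name__ == "__main__":
    for claims in (NATIVE_CLAIMS, FEDERATED_CLAIMS):
        print(claims["sub"], classify_auth_source(claims, ORG_METADATA).value)
```

Raising on a missing `idp` claim keeps a token without that claim from being silently treated as either a native or a federated login.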

Hello @JR.56041 (-) Thank you for posting on our Community page!
This question is more appropriate for our dedicated Okta Developer Forum.
My advice would be to reach out via devforum.okta.com to take advantage of their expertise.
While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-developer work).
Thank you for reaching out to our Community and have a great day!