Background: We are using Okta APIs for an SFTP service. We only want to verify the user/pass combination. Once verified, we will use the MFA verify call to check for push verification, but only if they are not in a MACHINES group. Therefore we are calling authn/ for user verification, then checking the groups, then calling the MFA as required.
Question: I am using authn/ to validate a user's credentials, but I noted during testing that the application policy is not being applied (the default was applied instead), and this is because I was not sending the audience. I would like it to validate the policy I have actually applied.
I see that audience is being deprecated. How can I validate the user/pass combo for a user against a specific policy, instead of just default?
I could ignore this as we are doing our own MFA checks, and Okta is verifying the user for us, but I'd like to pay attention to the risk levels and other information Okta returns to us, and later, I expect we might do something like adding network zones. I can see using the default policy will be annoying.
What is the best way to achieve using the right policy?
I assume this is for an Okta Classic Org?
Typically you wouldn’t do an authn, then check if the user is part of a group and then decide if MFA will happen based off of that.
Instead you might have two authentication policies.
One policy would be assigned to the MACHINES group and have a rule that requires MFA.
One policy would be assigned to everyone (or another group that targets non-MACHINES users) and would not require MFA.
This way MFA would be part of the authn flow when authenticating and would not require manual steps of checking for group membership and then manually doing MFA depending.
The user in question, a test user, has MFA enabled and set up. When calling, we get MFA_REQUIRED returned, but the user doesn't receive a push event.
Is there a way to authenticate the user and call the event in one call then? If there is, then your way makes sense, to put them in a MACHINE group (or not) and only require MFA if they are not in the group. If we can do that automatically, then fab.
If you are manually doing the authentication with your own code, then after authn, if a user requires MFA, you will get an MFA_REQUIRED response and must choose one of the MFA options and proceed.
If using the Okta Widget SDK all this logic will be given out of the box.
If using the Okta Auth SDK the low level code for making the challenge/verify calls will be given to you but you will still need to control the flow.
If coding directly to the API, you will need to provide both the flow logic and the low-level code for making the MFA calls. Depending on how many different MFA types you support, this can be a bit of work.
Since this is an OIE tenant but you are using the Okta Classic Org pipeline of authn, make sure to keep your MFA policies in the global security policy and don't use individual application authentication policies.
If you do use auth-js, the following sample app demonstrates MFA for the different MFA types.
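The authn, then MFA_REQUIRED, then factor verify flow described in the answer above, as an added Python example (not Okta's code or the sample app mentioned). Endpoint paths and response fields follow the Okta Classic authn API; the sample responses and StubTransport are constructed here so it runs offline, and a real transport would POST the body as JSON to the org and sleep between polls.

```python
# Constructed sample responses shaped like the Okta Classic /api/v1/authn
# contract (status, stateToken, _embedded.factors); not captured from Okta.
AUTHN_MFA_REQUIRED = {
    "stateToken": "stateToken-constructed",
    "status": "MFA_REQUIRED",
    "_embedded": {"factors": [
        {"id": "sms-constructed", "factorType": "sms", "provider": "OKTA"},
        {"id": "push-constructed", "factorType": "push", "provider": "OKTA"},
    ]},
}
VERIFY_WAITING = {"status": "MFA_CHALLENGE", "factorResult": "WAITING"}
VERIFY_SUCCESS = {"status": "SUCCESS", "sessionToken": "sessionToken-constructed"}

def pick_factor(authn_response, preferred=("push", "token:software:totp")):
    """Pick the first enrolled factor matching our preference order."""
    factors = authn_response.get("_embedded", {}).get("factors", [])
    for factor_type in preferred:
        for factor in factors:
            if factor.get("factorType") == factor_type:
                return factor
    return None

def complete_login(transport, username, password, max_polls=5):
    """authn -> (if MFA_REQUIRED) factor verify, polled until a final result.
    transport(path, body) -> dict stands in for an HTTP POST to the org."""
    resp = transport("/api/v1/authn", {"username": username, "password": password})
    if resp["status"] == "SUCCESS":
        return {"outcome": "SUCCESS", "sessionToken": resp["sessionToken"]}
    if resp["status"] != "MFA_REQUIRED":
        return {"outcome": resp["status"]}  # LOCKED_OUT, PASSWORD_EXPIRED, MFA_ENROLL, ...
    factor = pick_factor(resp)
    if factor is None:
        return {"outcome": "NO_SUPPORTED_FACTOR"}
    verify_path = f"/api/v1/authn/factors/{factor['id']}/verify"
    for _ in range(max_polls):  # first call sends the push; later calls poll it
        v = transport(verify_path, {"stateToken": resp["stateToken"]})
        if v["status"] == "SUCCESS":
            return {"outcome": "SUCCESS", "sessionToken": v["sessionToken"], "factorType": factor["factorType"]}
        if v.get("factorResult") != "WAITING":  # REJECTED, TIMEOUT, CANCELLED
            return {"outcome": "MFA_" + v.get("factorResult", "UNKNOWN")}
    return {"outcome": "MFA_TIMEOUT"}

class StubTransport:
    """Offline stand-in for the org: replays the constructed responses above."""
    def __init__(self, authn_response, verify_responses):
        self.authn_response, self.queue, self.calls = authn_response, list(verify_responses), []
    def __call__(self, path, body):
        self.calls.append(path)
        return self.authn_response if path == "/api/v1/authn" else self.queue.pop(0)
```

Note that the push is only sent by the first verify call; authn alone returning MFA_REQUIRED never triggers a notification, which matches the behaviour the question reports.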