Can't get status MFA_ENROLL when authenticating with API

I believe I have set up all the necessary steps for Okta Verify, but I always get a status of "SUCCESS" when authenticating with the API via Postman. When I log in via the web portal using the same account, I do get the Okta Verify prompt on the phone. Not sure why, via Postman, I do not get the phone prompt. I am developing a backend application that uses the API for authentication with MFA. Can anyone help with some pointers as to what I may be missing?

What API endpoint are you calling? If it's the /api/v1/authn endpoint, do you have MFA enabled at the org level?


Yes, I have MFA enabled at the org level. When I log in to the dashboard, I do get the MFA prompt. However, when I try using Postman with the authn endpoint, I always get success. I am expecting "MFA_REQUIRED".

Request: /api/v1/authn

{
  "username": "{{username}}",
  "password": "{{password}}",
  "options": {
    "multiOptionalFactorEnroll": true,
    "warnBeforePasswordExpired": true
  }
}

Response:

{
  "expiresAt": "2023-03-03T00:19:05.000Z",
  "status": "SUCCESS",
  "sessionToken": "201114Q3RXvCTbIIiLJE5dnz3xTL6Cn_gnJfw0W8c5QSM79pV9u7_Qu",
  "_embedded": {
    "user": {
      "id": "00u8k4i7gi7LiWwNn5d7",
      "passwordChanged": "2023-03-02T21:20:50.000Z",
      "profile": {
        "login": "joalonzo2008@gmail.com",
        "firstName": "testuser",
        "lastName": "ALO",
        "locale": "en_US",
        "timeZone": "America/Los_Angeles"
      }
    }
  }
}

Can you provide a screenshot of what your rule looks like? It should be for the sign-on policy that will be evaluated for the user credentials you are testing with.

These settings seem to be working for me.

Hi Warren, seems that you have a different screen than mine. Here is what mine looks like:

Looks like the Okta org you're testing with is running the Okta Identity Engine (OIE). The screenshots you shared look like the authentication policies for applications.

If you click on Security → Global Session Policy and then click Edit on one of the rules, you should see a screen similar to the screenshot I shared.


Hi Warren, my Global Session Policy was not set up correctly. Thank you so much for this nugget.

Request:
{
  "username": "{{username}}",
  "password": "{{password}}",
  "options": {
    "multiOptionalFactorEnroll": true,
    "warnBeforePasswordExpired": true
  }
}

Response:

{
  "stateToken": "00SAJBqyKY34Ap240GggoX84zj51ZJgkrJfblQvM6y",
  "expiresAt": "2023-03-08T01:47:41.000Z",
  "status": "MFA_REQUIRED",
  "_embedded": {
    "user": {
      "id": "00u8k4i7gi7LiWwNn5d7",
      "passwordChanged": "2023-03-02T21:20:50.000Z"
    }
  }
}

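The thread turns on how a backend should treat the `status` field of the /api/v1/authn response: a bare "SUCCESS" with a sessionToken means the Global Session Policy evaluated for that user did not require a second factor, while "MFA_REQUIRED" hands back a stateToken that must be carried into the factor verification step. The following is an added example, not code from the thread or from Okta; it builds the request body shown above, decides the next step from a response, and constructs the verify call for an Okta Verify push factor. The sample responses and ids are constructed placeholders, and `require_mfa` is a hypothetical parameter for the backend's own policy.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses modelled on the two replies in the thread (ids are placeholders).
AUTHN_SUCCESS = {"status": "SUCCESS", "sessionToken": "SESSION-TOKEN-PLACEHOLDER",
                 "_embedded": {"user": {"id": "00uPLACEHOLDER"}}}
AUTHN_MFA_REQUIRED = {
    "stateToken": "STATE-TOKEN-PLACEHOLDER", "status": "MFA_REQUIRED",
    "_embedded": {"user": {"id": "00uPLACEHOLDER"},
                  "factors": [{"id": "opfPLACEHOLDER", "factorType": "push", "provider": "OKTA"}]},
}

def authn_body(username: str, password: str) -> dict:
    # Same request body the thread posts to /api/v1/authn.
    return {"username": username, "password": password,
            "options": {"multiOptionalFactorEnroll": True, "warnBeforePasswordExpired": True}}

@dataclass
class NextStep:
    action: str                      # "session", "verify_factor", "enroll" or "reject"
    token: Optional[str] = None      # sessionToken or stateToken, depending on action
    factor_id: Optional[str] = None

def next_step(resp: dict, require_mfa: bool = True) -> NextStep:
    # Maps the authn response status to what the backend should do next.
    status = resp.get("status")
    if status == "SUCCESS":
        # A backend that expects MFA must not accept a bare SUCCESS: it means the
        # policy did not challenge the user, exactly the symptom reported in the thread.
        if require_mfa:
            return NextStep("reject")
        return NextStep("session", token=resp["sessionToken"])
    if status == "MFA_REQUIRED":
        factors = resp.get("_embedded", {}).get("factors", [])
        push = next((f for f in factors
                     if f.get("factorType") == "push" and f.get("provider") == "OKTA"), None)
        if push is None:
            return NextStep("reject")
        return NextStep("verify_factor", token=resp["stateToken"], factor_id=push["id"])
    if status == "MFA_ENROLL":
        return NextStep("enroll", token=resp["stateToken"])
    return NextStep("reject")

def verify_request(org_domain: str, step: NextStep) -> tuple:
    # Builds the factor verification call (URL, body) that carries the stateToken forward.
    url = f"https://{org_domain}/api/v1/authn/factors/{step.factor_id}/verify"
    return url, {"stateToken": step.token}
```

For a push factor the verify call returns "MFA_CHALLENGE" with `factorResult` "WAITING" until the user approves on the phone, so the backend polls the same endpoint with the stateToken until the status changes.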
