Electronic Signatures 21 CFR Part 11 compliance

What is the best way to implement 21 CFR Part 11 compliance?

This is a use case where a user needs to verify they are who they say they are when making a change, e.g. they update a record, click save, and then we prompt them for their username and password. In this case the user is already logged in, but in order to be 21 CFR Part 11 compliant we need to ask them again to ensure that the user requesting the change is actually the user logged in.

Would prompting an Okta widget control work in this case, or would it cause token problems? What would be the best flow for this? Again, this is assuming the user has already been authenticated by Okta, has a token and is actively working on the site, but we're required to add this additional user verification when they do some sort of audit action.

Thanks!

In SAML, the forceAuthn flag should be used for this scenario:

https://wiki.shibboleth.net/confluence/display/SP3/ForceAuthn
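As an added illustration of the answer above (example code written for this page, not Okta's or Shibboleth's own), the following Python sketches both halves of the ForceAuthn round-trip the service provider owns: building an AuthnRequest with `ForceAuthn="true"`, and then checking the returned assertion so that the re-authentication actually counts for the audit action. Two checks matter for the 21 CFR Part 11 use case and are easy to skip: the `NameID` in the fresh assertion must equal the user who owns the existing web session (otherwise a different person could "sign"), and the `AuthnInstant` must not predate the request (an IdP that silently ignored ForceAuthn would hand back the old session's authentication time). The entity IDs, URLs, helper names and the unsigned sample Response are constructed for the demo, and XML signature validation is assumed to have been performed by your SAML library before `verify_reauth` runs.

```python
"""Illustrative SAML 2.0 ForceAuthn round-trip for a 21 CFR Part 11 style
re-authentication step (example code, not Okta's or any library's API)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
TS = "%Y-%m-%dT%H:%M:%SZ"  # whole-second UTC timestamps (assumption for the demo)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, now=None):
    """Return (request_id, xml). ForceAuthn="true" instructs the IdP to
    re-authenticate the user even though an IdP session already exists."""
    now = now or datetime.now(timezone.utc)
    request_id = "_" + uuid.uuid4().hex
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": now.strftime(TS),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ForceAuthn": "true",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(req, encoding="unicode")


def verify_reauth(response_xml, request_id, request_issued_at, session_user,
                  max_skew=timedelta(seconds=60)):
    """Check that a Response proves a *fresh* re-authentication by the *same*
    user who owns the web session. Signature validation is assumed to have been
    done by the SAML library before this is called."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != request_id:
        return False, "response does not answer our request (InResponseTo)"
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.text != session_user:
        return False, "re-authenticated user differs from session user"
    stmt = root.find(".//saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement in assertion"
    authn_at = datetime.strptime(stmt.get("AuthnInstant"), TS).replace(tzinfo=timezone.utc)
    # An IdP that ignored ForceAuthn reuses the old session and reports an
    # AuthnInstant older than our request: reject that as stale.
    if authn_at < request_issued_at - max_skew:
        return False, "AuthnInstant predates the request: IdP reused an old session"
    return True, "fresh re-authentication by the session user"


def make_sample_response(in_response_to, name_id, authn_instant):
    """Constructed, unsigned sample Response for demonstration only."""
    ts = authn_instant.strftime(TS)
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
  Version="2.0" InResponseTo="{in_response_to}" IssueInstant="{ts}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{ts}">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="{ts}" SessionIndex="_s1">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Run the three outcomes a service provider must distinguish."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    rid, _ = build_authn_request("https://sp.example.com", "https://sp.example.com/acs",
                                 "https://idp.example.com/sso", now=t0)
    user = "alice@example.com"
    return {
        "fresh": verify_reauth(make_sample_response(rid, user, t0 + timedelta(seconds=5)), rid, t0, user)[0],
        "stale": verify_reauth(make_sample_response(rid, user, t0 - timedelta(hours=1)), rid, t0, user)[0],
        "wrong_user": verify_reauth(make_sample_response(rid, "bob@example.com", t0 + timedelta(seconds=5)), rid, t0, user)[0],
        "wrong_request": verify_reauth(make_sample_response("_other", user, t0 + timedelta(seconds=5)), rid, t0, user)[0],
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the request ID and its issue time are stored server-side against the pending audit action, and the action is only committed when `verify_reauth` returns true; the request ID is then discarded so the same assertion cannot be replayed for a second change.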