Potential duplicate question, but is there a way in the meantime to prevent authentication depending on the response of an external API call?
Inline hooks don’t seem to cater for that use case.
I simply would like to check an external API either with username or IP address to decide whether the authentication attempt should be allowed or not.
You can configure sign-on policies that will also check on the source IP, and you can even set certain IPs to be blacklisted using network zones.
Ok, but I’m looking for a dynamic configuration, and besides IP I would like to check if the user is, for example, on a temporary ban list. Any status configuration would not work in that case.
What about temporarily suspending these users in Okta? They won’t be able to authenticate until/unless they are re-activated.
Sorry, I guess this is a case where I didn’t exactly describe what I’m trying to solve. We would like to have a metric that assigns a risk number to a user and, if it exceeds a threshold, block them from logging in to certain Okta apps, for example. We don’t want to configure this statically or suspend the user completely. I think this is similar to Okta risk scores but then custom made, outside of Okta.
I don’t see a way of handling this OOTB with Okta. Maybe your application could simply deprovision the users from these apps based on the risk numbers you collect outside of Okta?
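
The deprovisioning approach suggested in the last reply, sketched as an added example that is not part of the thread or Okta's own code: it compares externally collected risk scores against a threshold and plans app assignment changes through the Okta Apps API. The org URL, threshold, user and app IDs, and the fail-closed handling of users with no score are assumptions.

```python
import json
import urllib.request

OKTA_ORG = "https://example.okta.com"  # placeholder org URL (assumption)
THRESHOLD = 70                         # hypothetical risk cut-off

# Constructed sample data, not real users or apps.
RISK = {"u_alice": 12, "u_bob": 91, "u_dave": 30}           # external scores
ENTITLED = {"app_payroll": {"u_alice", "u_bob", "u_carol", "u_dave"}}
ASSIGNED = {"app_payroll": {"u_alice", "u_bob", "u_carol"}}  # state in Okta


def plan_changes(risk, entitled, assigned, threshold=THRESHOLD):
    """Return sorted (action, app_id, user_id) tuples to apply in Okta."""
    plan = []
    for app_id, users in entitled.items():
        current = assigned.get(app_id, set())
        for user_id in users:
            score = risk.get(user_id)
            # Fail closed (assumption): no score counts as over the threshold.
            blocked = score is None or score > threshold
            if blocked and user_id in current:
                plan.append(("unassign", app_id, user_id))
            elif not blocked and user_id not in current:
                plan.append(("assign", app_id, user_id))
    return sorted(plan)


def build_request(action, app_id, user_id, api_token):
    """Build, without sending, the Okta Apps API request for one plan entry."""
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    if action == "unassign":
        url = f"{OKTA_ORG}/api/v1/apps/{app_id}/users/{user_id}"
        return urllib.request.Request(url, method="DELETE", headers=headers)
    headers["Content-Type"] = "application/json"
    body = json.dumps({"id": user_id}).encode()
    url = f"{OKTA_ORG}/api/v1/apps/{app_id}/users"
    return urllib.request.Request(url, data=body, method="POST", headers=headers)


if __name__ == "__main__":
    for step in plan_changes(RISK, ENTITLED, ASSIGNED):
        req = build_request(*step, api_token="PLACEHOLDER_TOKEN")
        print(req.get_method(), req.full_url)  # send with urllib.request.urlopen(req)
```

Unassigning a user only stops new sign-ins to that app through Okta; sessions the app has already issued are governed by the app itself.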