Prevent authentication based on external signal

Potential duplicate question but is there a way in the meanwhile to prevent authentication depending on response of an external API call?

Inline hooks don’t seem to cater for that use case.

I simply would like to check an external API either with username or IP address to decide whether the authentication attempt should be allowed or not.

you can configure sign-on policies that will also check on the source IP and you can even set certain IPs to be blacklisted using network zones

Ok, but I’m looking for a dynamic configuration and besides IP I would like to check if the user is for example on a temporary ban list. Any status configuration would not work in that case.

What about temporarily suspending these users in Okta? They won’t be able to authenticate until/unless they are re-activated.

Sorry, I guess this is a case where I didn’t exactly describe what I’m trying to solve. We would like to have a metric that assigns a risk number to a user and if it exceeds a threshold block them to login to certain Okta apps for example. We don’t want to configure this statically or suspend the user completely. I think this is similar to Okta risk scores but then custom made, outside of Okta.

I don’t see a way of handling this OOTB with Okta. Maybe your application could simply deprovision the users from these apps based on the risk numbers you collect outside of Okta?