Secondary authentication for sensitive areas

Hello all,

We develop an application which, for regulatory reasons, must prompt the user for their credentials when they attempt to edit sensitive data. We are looking at integrating with Okta for SAML SSO, and the initial login part looks like it should work fine. However, when we need to prompt the user for their credentials in the sensitive areas of the app, we would like to use our current flow, which is a simple modal that asks them for their username and password, which is then checked against our backend. We would like to only change our backend so that instead of checking our own database, it would send a request to Okta to confirm the user’s credentials.

After reviewing the docs, it looks like this is a good use case for Step Up Authentication, however this would involve a redirect from Okta which we don’t want. Is there a problem with simply using the primary authentication endpoint for this? Or is there a better way?
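An added example (not code from the original post or from Okta) of the backend half of the flow described above: the modal's credentials are posted to Okta's primary authentication endpoint instead of the local database, and the result is accepted only if the account that authenticated is the one already bound to the session. The org URL, the `/api/v1/authn` request/response shape, and the `fake_okta` responses are assumptions constructed for this example.

```python
import json
from typing import Callable

OKTA_ORG = "https://example.okta.com"   # hypothetical org URL; constructed
AUTHN_PATH = "/api/v1/authn"            # Okta primary authentication endpoint (assumed shape)

# A transport is any callable (url, json_body) -> (http_status, parsed_json).
# Injected so the re-auth check can be exercised offline with constructed replies.
Transport = Callable[[str, dict], tuple]


def reauthenticate(session_login: str, username: str, password: str,
                   transport: Transport) -> bool:
    """Confirm the already signed-in user's credentials against Okta.

    Returns True only when Okta reports SUCCESS *and* the account that
    authenticated is the one bound to the current session. Without the
    identity check, any valid Okta account could unlock another user's edit.
    """
    # Refuse to forward credentials if the modal submitted a different login.
    if username.strip().lower() != session_login.strip().lower():
        return False
    status, body = transport(OKTA_ORG + AUTHN_PATH,
                             {"username": username, "password": password})
    # MFA_REQUIRED, LOCKED_OUT, PASSWORD_EXPIRED and 401 errors are all
    # treated as a failed re-authentication, not as partial success.
    if status != 200 or body.get("status") != "SUCCESS":
        return False
    # Bind the result to the session identity using Okta's own view of the user.
    login = body.get("_embedded", {}).get("user", {}).get("profile", {}).get("login", "")
    return login.lower() == session_login.strip().lower()


def urllib_transport(url: str, payload: dict) -> tuple:
    """Real transport for production use (standard library only)."""
    import urllib.error, urllib.request
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, json.load(e)


def fake_okta(url: str, payload: dict) -> tuple:
    """Constructed stand-in for Okta: only alice with the right password succeeds."""
    if payload == {"username": "alice@example.com", "password": "correct-horse"}:
        return 200, {"status": "SUCCESS",
                     "_embedded": {"user": {"profile": {"login": "alice@example.com"}}}}
    return 401, {"errorSummary": "Authentication failed"}  # constructed error body
```

In production, pass `urllib_transport` in place of `fake_okta`; the session login should come from the server-side SSO session, never from the modal.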

Hi ottermax, welcome!

To create an additional level of security, this is best handled by creating a group of applications that work with SSO and isolating the sensitive/secure portions in one or more applications. You can configure MFA at the application level and apply it to the required application(s). That way, when SSO kicks in as they move from one app to another, Okta will check the app they are entering and prompt for MFA if required as they enter.

The huge advantage here, and why this is a best practice, is that the code for the sensitive/secure application is not hanging out in memory with the less sensitive part. That keeps any exploits from being able to move into a sensitive area if the less-sensitive application is compromised.

You can also use this design to block folks who shouldn’t be entering these sensitive/secure areas at all. Simply do not assign them the sensitive/secure application.