Prompt for an MFA factor for a certain group
The Admin Console (Classic UI) is required for this guide.
The upper-left corner of the page should say Classic UI. If it says Developer Console, click the drop-down box to change it to Classic UI.
The following are step-by-step instructions to configure an Okta Sign-On Policy that prompts a user for a multifactor authentication (MFA) factor when the user is a member of a certain group.
In the Admin Console, navigate to Security and then Authentication.
Click the Sign On tab, and then click Add New Okta Sign-on Policy.
In the Add Policy window, enter a Policy Name, such as Require MFA for Contractors, and then enter a Policy Description.
In the Assign to Groups box, enter the group name that you want to apply the policy to. In this example, we are specifying the Contractor group in our org. The group names must already exist before assigning them to a policy.
Click Create Policy and Add Rule.
In the Add Rule window, add a descriptive name for the rule in the Rule name box, such as Require contractors to use MFA once per session.
If there are any users in the Contractor group that you want to exclude from the rule, enter them in the Exclude Users box.
For this use case example, leave the default of Anywhere in the If User's IP is drop-down box. For other use cases where you want to assign location parameters, you can specify what kind of location prompts authentication, for example, prompting a user for a factor when they aren't on the corporate network.
Note: You can click the Networks link to access the gateway settings that enable your choice of access. A network zone is a security perimeter used to limit or restrict access to a network based on a single IP address, one or more IP address ranges, or a list of geolocations. You can also create network zones using the Zone API.
Leave the default of Any in the And Authenticates via drop-down box.
Select Allowed from the Then Access is drop-down box to allow access based on the conditions defined.
Leave the Prompt for Factor check box selected so that users of the Contractor group are prompted for a factor before they are granted access. This check box appears only when at least one factor type is enabled in your org.
Note: Click the Multifactor Authentication link for quick access to the Authentication page and the Multifactor tab to define the factors that you want to use.
Use the option buttons to determine how users are prompted for MFA in a given session. In this example, leave the default of Per Session selected.
You can configure whether the factor prompt is triggered per device, at every sign-on, or per a session time that you specify:
- Per Device: Provides the option Do not challenge me on this device again on the end user MFA challenge dialog box. This option allows prompts solely for new devices.
- Every Time: End users are prompted every time they sign in to Okta and can't influence when they are prompted to provide a factor.
- Per Session: Provides the option Do not challenge me on this device for the next (minutes/hours/days) on the end user MFA challenge dialog box. You specify the Factor Lifetime below. When specifying per session, note that sessions have a default lifetime as configured, but sessions always end whenever users sign out of their Okta session.
For this use case example, leave the default Factor Lifetime of 15 minutes. Use these fields to specify how much time must elapse before the user is challenged for MFA.
The maximum lifetime period is six months. Setting a factor lifetime is a way for end users to sign out for the amount of time noted in the Factor Lifetime and not have to authenticate again with MFA at the next sign-in. End users must select a box when they sign in to confirm that the setting should be applied. An example is Do not challenge me on this device for the next 15 minutes. In this case, after signing out, there is no MFA prompt if the user signs in again within 15 minutes of the last sign-in with MFA. If users don't select the box, they are always prompted for MFA. The time since the last sign-in is noted at the bottom of the End-User Dashboard. However, end users must refresh the page to see the updated value.
For this use case example, leave the default Session Expires After setting of 2 hours. Use these fields to specify the maximum idle time before an authentication prompt is triggered. The maximum allowed time for this option is 90 days. This isn't the total connect time. This is idle time before users see a countdown timer at the 5-minute mark of remaining session time.
Note: You can set the maximum session lifetime value using the Okta APIs. If you previously set this value using the API, you can't exceed that maximum in the UI. Setting a value over the API maximum results in an error.
Click Create Rule.
Note: After you create a new policy, you must close all active sessions for the new policy to take effect.
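The same policy and rule can be created with the Okta Policy API instead of the Admin Console, which is useful when you want the configuration in version control or applied to several orgs. The following is an added example, not Okta's own code or part of this guide: it builds the OKTA_SIGN_ON policy assigned to a group, then the SIGN_ON rule with the settings chosen above (Anywhere, Any, Allowed, Prompt for Factor, Per Session, Factor Lifetime 15 minutes, Session Expires After 2 hours), and enforces the limits the guide states (six months for the factor lifetime, 90 days for idle time, and the API-set session lifetime as a cap). Field names follow the Okta Policy API as I understand it (POST /api/v1/policies and POST /api/v1/policies/{policyId}/rules, SSWS token auth); check them against your org's API reference. The org URL, API token and group ID are placeholders, and the six-month limit is interpreted here as 180 days.

```python
"""Create the guide's "Require MFA for Contractors" sign-on policy and rule via
the Okta Policy API. Added example, not Okta's code; API field names are
assumptions taken from the Okta Policy API and should be verified.
"""
import json
import urllib.request

# Option-button labels from the Admin Console mapped to API factorPromptMode values.
FACTOR_PROMPT_MODES = {"Per Device": "DEVICE", "Every Time": "ALWAYS", "Per Session": "SESSION"}

# Limits stated in the guide, expressed in minutes as the API expects.
MAX_FACTOR_LIFETIME_MIN = 180 * 24 * 60   # "six months", interpreted as 180 days (assumption)
MAX_SESSION_IDLE_MIN = 90 * 24 * 60       # "Session Expires After" maximum of 90 days


def build_policy(name, description, group_ids):
    """Policy body: an OKTA_SIGN_ON policy assigned to existing group IDs."""
    if not group_ids:
        raise ValueError("a policy must be assigned to at least one existing group")
    return {
        "type": "OKTA_SIGN_ON",
        "name": name,
        "description": description,
        "status": "ACTIVE",
        "conditions": {"people": {"groups": {"include": list(group_ids)}}},
    }


def build_rule(name, prompt_mode="Per Session", factor_lifetime_min=15,
               session_idle_min=120, session_lifetime_min=0, exclude_user_ids=()):
    """Rule body mirroring the Add Rule window: Anywhere, Any, Allowed, Prompt for Factor."""
    if prompt_mode not in FACTOR_PROMPT_MODES:
        raise ValueError(f"unknown prompt mode {prompt_mode!r}")
    if not 0 < factor_lifetime_min <= MAX_FACTOR_LIFETIME_MIN:
        raise ValueError("factor lifetime must be between 1 minute and six months")
    if not 0 < session_idle_min <= MAX_SESSION_IDLE_MIN:
        raise ValueError("session idle time must be between 1 minute and 90 days")
    # The guide notes that a maximum session lifetime set via the API caps what the
    # UI accepts; apply the same check here (0 means no lifetime maximum is set).
    if session_lifetime_min and session_idle_min > session_lifetime_min:
        raise ValueError("idle time cannot exceed the maximum session lifetime set via the API")
    return {
        "type": "SIGN_ON",
        "name": name,
        "conditions": {
            "network": {"connection": "ANYWHERE"},          # If User's IP is: Anywhere
            "authContext": {"authType": "ANY"},             # And Authenticates via: Any
            "people": {"users": {"exclude": list(exclude_user_ids)}},  # Exclude Users
        },
        "actions": {
            "signon": {
                "access": "ALLOW",                          # Then Access is: Allowed
                "requireFactor": True,                      # Prompt for Factor
                "factorPromptMode": FACTOR_PROMPT_MODES[prompt_mode],
                "factorLifetime": factor_lifetime_min,      # Factor Lifetime (minutes)
                "session": {
                    "usePersistentCookie": False,
                    "maxSessionIdleMinutes": session_idle_min,        # Session Expires After
                    "maxSessionLifetimeMinutes": session_lifetime_min,
                },
            }
        },
    }


def post_json(org_url, api_token, path, body):
    """POST a JSON body to the Okta API with an SSWS API token (network call)."""
    req = urllib.request.Request(
        f"{org_url}{path}",
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Authorization": f"SSWS {api_token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_policy_with_rule(org_url, api_token, group_id):
    """Create the policy, then attach the rule to it; returns both API responses."""
    policy = post_json(org_url, api_token, "/api/v1/policies",
                       build_policy("Require MFA for Contractors",
                                    "Contractors must use MFA once per session", [group_id]))
    rule = post_json(org_url, api_token, f"/api/v1/policies/{policy['id']}/rules",
                     build_rule("Require contractors to use MFA once per session"))
    return policy, rule


if __name__ == "__main__":
    # Offline preview of the request bodies; replace the placeholders before calling
    # create_policy_with_rule("https://ORG_URL_PLACEHOLDER", "API_TOKEN_PLACEHOLDER", "GROUP_ID_PLACEHOLDER").
    print(json.dumps(build_policy("Require MFA for Contractors", "Contractors must use MFA",
                                  ["GROUP_ID_PLACEHOLDER"]), indent=2))
    print(json.dumps(build_rule("Require contractors to use MFA once per session"), indent=2))
```

Run without arguments to print the two request bodies and compare them against what the Admin Console shows; only `create_policy_with_rule` talks to the org. As with the console, the group must exist before the policy is created, and the note above about closing active sessions applies equally to a policy created through the API.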