On this page
Understand authenticator enrollment policy API changes after the upgrade
Overview
Okta Identity Engine sets apart factors and authenticators to align with industry standards:
- Identity Engine uses authenticators in the settings for its authenticator enrollment policy.
- Classic Engine uses factors in the settings for its multifactor (MFA) enrollment policy.
In Identity Engine, the MFA Enrollment Policy name has changed to authenticator enrollment policy (opens new window). Classic Engine still refers to the same policy as the Multifactor (MFA) Enrollment Policy (opens new window). In the API, the policy type of MFA_ENROLL
remains unchanged, however, the settings
data contains authenticator or factors, depending on the configuration.
After you upgrade your org to Identity Engine, consider the following:
New authenticator enrollment policies that you create in the Admin Console are configured with authenticators.
Existing authenticator enrollment policies that you created before upgrading to Identity Engine are still configured with factors.
Existing authenticator enrollment policies that you save in the Admin Console have their factors converted to authenticators. The conversion is seamless to admins that manage policies in the Admin Console.
Note: Whether you edit the authenticator enrollment policy, when you click Update Policy in the Admin Console, the factor-to-authenticator conversion occurs.
Existing code that manages and uses authenticator enrollment policies through the Policy API (opens new window) requires some development work. After you upgrade your org, address the factor-to-authenticator conversion schema changes.
This guide provides key API considerations to upgrade your app for multifactor enrollment flows in Identity Engine.
Authenticator enrollment policy API changes in Identity Engine
The following are the main behavior changes to the authenticator enrollment policy (opens new window) in Identity Engine:
- The Policy API supports both factors and authenticator schemas in the settings (opens new window) for the authenticator enrollment policy.
- New authenticator enrollment policies contain either factors or authenticators in their settings (they’re mutually exclusive).
- Existing authenticator enrollment policies (that is, policies created before the Identity Engine upgrade) still contain factors in their settings.
- Authenticator enrollment policies modified from the Admin Console of an Identity Engine org have their factors converted to authenticators in their settings.
Note: For Identity Engine orgs with the Authenticator enrollment policy feature enabled, the new default authenticator enrollment policy created by Okta uses the authenticators setting schema. Existing default authenticator enrollment policies from a migrated org remain unchanged and still use the factors setting schema. If you want the default policy to use the authenticators setting schema, then modify the default policy. In the Admin Console, convert the settings from factors to authenticators.
Recovery authenticators
In Identity Engine, you can use authenticator-based authenticator enrollment policies to govern recovery authenticator enrollment for the password recovery flow. This feature isn't available for factor-based authenticator enrollment policies.
Both the password policy and the authenticator enrollment policy govern the enrollment of recovery authenticators (Email, phone, Okta Verify, and Security Question). For example, if the Email authenticator is enabled and set to Required
in the authenticator enrollment policy, then email enrollment is required for recovery even if it isn't required in the password policy.
Note: Password policy recovery authenticator settings supersede the authenticator enrollment policy settings. For example, if the phone authenticator is
Optional
orDisabled
for the authenticator enrollment policy, butRequired
for the password policy, then phone enrollment is required for the password recovery flow.
See password policy (opens new window) and Configure password policies (opens new window) for details on how to configure the password policy in the Admin Console.
Get authenticator enrollment policies
To parse a response from the GET /api/v1/policies?type=MFA_ENROLL
request, you must determine if the returned authenticator enrollment policy contains either authenticators
or factors
in the settings schema (opens new window).
Note: Another indicator of an authenticator-based enrollment policy is when
type=AUTHENTICATORS
in the settings schema (opens new window). Thetype
property could be absent from the response of factor-based authenticator enrollment policies.
If the returned policy uses authenticators
, loop through the list of policy authenticator objects (opens new window) and use the key
property to identify the authenticator. See the Authenticators API (opens new window) for more details on the available authenticators in your org.
If the returned policy uses factors
, you need to loop through every type of policy factor configuration object (opens new window), as you've done previously for your app.
Response example of an authenticator enrollment policy settings
snippet with authenticators:
"settings": {
"type": "AUTHENTICATORS",
"authenticators": [
{
"key": "security_question",
"enroll": {
"self": "OPTIONAL"
}
},
{
"key": "phone_number",
"enroll": {
"self": "REQUIRED"
}
}
]
}
Response example of an authenticator enrollment policy settings
snippet with factors:
"settings": {
"factors": {
"okta_question": {
"enroll": {
"self": "OPTIONAL"
},
"consent": {
"type": "NONE"
}
},
"okta_sms": {
"enroll": {
"self": "REQUIRED"
},
"consent": {
"type": "NONE"
}
}
}
}
Create an authenticator enrollment policy
To create an authenticator enrollment policy through the Policy API (opens new window), you need to provide the settings
schema with either the list of policy authenticator objects (opens new window) or policy factor configuration objects (opens new window) in the POST /api/v1/policies
request body parameters.
To create an authenticator enrollment policy in Identity Engine, use the Policies API (opens new window). To set the list of authenticators for the policy, use the Authenticators API (opens new window).
You can also create an authenticator enrollment policy with factors instead of authenticators to support legacy systems or workflows. Set the policy settings
to the factors schema with the policy factor configuration objects (opens new window).
Note: Configure the other policy parameters according to the Create a Policy (opens new window) API operation. Specifically, you need to include the
type=MFA_ENROLL
parameter for an authenticator enrollment policy.
Update an authenticator enrollment policy
To update an authenticator enrollment policy through the Update a Policy (opens new window) API operation, you need to provide the settings
schema with either the list of policy authenticator objects (opens new window) or policy factor configuration objects (opens new window) in the PUT /api/v1/policies/{policyId}
request body parameters.
Note: Configure the other policy parameters according to the Update a Policy (opens new window) API operation. This section focuses on the
settings
parameter required specifically for the authenticator enrollment policy.
If you need to convert an existing factor-based authenticator enrollment policy to use authenticators, then update the policy with authenticators in the settings
parameter. Use the Policy Factors Configuration object and Authenticator keys mapping table to map Policy Factors Configuration objects to authenticator keys. See the settings conversion example.
You can revert to the factor-based authenticator enrollment policy model. Modify an existing authenticator-based enrollment policy to a factored one. To convert the authenticator keys to Policy Factor Configuration objects, see the following:
- Policy factor configuration objects (opens new window)
- Policy Factors Configuration object and Authenticator keys mapping
Note: Your app might be integrated with systems like Terraform that you can't update to parse the authenticators-based enrollment policy. If so, revert your policy to use factors instead of authenticators.
Policy Factors Configuration object and Authenticator keys mapping
Policy Factors Configuration object | Authenticator keys |
---|---|
okta_sms okta_voice | phone_number |
okta_otp okta_push | okta_verify |
okta_question | security_question |
okta_email | email |
duo | duo |
fido_webauthn | security_key |
rsa_token | n/a |
sympantec_vip | n/a |
yubikey_token | n/a |
Authenticator enrollment policy settings conversion example
The following example shows the settings
schema conversion from a factor-based to an authenticator-based enrollment policy.
Original authenticator enrollment policy with factor settings:
"settings": {
"factors": {
"okta_question": {
"enroll": {
"self": "OPTIONAL"
},
"consent": {
"type": "NONE"
}
},
"okta_otp": {
"enroll": {
"self": "OPTIONAL"
},
"consent": {
"type": "NONE"
}
}
}
}
Converted authenticator enrollment policy with authenticator settings:
"settings": {
"type": "AUTHENTICATORS",
"authenticators": [
{
"key": "security_question",
"enroll": {
"self": "OPTIONAL"
}
},
{
"key": "okta_verify",
"enroll": {
"self": "OPTIONAL"
}
}
]
}