 

OKTA Sign-In Widget MFA

Tags:

okta

okta-api

I found a tutorial to build an Angular 4 app with OKTA's Sign-in Widget. It is great; I recommend it for anyone who's new to OKTA.

You can find it at this URL:

https://developer.okta.com/blog/2017/03/27/angular-okta-sign-in-widget

However, I have been unable to configure the widget to work for MFA and was unable to find a working example or relevant documentation.

I keep getting this message:

{name: "OAUTH_ERROR", message: "The client specified not to prompt, but the client app requires re-authentication or MFA."}

I checked out the Sign-In Widget reference page as well as the GitHub project and searched on Stack Overflow to no avail, so I figured I'd post the question here to see if anybody has a working example.

Thanks in advance!

RPeralta asked Mar 08 '23 00:03


1 Answer

There are a few places where you need to configure Multifactor Authentication (MFA) in Okta. In the Classic UI, go to Security->Authentication->Sign On. You need to create a new Okta Sign-On Policy, add a rule and make sure "Prompt for Factor" is checked. You then have the choice of Per Device, Every Time or Per Session. You select one of these depending on your security requirements. This selection is important, as it may conflict with the application MFA settings.

You'll also need to go to Security->Multifactor->Factor Enrollment and create a new policy or edit the default, and ensure that you have at least one eligible factor set to 'Required'. I'd suggest starting with SMS. Make sure that you have the appropriate groups assigned as well. To start, maybe just assign "Everyone" and then whittle it down after you get it working.

Next you need to configure multifactor for the application. Go to Applications->Applications and select your application. Then select the "Sign On" tab. At the bottom of the page you need to add a rule that will allow for MFA. After giving your access rule a name and adding any other required restrictions, check off "Prompt for factor" and select how often you want the user to be asked for another factor. This is the part that is tricky: if you selected Per Device above and then here select "once a month", it's possible that it won't work at all, or that you get authenticated and then get this error a month later. In my opinion there are two combination choices:
1) "Every Time" and a "Once a day/week/month" option, or 2) "Per Device" and then "Only once".

This is what I found anyway. Whatever you do, don't do what I did: select "Every Time" and "one month", get authenticated, then come back and change the authentication to "Per Device", and then get the error a month later after you've completely forgotten how it was configured.

M. Christensen answered May 16 '23 06:05
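The answer above fixes the policy side. The client side still has to cope with the error in the question, so here is an added example (not code from the question, the linked tutorial or Okta's SDK) showing the mechanism behind the message. An OpenID Connect authorize request sent with prompt=none tells the server never to show UI, so a sign-on policy that requires a factor cannot be satisfied and the server returns an error instead of tokens; the message "The client specified not to prompt, but the client app requires re-authentication or MFA." is the error_description of such a response. The example builds the silent and interactive authorize URLs, parses the redirect back to the app, checks the state parameter, and falls back to the interactive request when the server says the user must interact. Assumptions: the issuer, client id, redirect URI, state and nonce are placeholders; the sample callbacks are constructed, not captured from a tenant; and the error code is taken to be the OIDC login_required family (the page shows only the description, not the code).

```javascript
// Added example (not from the original post, the tutorial or Okta's SDK).
// Shows why a prompt=none request fails under an MFA-required policy and how
// a client should fall back to an interactive request instead of giving up.
// Issuer, client id, redirect URI, state and nonce are placeholders.

const ISSUER = 'https://example.okta.com/oauth2/default';      // placeholder
const CLIENT_ID = '0oaexampleclientid';                          // placeholder
const REDIRECT_URI = 'http://localhost:4200/implicit/callback';  // placeholder

// OIDC Core 3.1.2.6 error codes meaning "the end user must interact".
// Anything else is a hard failure and must not be retried in a loop.
const INTERACTION_ERRORS = new Set([
  'login_required', 'interaction_required', 'consent_required',
  'account_selection_required',
]);

// Build an /authorize URL. silent=true adds prompt=none (no login page, no
// MFA challenge); silent=false yields the interactive request. The implicit
// flow (id_token token) is used only because it matches the fragment-style
// callback parsed below; new apps should use authorization code with PKCE.
function buildAuthorizeUrl({ state, nonce, silent }) {
  const url = new URL(ISSUER + '/v1/authorize');
  const p = url.searchParams;
  p.set('client_id', CLIENT_ID);
  p.set('response_type', 'id_token token');
  p.set('scope', 'openid profile');
  p.set('redirect_uri', REDIRECT_URI);
  p.set('state', state);
  p.set('nonce', nonce);
  if (silent) p.set('prompt', 'none');
  return url.toString();
}

// Parse the redirect back to the app. Implicit-flow tokens and errors arrive
// in the URL fragment; fall back to the query string if there is no fragment.
function parseCallback(callbackUrl) {
  const url = new URL(callbackUrl);
  const raw = url.hash ? url.hash.slice(1) : url.search.slice(1);
  const p = new URLSearchParams(raw);
  return {
    state: p.get('state'),
    error: p.get('error'),
    errorDescription: p.get('error_description'),
    accessToken: p.get('access_token'),
    idToken: p.get('id_token'),
  };
}

// Decide what to do with the callback that answered a silent request.
// Returns {status: 'ok' | 'retry' | 'error', ...}. The state check comes
// first so a forged or replayed callback cannot steer the flow.
function handleSilentCallback(callbackUrl, expectedState, nonce) {
  const r = parseCallback(callbackUrl);
  if (r.state !== expectedState) {
    return { status: 'error', error: 'state_mismatch' };
  }
  if (r.error) {
    if (INTERACTION_ERRORS.has(r.error)) {
      // "The client specified not to prompt, but the client app requires
      // re-authentication or MFA." -> send the user through the interactive
      // flow, where the Sign-In Widget can render the factor challenge.
      return {
        status: 'retry',
        reason: r.errorDescription,
        nextUrl: buildAuthorizeUrl({ state: expectedState, nonce, silent: false }),
      };
    }
    return { status: 'error', error: r.error, reason: r.errorDescription };
  }
  if (!r.accessToken || !r.idToken) {
    return { status: 'error', error: 'missing_tokens' };
  }
  return { status: 'ok', accessToken: r.accessToken, idToken: r.idToken };
}

// Constructed sample callbacks (not captured from a real Okta tenant).
const SAMPLE_MFA_ERROR_CALLBACK =
  REDIRECT_URI + '#error=login_required' +
  '&error_description=The+client+specified+not+to+prompt%2C+but+the+client+app+requires+re-authentication+or+MFA.' +
  '&state=st123';
const SAMPLE_OK_CALLBACK =
  REDIRECT_URI + '#access_token=eyJhbGciOiJSUzI1NiJ9.sample.sig' +
  '&id_token=eyJhbGciOiJSUzI1NiJ9.sample.sig&token_type=Bearer&state=st123';

// Usage: a silent request that hits the MFA policy comes back as 'retry'
// with an interactive URL (no prompt=none) to navigate to.
const decision = handleSilentCallback(SAMPLE_MFA_ERROR_CALLBACK, 'st123', 'n0nce');
```

The point to take from this alongside the answer: after the policy is configured correctly, a client that only ever tries the silent path will still see this error on every re-authentication or factor prompt, because a factor challenge is, by definition, user interaction. The widget has to be given the interactive request at that point rather than treating the response as a fatal login failure.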