To maintain the link between Duo and Okta, the stateToken must be passed back when Duo calls the callback. Note: If Okta detects an unusual sign-in attempt, the end user will receive a 3-number verification challenge and the correct answer of the challenge will be provided in the polling response. "provider": "OKTA", User is assigned to a Sign-on Policy or App Sign-on Policy that requires additional verification and must select and verify a previously enrolled Factor by id to complete the authentication transaction. To complete the authentication process, make a call using the poll link to get the session token and verify the successful state. You can find Okta apps for Windows 10 in the Microsoft Store for Business, too. You must first enable the custom sign-in page for the application before using this API. "stateToken": "007ucIX7PATyn94hsHfOLVaXAmOBkKHWnOOLG43bsb", "API call exceeded rate limit due to too many requests. POST Enrolls a user with a Factor assigned by their MFA Policy. Represents the type of authentication.
Primary Authentication with Public Application, Primary Authentication with Trusted Application, Primary Authentication with Activation Token, Primary Authentication with Device Fingerprinting, Primary Authentication with Password Expiration Warning, improvements to the new device security behavior, Step-up authentication without Okta session, WebAuthn spec for PublicKeyCredentialCreationOptions, WebAuthn spec for PublicKeyCredentialRequestOptions, App ID of the target app the user is signing into, Provides additional context for the authentication transaction, Opt-in features for the authentication transaction, Token received as part of activation user request, User's non-qualified short-name (for example: dade.murphy) or unique fully-qualified sign in name (for example: dade.murphy@example.com), A globally unique ID identifying the user's client device or user agent, User's current password that is expired or about to expire, base64-encoded client data from U2F JavaScript call, base64-encoded registration data from U2F JavaScript call, base64-encoded attestation from the WebAuthn JavaScript call, base64-encoded client data from the WebAuthn JavaScript call, user's decision to send a push to the device automatically, base64-encoded client data from the U2F token, base64-encoded signature data from the U2F token, base64-encoded authenticator data from the WebAuthn authenticator, base64-encoded client data from the WebAuthn authenticator, base64-encoded signature data from the WebAuthn authenticator, Recovery Factor to use for primary authentication, User's non-qualified short-name (for example: dade.murphy) or unique fully-qualified sign-in name (for example: dade.murphy@example.com), optional status of last verification attempt for a given Factor, type of authentication transaction. These assignments can be used for dynamic responses in your enrollment and sign-in policies.
"username": "dade.murphy@example.com", As with the OAuth flow, the OpenID Connect Access Token is a value the Client doesn't understand. "stateToken": "007ucIX7PATyn94hsHfOLVaXAmOBkKHWnOOLG43bsb", } Registrations for Hands-on Training may be rescheduled or canceled without penalty up to five business days prior to the class start-date. How do I launch an app if I can't remember which tab I put it on? You should request additional applications from your company's helpdesk. "passCode": "123456" }', , // Convert activation object's challenge and user id from string to binary, // navigator.credentials is a global object on WebAuthn-supported clients, used to access WebAuthn API, // Get attestation and clientData from callback result, convert from binary to string, '{ Select the name of your app to open it when it appears. The requests and responses vary depending on the application type, and whether a password expiration warning is sent: Note: You must first enable MFA factors and assign a valid Sign-On Policy to a user to enroll and/or verify an MFA Factor during authentication. }', "https://{yourOktaDomain}/api/v1/users/00u4vi0VX6U816Kl90g4/factors/opfh52xcuft3J4uZc0g3/lifecycle/activate", "https://{yourOktaDomain}/api/v1/authn/factors/opfh52xcuft3J4uZc0g3/lifecycle/activate/email", "https://{yourOktaDomain}/api/v1/authn/factors/opfh52xcuft3J4uZc0g3/lifecycle/activate/sms", "https://{yourOktaDomain}/api/v1/authn/factors/opfh52xcuft3J4uZc0g3/lifecycle/activate", "https://{yourOktaDomain}/api/v1/users/opfh52xcuft3J4uZc0g3/factors/opfn169oIx3k63Klh0g3/qr/20111huUFWDFTAeq_lFQKfKFS_rLABkE_pKgGl5PBUeLvJVmaIrWq5u", '{ An authentication or recovery transaction has one of the following states: You advance the authentication or recovery transaction to the next state by posting a request with a valid state token to the next link relation published in the JSON HAL links object for the response.
According to The response is different, depending on whether the request is for a public application or a trusted application. }', "00BClWr4T-mnIqPV8dHkOQlwEIXxB4LLSfBVt7BxsM", "https://{yourOktaDomain}/assets/img/logos/salesforce_logo.dbd7e0b4de118a1dae1c39d60a3c30e5.png", '{ See https://www.duosecurity.com/docs/duoweb for more info. The Duo SDK will automatically bind to this form and submit it for us. "provider": "FIDO", This object is used for dynamic discovery of related resources and operations. Your final exam result will be sent to you via email within seven (7) days of taking your exam. Every authentication transaction starts with primary authentication which validates a user's primary password credential. }', "https://{yourOktaDomain}/api/v1/authn/factors/clf198rKSEWOSKRIVIFT/lifecycle/activate", "https://{yourOktaDomain}/api/v1/authn/factors/clf198rKSEWOSKRIVIFT/lifecycle/resend", '{ Okta recommends using a secure, HTTP-only cookie with a random/unique value on the customer's domain as the default implementation. For example, if the custom sign-in page is set as https://login.example.com, then Okta will redirect to https://login.example.com?stateToken=. In the case of an Okta emergency, contact your Okta admin. }', "00BlN4kOtm7wNxuM8nuXsOK1PFXBkvvTH-buJUrgWX", "https://{yourOktaDomain}/api/v1/authn/factors/dsflnpo99zpfMyaij0g3/lifecycle/duoCallback", "https://{yourOktaDomain}/js/sections/duo/Duo-Web-v2.js", "https://{yourOktaDomain}/api/v1/authn/factors/dsflnpo99zpfMyaij0g3/lifecycle/activate/poll",