Skip to main content

Configure XFA on Okta as an Authenticator

Note: This guide assumes that you have an account set up with XFA for your organization and you're an admin for that organization on both XFA and Okta. If you do not have an account, you can create one at

To make sure that every device in your organization is secure, XFA can be configured on Okta to verify each device as part of the authentication of all applications connected to Okta. This guide will walk you through the steps to configure XFA as an Authenticator and enforce it's usage.

Create an integration in XFA Dashboard

After logging in to the XFA Dashboard, navigate to the Integrations page, click on New and select Okta as the integration type. You'll receive the following information:

  • Issuer URI
  • Single Sign-On URL
  • a certificate you can download by clicking on Download Certificate.

Keep this information handy as you'll need it in the next step.

Note: You'll fill in the remaining information after the creation of the Identity Provider in Okta. Leave the tab open for now.

Create a trusted IdP in Okta to use as authenticator

In Okta, navigate to Security > Identity Providers and click on Add Identity Provider.

Select the SAML 2.0 IdP option, click Next and fill in the following information:

  • Name: XFA
  • IdP Usage: Factor only (do not enable 'Account matching with Persistent Name ID')
  • IdP Issuer URI: (Issuer URI from the previous step)
  • IdP Single Sign-On URL: (Single Sign-On URL from the previous step)
  • IdP Signature Certificate: (Upload the certificate you downloaded from the previous step)
  • Request Binding: HTTP-POST
  • Request Signature: (disabled)
  • Response Signature Algorithm: SHA-256
  • Destination: (leave empty)
  • Okta Assertion Consumer Service URL: Trust-specific
  • Max Clock Skew: (leave on default setting)

Click Finish to create the IdP.

You'll receive information about your created Identity Provider, copy the following values for the next step:

  • Assertion Consumer Service URL
  • Audience URI

Complete the integration in XFA Dashboard

Go back to the XFA Dashboard and fill in the remaining information for the Okta integration:

  • Assertion Consumer Service URL: (Assertion Consumer Service URL from the previous step)
  • Audience URI: (Audience URI from the previous step)

Click Next to save the integration and tweak any policies you want to change.

Add the XFA trusted IdP as Authenticator in Okta

To make the factor-only trusted IdP available as an authenticator, navigate to Security > Authenticator and click on Add Authenticator.

Select the IdP Authenticator option and select the IdP created in the previous steps by the name (e.g. XFA).

Next steps

Make XFA optionally available for users

As a first step, you can make the authenticator optionally available for users. This way, users can choose to use XFA as an MFA authenticator when logging in to applications connected to Okta. This is great to try out XFA before enforcing it for all users.

To confirm that the authenticator is available for users, navigate to Security > Authenticators > Enrollment > and select the relevant policy (or create one) for the users you want to target. The XFA authenticator should be available in the list of authenticators and not be marked as 'disabled'.


Won't I lose my 2FA identity verification?
As XFA will completely replace the other authentication methods, an extra feature called 'silent MFA' will be released in the coming weeks. This feature will allow you to verify your identity through known devices which you've explicitly trusted with XFA.

Make XFA required for users or applications

Under Security > Authentication policies, you can create a new policy or edit an existing one to enforce the use of XFA for specific users, devices or applications. This way, you can ensure that every targetted device is verified by XFA before they can access any application connected to Okta.

  1. Make sure 2 factors are required: When you open a policy, under Rules, the relevant rule for your targetted user or device must specify 'User must authenticate with': Any 2 factor types to allow for both a password and XFA

  2. To enforce XFA as the second factor (taking responsibility for both the identity and device verification), either select requirements for the possession factor that would exclude all other methods in the rule or limit the available authenticators to the user under Security > Authenticators > Enrollment.