From 83989ed78bfbaa14508f2804224d3b30e7ae7439 Mon Sep 17 00:00:00 2001 From: Mindy Moreland Date: Sun, 8 Feb 2026 10:22:20 -0800 Subject: [PATCH 1/2] Clarify Microsoft Entra validation modes for step-up auth Update the step-up authentication doc to better explain the two validation modes available for Microsoft Entra: - OIDC mode: Uses max_age for re-authentication (simpler setup) - ACRS mode: Uses Authentication Context Class References (more control) Changes: - Update intro table to explain how each mode works - Rename tab titles to include mode names - Add note explaining ID tokens requirement for OIDC mode - Update FAQ with clearer guidance on which mode to choose Related: PR #13443 Co-Authored-By: Claude Opus 4.5 --- product/admin/step-up-auth.mdx | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/product/admin/step-up-auth.mdx b/product/admin/step-up-auth.mdx index 1b32193..7c54b56 100644 --- a/product/admin/step-up-auth.mdx +++ b/product/admin/step-up-auth.mdx @@ -6,7 +6,7 @@ description: Require additional authentication for sensitive approvals to enhanc sidebarTitle: Step-up authentication --- -{/* Editor Refresh: 2026-02-01 */} +{/* Editor Refresh: 2026-02-08 */} **Early access.** This feature is in early access, which means it's undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Please contact our Support team if you'd like to try it out or have any feedback. 
@@ -131,15 +131,15 @@ For general approvals with moderate sensitivity, use `urn:okta:loa:2fa:any`. For ## Microsoft Entra integration guide -Microsoft Entra supports two approaches for step-up authentication: +Microsoft Entra supports two validation modes for step-up authentication: -| Approach | Best for | Complexity | +| Validation mode | How it works | Best for | | --- | --- | --- | -| Cloud Apps | Simpler setup, most deployments | Lower | -| Authentication Contexts | Granular control, multiple authentication levels | Higher | +| **OIDC** (Require re-authentication) | Uses OAuth max_age to force re-authentication. Pair with a Conditional Access policy targeting the Cloud App to require MFA. | Simpler setup, most deployments | +| **ACRS** (Require authentication context) | Uses Microsoft's Authentication Context Class References. Requires creating authentication contexts and targeting them with Conditional Access policies. | Granular control, multiple authentication levels | - + This approach uses Conditional Access policies targeting the ConductorOne Cloud App. It's recommended for most deployments. @@ -161,6 +161,10 @@ This approach uses Conditional Access policies targeting the ConductorOne Cloud 2. Under **Implicit grant and hybrid flows**, check **ID tokens (used for implicit and hybrid flows)**. 3. Click **Save**. + +ID tokens are required for OIDC validation mode. Without this setting, you'll receive an "ID token not found in response" error. + + #### Step 3: Configure API permissions 1. Go to **Manage** > **API permissions**. @@ -219,7 +223,7 @@ Collect these values from Azure: | MFA not being enforced | Verify the Conditional Access policy is enabled and targets the correct Cloud App | - + This approach uses Microsoft's authentication contexts for more granular control. Use this when you need different authentication levels for different scenarios. 
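Review bot: In the intro-table hunk, the OIDC row's "Uses OAuth max_age" should read "OpenID Connect max_age", and the row should say what is actually verified on return, presumably that the ID token's `auth_time` is no older than max_age (please confirm against the implementation). More important for a reader choosing a mode, the row should state plainly that in OIDC mode the token carries no evidence that MFA happened: MFA is enforced only by the Conditional Access policy, so if that policy is off or does not cover the approving user, step-up silently becomes a password re-prompt. The Troubleshooting row "MFA not being enforced" already implies this; one sentence in the table would make the trade-off explicit, e.g. "MFA comes only from your Conditional Access policy; ConductorOne cannot verify it from the token in this mode."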
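Review bot: The new note under Step 2 gives the symptom ("ID token not found in response") but not the reason an authorization-code client needs the "ID tokens (used for implicit and hybrid flows)" checkbox. That checkbox lets the app registration return ID tokens directly from the authorize endpoint (implicit and hybrid response types), which is broader than the code flow alone needs. Suggest stating which response type ConductorOne sends in OIDC mode, so admins understand the setting is required rather than an extra flow left enabled. Also, the note exists only in the OIDC tab; if ACRS mode reads the ACRS claim from an ID token, the same step and note belong in the ACRS tab, whose Steps 1 through 6 never enable ID tokens.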
@@ -348,8 +352,8 @@ If the identity provider is unavailable, users can't complete the step-up authen Yes. The feature works on both web browsers and mobile devices using standard OAuth 2.0 redirect flows. -**Which Microsoft Entra approach should I use?** +**Which Microsoft Entra validation mode should I use?** -For most deployments, the Cloud Apps approach is recommended due to its simpler setup. Use the Authentication Contexts approach if you need multiple authentication contexts for different scenarios. +For most deployments, **OIDC mode** (Cloud Apps approach) is recommended due to its simpler setup—you don't need to create authentication contexts. Use **ACRS mode** (Authentication Contexts approach) if you need multiple authentication contexts for different scenarios or require the ACRS claim in the token for compliance purposes. From fe14aaec9606271ad8a997ce01f9acf9de2ecd2e Mon Sep 17 00:00:00 2001 From: Mindy Moreland Date: Sun, 8 Feb 2026 10:26:29 -0800 Subject: [PATCH 2/2] Convert numbered lists to Steps components Replace numbered procedural lists with components for better visual formatting and consistency with other docs. Co-Authored-By: Claude Opus 4.5 --- product/admin/step-up-auth.mdx | 332 +++++++++++++++++++++++++-------- 1 file changed, 258 insertions(+), 74 deletions(-) diff --git a/product/admin/step-up-auth.mdx b/product/admin/step-up-auth.mdx index 7c54b56..a8fd622 100644 --- a/product/admin/step-up-auth.mdx +++ b/product/admin/step-up-auth.mdx 
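Review bot: In the FAQ hunk of PATCH 1/2, the guidance frames the choice purely as setup effort, but the two modes differ in what the approval decision can rely on. Suggest one more sentence: in OIDC mode, ConductorOne can only confirm that the user re-authenticated recently and trusts the Conditional Access policy to have required MFA; in ACRS mode, the token itself carries the claim that the named authentication context (for example C1) was satisfied. That makes ACRS the mode to pick when an approval must be verifiably MFA-gated, not only "for compliance purposes".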
@@ -60,10 +60,20 @@ Before you configure step-up authentication, make sure you have: To add a provider: -1. Navigate to **Admin** > **Settings** > **Step Up Authentication**. -2. Click **Add Step Up provider**. -3. Select your provider type (OAuth2 or Microsoft Entra). -4. Complete the configuration fields for your provider. + + +Navigate to **Admin** > **Settings** > **Step Up Authentication**. + + +Click **Add Step Up provider**. + + +Select your provider type (OAuth2 or Microsoft Entra). + + +Complete the configuration fields for your provider. + + See the [Okta integration guide](#okta-integration-guide) or [Microsoft Entra integration guide](#microsoft-entra-integration-guide) below for detailed setup instructions. @@ -71,9 +81,17 @@ See the [Okta integration guide](#okta-integration-guide) or [Microsoft Entra in After configuring a provider, test it before using it in production: -1. Click **Test Step Up** on the provider detail page. -2. Complete the authentication flow with your identity provider. -3. Verify you're redirected back to ConductorOne with a success message. + + +Click **Test Step Up** on the provider detail page. + + +Complete the authentication flow with your identity provider. + + +Verify you're redirected back to ConductorOne with a success message. + + Successful tests update the "Last Tested" timestamp on the provider. 
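Review bot: The "Test Step Up" steps in the second hunk verify only the success path. Because OIDC mode for Entra relies on the Conditional Access policy for MFA (see the intro table), a test that merely redirects back with a success message also passes when the policy is disabled or does not cover the tester. Suggest adding a verification step: confirm that the identity provider actually prompted for a second factor during the test, and repeat the test with an account outside the policy's **Users** scope to see that it is prompted only for a password, which shows why the policy scope must include every approver.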
@@ -81,38 +99,74 @@ Successful tests update the "Last Tested" timestamp on the provider. ### Create an Okta application -1. Log in to your Okta Admin Dashboard. -2. Navigate to **Applications** > **Applications**. -3. Click **Create App Integration**. -4. Select **OIDC - OpenID Connect** and **Web Application**, then click **Next**. -5. Configure the application: + + +Log in to your Okta Admin Dashboard. + + +Navigate to **Applications** > **Applications**. + + +Click **Create App Integration**. + + +Select **OIDC - OpenID Connect** and **Web Application**, then click **Next**. + + +Configure the application: - **Name**: ConductorOne Step Up Authentication - **Grant type**: Authorization Code - **Sign-in redirect URIs**: `https://accounts.conductor.one/auth/callback` - **Controlled access**: Select options based on your security requirements -6. Click **Save**. -7. Copy the **Client ID** and **Client Secret** for use in ConductorOne. + + +Click **Save**. + + +Copy the **Client ID** and **Client Secret** for use in ConductorOne. + + ### Configure Okta authentication policies For granular control over authentication requirements: -1. Navigate to **Security** > **Authentication Policies**. -2. Create a policy specifically for ConductorOne Step Up Authentication. -3. Define rules that require stronger authentication methods (such as MFA). -4. Assign the policy to your ConductorOne Step Up application. + + +Navigate to **Security** > **Authentication Policies**. + + +Create a policy specifically for ConductorOne Step Up Authentication. + + +Define rules that require stronger authentication methods (such as MFA). + + +Assign the policy to your ConductorOne Step Up application. + + ### Add Okta as a step-up provider -1. In ConductorOne, navigate to **Admin** > **Settings** > **Step Up Authentication**. -2. Click **Add Step Up Provider**. -3. Select **OAuth2 (RFC 9470 compliant)**. -4. 
Enter the following details: + + +In ConductorOne, navigate to **Admin** > **Settings** > **Step Up Authentication**. + + +Click **Add Step Up Provider**. + + +Select **OAuth2 (RFC 9470 compliant)**. + + +Enter the following details: - **Provider name**: Okta Step Up - **Issuer URL**: Your Okta domain (for example, `https://your-company.okta.com`) - **Client ID**: The Client ID from your Okta application - **Client secret**: The Client Secret from your Okta application - **ACR values**: Select values based on your security requirements + + ### Okta ACR values reference @@ -147,19 +201,37 @@ This approach uses Conditional Access policies targeting the ConductorOne Cloud #### Step 1: Create an app registration -1. Sign in to the [Azure Portal](https://portal.azure.com/) and navigate to **App registrations**. -2. Click **New registration**. -3. Configure the application: + + +Sign in to the [Azure Portal](https://portal.azure.com/) and navigate to **App registrations**. + + +Click **New registration**. + + +Configure the application: - **Name**: ConductorOne Step-Up Authentication - **Supported account types**: Accounts in this organizational directory only (Single tenant) - **Redirect URI**: Platform: Web, URI: `https://accounts.conductor.one/auth/callback` -4. Click **Register**. + + +Click **Register**. + + #### Step 2: Enable ID tokens -1. In your app registration, go to **Manage** > **Authentication**. -2. Under **Implicit grant and hybrid flows**, check **ID tokens (used for implicit and hybrid flows)**. -3. Click **Save**. + + +In your app registration, go to **Manage** > **Authentication**. + + +Under **Implicit grant and hybrid flows**, check **ID tokens (used for implicit and hybrid flows)**. + + +Click **Save**. + + ID tokens are required for OIDC validation mode. Without this setting, you'll receive an "ID token not found in response" error. 
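Review bot: In the "Add Okta as a step-up provider" steps, the Issuer URL example `https://your-company.okta.com` is the issuer of Okta's org authorization server; a custom authorization server has an issuer of the form `https://your-company.okta.com/oauth2/<id>`, and the two sign tokens with different keys. Since ACR values such as `urn:okta:loa:2fa:any` are named in the reference section, state which authorization server the integration expects and that the Issuer URL must match the token's `iss` claim exactly, or issuer validation fails. In the "Create an Okta application" steps, "Controlled access: Select options based on your security requirements" should add that every user who will approve step-up-gated requests must be assigned to the application, since an unassigned user is rejected by Okta before the step-up completes.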
@@ -167,18 +239,40 @@ ID tokens are required for OIDC validation mode. Without this setting, you'll re #### Step 3: Configure API permissions -1. Go to **Manage** > **API permissions**. -2. Click **Add a permission** and select **Microsoft Graph**. -3. Choose **Delegated permissions** and add: `openid`, `profile`, `email`. -4. Click **Add permissions**, then click **Grant admin consent for your organization**. + + +Go to **Manage** > **API permissions**. + + +Click **Add a permission** and select **Microsoft Graph**. + + +Choose **Delegated permissions** and add: `openid`, `profile`, `email`. + + +Click **Add permissions**, then click **Grant admin consent for your organization**. + + #### Step 4: Create a client secret -1. Navigate to **Manage** > **Certificates & secrets**. -2. Click **New client secret**. -3. Provide a description (for example, "ConductorOne Step-Up") and select an expiration period. -4. Click **Add**. -5. Copy the secret value immediately—you won't be able to view it again. + + +Navigate to **Manage** > **Certificates & secrets**. + + +Click **New client secret**. + + +Provide a description (for example, "ConductorOne Step-Up") and select an expiration period. + + +Click **Add**. + + +Copy the secret value immediately—you won't be able to view it again. + + Set a calendar reminder to rotate the secret before it expires. 
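Review bot: In the "Create a client secret" steps, "select an expiration period" gives no guidance, yet the trailing sentence asks admins to set a rotation reminder. Suggest recommending the shortest expiry the team can operate (Entra allows up to 24 months) and stating where rotation happens: the value lives in the ConductorOne provider's **Client secret** field (Part 2), so rotation means creating the new secret in Azure, updating the provider, re-running **Test Step Up**, and only then deleting the old secret; in any other order, approvals that require step-up fail until the provider is updated. The API-permissions step could also note that `openid`, `profile`, `email` are the only scopes needed and that no further Graph permissions should be granted to this registration.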
@@ -186,14 +280,24 @@ Set a calendar reminder to rotate the secret before it expires. #### Step 5: Create a Conditional Access policy -1. In the Azure Portal, navigate to **Microsoft Entra** > **Security** > **Conditional Access**. -2. Click **New policy**. -3. Configure the policy: + + +In the Azure Portal, navigate to **Microsoft Entra** > **Security** > **Conditional Access**. + + +Click **New policy**. + + +Configure the policy: - **Name**: Require MFA for ConductorOne Step-Up - **Users**: Include users or groups who will use step-up authentication - **Target resources**: Select **Cloud apps**, then choose the ConductorOne app registration you created - **Grant**: Select "Grant access" and check **Require multi-factor authentication** -4. Set **Enable policy** to **On** and click **Create**. + + +Set **Enable policy** to **On** and click **Create**. + + #### Step 6: Gather configuration values @@ -205,15 +309,25 @@ Collect these values from Azure: ### Part 2: Configure ConductorOne -1. Navigate to **Admin** > **Settings** > **Step Up Authentication**. -2. Click **Add Step Up Provider** and select **Microsoft Entra**. -3. Enter the configuration details: + + +Navigate to **Admin** > **Settings** > **Step Up Authentication**. + + +Click **Add Step Up Provider** and select **Microsoft Entra**. + + +Enter the configuration details: - **Provider name**: Microsoft Entra MFA - **Issuer URL**: `https://login.microsoftonline.com/{TENANT_ID}/v2.0` (replace `{TENANT_ID}` with your tenant ID) - **Client ID**: Your Application (client) ID from Azure - **Client secret**: The secret value from Step 4 - **Validation mode**: Select **Require re-authentication (OIDC)** -4. Save the configuration. + + +Save the configuration. + + ### Troubleshooting 
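Review bot: In the Conditional Access policy steps, "Users: Include users or groups who will use step-up authentication" is the single control that makes OIDC mode stronger than a password re-prompt, and the hunk does not warn about under-scoping. Suggest stating that every user who can approve a step-up-gated policy must be in scope, and that accounts commonly excluded from Conditional Access (break-glass or service accounts) should not hold approval rights, since an excluded user would satisfy the step-up without MFA. Also worth saying that **Report-only** is not sufficient; the policy must be **On**, as the last step already requires.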
@@ -231,49 +345,97 @@ This approach uses Microsoft's authentication contexts for more granular control #### Step 1: Create an app registration -1. Sign in to the [Azure Portal](https://portal.azure.com/) and navigate to **App registrations**. -2. Click **New registration**. -3. Configure the application: + + +Sign in to the [Azure Portal](https://portal.azure.com/) and navigate to **App registrations**. + + +Click **New registration**. + + +Configure the application: - **Name**: ConductorOne Step-Up Authentication - **Supported account types**: Accounts in this organizational directory only (Single tenant) - **Redirect URI**: Platform: Web, URI: `https://accounts.conductor.one/auth/callback` -4. Click **Register**. + + +Click **Register**. + + #### Step 2: Configure API permissions -1. Go to **Manage** > **API permissions**. -2. Click **Add a permission** and select **Microsoft Graph**. -3. Choose **Delegated permissions** and add: `openid`, `profile`, `email`. -4. Click **Add permissions**, then click **Grant admin consent for your organization**. + + +Go to **Manage** > **API permissions**. + + +Click **Add a permission** and select **Microsoft Graph**. + + +Choose **Delegated permissions** and add: `openid`, `profile`, `email`. + + +Click **Add permissions**, then click **Grant admin consent for your organization**. + + #### Step 3: Create a client secret -1. Navigate to **Manage** > **Certificates & secrets**. -2. Click **New client secret**. -3. Provide a description and select an expiration period. -4. Click **Add** and copy the secret value immediately. + + +Navigate to **Manage** > **Certificates & secrets**. + + +Click **New client secret**. + + +Provide a description and select an expiration period. + + +Click **Add** and copy the secret value immediately. + + #### Step 4: Create an authentication context -1. In the Azure Portal, navigate to **Microsoft Entra** > **Conditional Access**. -2. Click **New authentication context**. -3. 
Configure the context: + + +In the Azure Portal, navigate to **Microsoft Entra** > **Conditional Access**. + + +Click **New authentication context**. + + +Configure the context: - **Display name**: Step-Up for Approvals - **Description**: Required for approving sensitive access requests in ConductorOne - **Publish to apps**: Enable this option - **ID**: Select an available identifier (C1 through C99) -4. Click **Save** and note the ID you selected. + + +Click **Save** and note the ID you selected. + + #### Step 5: Create a Conditional Access policy -1. In Conditional Access, go to **Policies** and click **New policy**. -2. Configure the policy: + + +In Conditional Access, go to **Policies** and click **New policy**. + + +Configure the policy: - **Name**: Require MFA for Step-Up Context - **Users**: Include users or groups who will use step-up authentication - **Cloud apps**: Select the ConductorOne app registration - **Conditions** > **Authentication context**: Choose the context you created (for example, C1) - **Grant**: Select "Grant access" and check **Require multi-factor authentication** -3. Set **Enable policy** to **On** and click **Create**. + + +Set **Enable policy** to **On** and click **Create**. + + #### Step 6: Gather configuration values @@ -286,9 +448,15 @@ Collect these values from Azure: ### Part 2: Configure ConductorOne -1. Navigate to **Admin** > **Settings** > **Step Up Authentication**. -2. Click **Add Step Up Provider** and select **Microsoft Entra**. -3. Enter the configuration details: + + +Navigate to **Admin** > **Settings** > **Step Up Authentication**. + + +Click **Add Step Up Provider** and select **Microsoft Entra**. + + +Enter the configuration details: - **Provider name**: Microsoft Entra MFA - **Issuer URL**: `https://login.microsoftonline.com/{TENANT_ID}/v2.0` (replace `{TENANT_ID}` with your tenant ID) - **Client ID**: Your Application (client) ID from Azure 
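Review bot: In the ACRS tab's Step 5, the policy lists both "Cloud apps: Select the ConductorOne app registration" and "Conditions > Authentication context". In the Entra portal, Authentication context is chosen under **Target resources** (alongside Cloud apps and User actions), not under Conditions, and a policy targets either cloud apps or an authentication context, not both; please verify against the current portal and adjust the bullet list. Two consistency points against the OIDC tab: Step 3 here drops the "Set a calendar reminder to rotate the secret" advice, and there is no "Enable ID tokens" step even though PATCH 1/2's note says OIDC mode needs it; if ACRS mode reads the claim from the ID token, the same step is needed here.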
@@ -296,7 +464,11 @@ Collect these values from Azure: - **Validation mode**: Select **Require ACRS** - **Conditional Access IDs**: The authentication context ID(s) you created (for example, C1) - **Microsoft Tenant ID**: Your Azure tenant ID -4. Save the configuration. + + +Save the configuration. + + @@ -305,11 +477,23 @@ Collect these values from Azure: Once your provider is configured and tested, enable step-up authentication in your approval policies: -1. Navigate to **Policies** in ConductorOne. -2. Edit an existing policy or create a new one. -3. For any approval step, enable **Requires Step Up Authentication**. -4. Select your configured provider from the dropdown. -5. Save the policy. + + +Navigate to **Policies** in ConductorOne. + + +Edit an existing policy or create a new one. + + +For any approval step, enable **Requires Step Up Authentication**. + + +Select your configured provider from the dropdown. + + +Save the policy. + + When step-up authentication is enabled for an approval step, auto-approval is automatically disabled since there's no user to perform the additional authentication.
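Review bot: In the Part 2 hunk for ACRS mode, "Conditional Access IDs: The authentication context ID(s) you created" accepts several IDs, but the doc never says how more than one is evaluated: whether a token whose claim names any listed context passes, whether all must be present, and how ConductorOne chooses which context to request for a given approval. The FAQ recommends ACRS mode precisely for "multiple authentication levels", so this is the detail a reader of this tab needs. Also, the **Microsoft Tenant ID** field duplicates the tenant already embedded in the Issuer URL; say whether the two are cross-checked or which one is authoritative.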