Manual Chapter : Adding Okta MFA to a per-request policy

Applies To:

  • BIG-IP APM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 15.1.10, 15.1.9

back-action Okta MFA using Factors API

Updated Date: 04/30/2026

Adding Okta MFA to a per-request policy

Before you begin, the Okta site needs to be configured to enable APM policies to interact with Okta Factors API. You need to have created a per-request policy for Okta API.

For environments wanting to implement zero trust, APM lets you implement per-request policies that use Okta Multifactor Authentication (MFA) to authenticate requests at a more granular level. This example per-request policy performs a second level of authentication using Okta MFA, which must be created in a subroutine. Additional policy elements are added to make the use case work.

  1. On the Main tab, click Access > Profiles / Policies > Per-Request Policies.

    The Per-Request Policies screen opens.

  2. In the Per-Request Policy column of the policy you created, click Edit.

    The visual policy editor opens the per-request policy in a separate window.

  3. In the policy, click Add New Subroutine, change the name to Okta MFA, and click Save.

  4. Expand the subroutine, click (+) to add a new item.

  5. Click the Assignment tab, select Variable Assign, and click Add Item.

    This step is only needed when the Logon Page agent is configured in a per-session policy as in the use case being developed here. This step is not needed if the Logon Page agent is in the per-request policy.

    1. Click Add new entry, then click change.

    2. On the left, select Custom Variable, Secure, and type subsession.logon.last.username.

    3. On the right, select Session Variable and type session.logon.last.username.

      If, in the Logon Page agent, you enabled Split domain from full Username, then set the session variable to session.logon.last.logonname instead.

    4. Click Finished, then Save.

  6. Still in the subroutine, after Variable Assign, click (+) to add a new item.

  7. Click the Authentication tab, select Okta MFA, and click Add Item.

    1. For Okta Connector, select a previously created Okta Connector from the dropdown list.

    2. In the Customization section, you can optionally change the text and captions that will appear to users during multifactor authentication.

    3. Click Finished, then Save.

  8. Highly recommended: In the subroutine, click Subroutine Settings/Rename and set Subroutine Timeout to the maximum allowed value of 600, which is equal to 10 mins.

    If it takes the user more that two minutes to complete the Okta verification or enrollment and a subroutine timeout occurs, the per-request policy will restart.

  9. Still in the subroutine, click Edit Terminals to change the terminals:

    1. Click Add Terminal and add a terminal called Deny, make it red, and click Save.

    2. On the Fallback branch, click the terminal, select Deny, then click Save.

  10. In the main part of the policy, click (+) to add a new item.

  11. Click the Subroutines tab, select the Okta MFA subroutine you created, and click Add Item.

You created a simple per-request policy that performs Okta MFA, which is performed in the Okta MFA step-up subroutine. The per-request policy you created looks like this:

Make sure to associate the per-session policy and the per-request policy with the virtual server to protect the resources.