What’s step-up authentication?
When you enable step-up authentication for an approval step, users must complete additional identity verification before they can approve the request. This creates a clear security boundary and audit trail for critical actions. The flow works like this:- Users authenticate normally to access ConductorOne
- When attempting to approve sensitive requests, users are redirected to your identity provider
- The identity provider verifies the user with the required authentication factors (such as MFA)
- Upon verification, the approval is processed with an audit trail of the enhanced authentication
When to use step-up authentication
Consider enabling step-up authentication for approval workflows involving:- Administrative access (system admin, database admin roles)
- Production environment access
- Customer data access
- Financial systems access
- Critical infrastructure changes
- Privileged role assignments
Add a step-up authentication provider
ConductorOne supports two provider types:- OAuth2 providers (RFC 9470 compliant): Okta and other compliant providers
- Microsoft Entra: Uses Conditional Access policies or authentication contexts
Prerequisites
Before you configure step-up authentication, make sure you have:- The Super Administrator role in ConductorOne
- Administrator access to your identity provider (Okta or Microsoft Entra)
- The ability to create OAuth applications in your identity provider
- Microsoft Entra only: Microsoft Entra ID P1 or P2 license if using Conditional Access for MFA
See the Okta integration guide or Microsoft Entra integration guide below for detailed setup instructions.
Test your configuration
After configuring a provider, test it before using it in production:
Successful tests update the “Last Tested” timestamp on the provider.
Okta integration guide
Create an Okta application
Configure the application:
- Name: ConductorOne Step Up Authentication
- Grant type: Authorization Code
- Sign-in redirect URIs:
https://accounts.conductor.one/auth/callback - Controlled access: Select options based on your security requirements
Configure Okta authentication policies
For granular control over authentication requirements:Add Okta as a step-up provider
Enter the following details:
- Provider name: Okta Step Up
- Issuer URL: Your Okta domain (for example,
https://your-company.okta.com) - Client ID: The Client ID from your Okta application
- Client secret: The Client Secret from your Okta application
- ACR values: Select values based on your security requirements
Okta ACR values reference
| ACR value | Description | Security level |
|---|---|---|
urn:okta:loa:1fa:any | Any single-factor authentication | Low |
urn:okta:loa:1fa:pwd | Password authentication | Low |
urn:okta:loa:2fa:any | Any multi-factor authentication | Medium |
urn:okta:loa:2fa:any:ifpossible | MFA if available | Medium |
phr | Phishing-resistant authentication | High |
phrh | Phishing-resistant hardware | Very high |
Microsoft Entra integration guide
Microsoft Entra supports two validation modes for step-up authentication:| Validation mode | How it works | Best for |
|---|---|---|
| OIDC (Require re-authentication) | Uses OAuth max_age to force re-authentication. Pair with a Conditional Access policy targeting the Cloud App to require MFA. | Simpler setup, most deployments |
| ACRS (Require authentication context) | Uses Microsoft’s Authentication Context Class References. Requires creating authentication contexts and targeting them with Conditional Access policies. | Granular control, multiple authentication levels |
- OIDC mode (Cloud Apps)
- ACRS mode (Authentication Contexts)
This approach uses Conditional Access policies targeting the ConductorOne Cloud App. It’s recommended for most deployments.
Part 1: Configure Microsoft Entra
Step 1: Create an app registration
Sign in to the Azure Portal and navigate to App registrations.
Configure the application:
- Name: ConductorOne Step-Up Authentication
- Supported account types: Accounts in this organizational directory only (Single tenant)
- Redirect URI: Platform: Web, URI:
https://accounts.conductor.one/auth/callback
Step 2: Enable ID tokens
ID tokens are required for OIDC validation mode. Without this setting, you’ll receive an “ID token not found in response” error.
Step 3: Configure API permissions
Step 4: Create a client secret
Set a calendar reminder to rotate the secret before it expires.
Step 5: Create a Conditional Access policy
Configure the policy:
- Name: Require MFA for ConductorOne Step-Up
- Users: Include users or groups who will use step-up authentication
- Target resources: Select Cloud apps, then choose the ConductorOne app registration you created
- Grant: Select “Grant access” and check Require multi-factor authentication
Step 6: Gather configuration values
Collect these values from Azure:- Application (client) ID: Found in your app registration overview
- Client secret: The value you copied in Step 4
- Tenant ID: Located in Microsoft Entra > Overview
Part 2: Configure ConductorOne
Enter the configuration details:
- Provider name: Microsoft Entra MFA
- Issuer URL:
https://login.microsoftonline.com/{TENANT_ID}/v2.0(replace{TENANT_ID}with your tenant ID) - Client ID: Your Application (client) ID from Azure
- Client secret: The secret value from Step 4
- Validation mode: Select Require re-authentication (OIDC)
Troubleshooting
| Issue | Solution |
|---|---|
| ”ID token not found in response” | Enable ID tokens in the app’s Authentication settings (Step 2) |
| MFA not being enforced | Verify the Conditional Access policy is enabled and targets the correct Cloud App |
Enable step-up in policies
Once your provider is configured and tested, enable step-up authentication in your approval policies:When step-up authentication is enabled for an approval step, auto-approval is automatically disabled since there’s no user to perform the additional authentication.
End-user experience
When a task requires step-up authentication for approval:- The task displays a “Requires Step Up Authentication” indicator.
- Instead of a standard Approve button, users see Approve with Step Up.
- Clicking this button redirects the user to the configured identity provider.
- The user completes the required authentication steps (such as MFA).
- Upon successful authentication, the user is returned to ConductorOne.
- The approval is processed and an audit trail is created.
Frequently asked questions
How does step-up authentication affect automated approvals? When step-up authentication is enabled for an approval step, automated approvals are automatically disabled since there’s no user to perform the additional authentication. What happens if a user doesn’t have MFA enabled in the identity provider? The behavior depends on your ACR values and provider policies. In Okta, if the ACR value isurn:okta:loa:2fa:any:ifpossible, the system will use MFA if available but proceed without it if not. With strict MFA requirements, users without MFA can’t complete the approval.
Can different policies use different step-up providers?
Yes. Each approval step can be configured with a different step-up provider, allowing you to require different authentication strengths for different types of approvals.
How does this work with SSO?
Step-up authentication works outside of the SSO flow. Users still authenticate via SSO initially, but are prompted for additional verification when performing sensitive approvals based on the configured policy.
What happens during identity provider outages?
If the identity provider is unavailable, users can’t complete the step-up authentication flow.
Does this feature support mobile applications?
Yes. The feature works on both web browsers and mobile devices using standard OAuth 2.0 redirect flows.
Which Microsoft Entra validation mode should I use?
For most deployments, OIDC mode (Cloud Apps approach) is recommended due to its simpler setup—you don’t need to create authentication contexts. Use ACRS mode (Authentication Contexts approach) if you need multiple authentication contexts for different scenarios or require the ACRS claim in the token for compliance purposes.