Configure SSO and MFA

Opal supports MFA for 2 types of product functions:

  1. Opal logins: you can configure Opal to require MFA when a user logs in.
  2. Opal actions: you can configure resources in Opal to require MFA for requesting access, approving an access request, and/or connecting to a session.

Opal can be set up to require validation via its own MFA provider or via your Okta IdP's MFA provider.

Opal Login MFA

Toggle the "Require Opal MFA for logins" setting to enable Opal-managed MFA.

Alternatively, you can enable MFA through your SAML provider. In this case, be sure to disable this setting.

🔗 Okta MFA Configuration

Opal Actions MFA

MFA for Opal actions can be toggled on a per-action, per-resource level. Edit your resource to enable MFA.

To modify your MFA Provider settings for Opal Actions, navigate to Configuration > Settings > Authentication, and click "Configure" for the "MFA settings for gated Opal Actions".

We support three different options for MFA Providers:

  1. Opal managed MFA. Users will be able to register their MFA devices through Opal.
  2. 🔗 Okta managed MFA [Legacy]: Okta Verify and TOTP. Users may only use these two factors for MFA.
  3. 🔗 OIDC MFA. Opal supports any OIDC provider, including Okta and Azure, as an MFA solution.
    1. Once configured, users will be able to use any MFA method that your OIDC provider supports, including WebAuthn (Yubikey, TouchID, etc.) and TOTP.