# Configure SSO and MFA

> Learn how to set up MFA for Opal logins and actions.

Opal supports MFA for two types of product functions:

1. **Opal logins**: you can configure Opal to require MFA when a user logs in.
2. **Opal actions**: you can configure resources in Opal to require MFA for requesting access, approving an access request, and/or connecting to a session.

Opal can be set up to require validation via its own MFA provider or via your Okta IdP's MFA provider.

## Enable MFA for Opal logins

Toggle the **Require Opal MFA for logins** setting to enable Opal-managed MFA.

<img src="https://mintcdn.com/opalsecurity/E-CmJXh0QNjZUl4g/images/docs/5707446882be420a8db219704595c7f3edc10cd6d5c8c3505a9dab30b8486af2-auth-settings-require-opal-mfa.png?fit=max&auto=format&n=E-CmJXh0QNjZUl4g&q=85&s=bdf3bd497e1997bf36b5f905e3605936" alt="" width="2676" height="1453" data-path="images/docs/5707446882be420a8db219704595c7f3edc10cd6d5c8c3505a9dab30b8486af2-auth-settings-require-opal-mfa.png" />

Alternatively, you can enable MFA through your SAML provider. In that case, disable the **Require Opal MFA for logins** setting. See the [Okta multifactor authentication guide](/docs/okta-multifactor-authentication#using-okta-mfa-for-opal-logins) for more detail on the Okta configuration.

## Enable MFA for Opal actions

MFA for Opal actions can be toggled on a per-action, per-resource level. Edit your resource to enable MFA.

<img src="https://mintcdn.com/opalsecurity/TlQj9FwRe9HHNEYB/images/docs/1ab5ff9-mfa-settings.png?fit=max&auto=format&n=TlQj9FwRe9HHNEYB&q=85&s=8bd201a064a288d5d0499a459516f2e1" alt="" width="2958" height="1658" data-path="images/docs/1ab5ff9-mfa-settings.png" />

To modify your MFA Provider settings for Opal Actions, go to **Configuration > Settings > Authentication** and select **Configure** next to **MFA settings for gated Opal Actions**.

<img src="https://mintcdn.com/opalsecurity/lwwIeFbsleftxaXx/images/docs/cad2cf17e1b2c3a6b21ebc77d8d0d0fcca874dc18cc818ed4c5f988f2f99e1f6-auth-settings.png?fit=max&auto=format&n=lwwIeFbsleftxaXx&q=85&s=c50d0fa169b95e7f4763c0cab41c5ece" alt="" width="2959" height="1305" data-path="images/docs/cad2cf17e1b2c3a6b21ebc77d8d0d0fcca874dc18cc818ed4c5f988f2f99e1f6-auth-settings.png" />

Three different options for MFA providers are supported:

1. **Opal managed MFA**: Users can register their MFA devices through Opal.
2. **[Okta-managed MFA \[Legacy\]](/docs/okta-multifactor-authentication#using-okta-mfa-for-opal-actions-requesting-approving-connecting-legacy)**: Okta Verify and TOTP. Users may only use these two factors for MFA.
3. **[OIDC MFA](/docs/oidc-provider-setup-for-opal-actions)**: Opal supports any OIDC provider, including Okta and Azure, as an MFA solution. Once configured, users will be able to use any MFA method that your OIDC provider supports, including WebAuthn (YubiKey, Touch ID, etc.) and TOTP.

## Reset MFA for users

To reset MFA for an individual user, go to the **Inventory** > **Users** tab, then find the user detail page. Select the **...** dropdown on the upper right, then **Reset MFA for User**.

<img src="https://mintcdn.com/opalsecurity/KunPWigry5GIeB5g/images/docs/3baacd585e9372c052a5d8ce3fbbcd864931164562ecae5c6ad2bf727de6814f-reset-mfa.png?fit=max&auto=format&n=KunPWigry5GIeB5g&q=85&s=2702731793bba6c740046aeb1dd90704" alt="" width="2379" height="1188" data-path="images/docs/3baacd585e9372c052a5d8ce3fbbcd864931164562ecae5c6ad2bf727de6814f-reset-mfa.png" />

Follow the confirmation modal to finish resetting the user's MFA.

<img src="https://mintcdn.com/opalsecurity/KunPWigry5GIeB5g/images/docs/4cb856c8a488af2f88b255a9ab5bc317d06df55f1f2c37af4c3522cef5546c81-reset-confirmation.png?fit=max&auto=format&n=KunPWigry5GIeB5g&q=85&s=e3396004a01acc4e2bfc28d4a1d16466" alt="" width="2817" height="1205" data-path="images/docs/4cb856c8a488af2f88b255a9ab5bc317d06df55f1f2c37af4c3522cef5546c81-reset-confirmation.png" />
