What’s step-up authentication?
When you enable step-up authentication for an approval step, users must complete additional identity verification before they can approve the request. This creates a clear security boundary and audit trail for critical actions. The flow works like this:- Users authenticate normally to access ConductorOne
- When attempting to approve sensitive requests, users are redirected to your identity provider
- The identity provider verifies the user with the required authentication factors (such as MFA)
- Upon verification, the approval is processed with an audit trail of the enhanced authentication
When to use step-up authentication
Consider enabling step-up authentication for approval workflows involving:- Administrative access (system admin, database admin roles)
- Production environment access
- Customer data access
- Financial systems access
- Critical infrastructure changes
- Privileged role assignments
Add a step-up authentication provider
ConductorOne supports two provider types:- OAuth2 providers (RFC 9470 compliant): Okta and other compliant providers
- Microsoft Entra: Uses Conditional Access policies or authentication contexts
Prerequisites
Before you configure step-up authentication, make sure you have:- The Super Administrator role in ConductorOne
- Administrator access to your identity provider (Okta or Microsoft Entra)
- The ability to create OAuth applications in your identity provider
- Microsoft Entra only: Microsoft Entra ID P1 or P2 license if using Conditional Access for MFA
1
Navigate to Admin > Settings > Step Up Authentication.
2
Click Add Step Up provider.
3
Select your provider type (OAuth2 or Microsoft Entra).
4
Complete the configuration fields for your provider.
Test your configuration
After configuring a provider, test it before using it in production:1
Click Test Step Up on the provider detail page.
2
Complete the authentication flow with your identity provider.
3
Verify you’re redirected back to ConductorOne with a success message.
Okta integration guide
Create an Okta application
1
Log in to your Okta Admin Dashboard.
2
Navigate to Applications > Applications.
3
Click Create App Integration.
4
Select OIDC - OpenID Connect and Web Application, then click Next.
5
Configure the application:
- Name: ConductorOne Step Up Authentication
- Grant type: Authorization Code
- Sign-in redirect URIs:
https://accounts.conductor.one/auth/callback - Controlled access: Select options based on your security requirements
6
Click Save.
7
Copy the Client ID and Client Secret for use in ConductorOne.
Configure Okta authentication policies
For granular control over authentication requirements:1
Navigate to Security > Authentication Policies.
2
Create a policy specifically for ConductorOne Step Up Authentication.
3
Define rules that require stronger authentication methods (such as MFA).
4
Assign the policy to your ConductorOne Step Up application.
Add Okta as a step-up provider
1
In ConductorOne, navigate to Admin > Settings > Step Up Authentication.
2
Click Add Step Up Provider.
3
Select OAuth2 (RFC 9470 compliant).
4
Enter the following details:
- Provider name: Okta Step Up
- Issuer URL: Your Okta domain (for example,
https://your-company.okta.com) - Client ID: The Client ID from your Okta application
- Client secret: The Client Secret from your Okta application
- ACR values: Select values based on your security requirements
Okta ACR values reference
Microsoft Entra integration guide
Microsoft Entra supports two validation modes for step-up authentication:- OIDC mode (Cloud Apps)
- ACRS mode (Authentication Contexts)
This approach uses Conditional Access policies targeting the ConductorOne Cloud App. It’s recommended for most deployments.
Part 1: Configure Microsoft Entra
Step 1: Create an app registration
1
Sign in to the Azure Portal and navigate to App registrations.
2
Click New registration.
3
Configure the application:
- Name: ConductorOne Step-Up Authentication
- Supported account types: Accounts in this organizational directory only (Single tenant)
- Redirect URI: Platform: Web, URI:
https://accounts.conductor.one/auth/callback
4
Click Register.
Step 2: Enable ID tokens
1
In your app registration, go to Manage > Authentication.
2
Under Implicit grant and hybrid flows, check ID tokens (used for implicit and hybrid flows).
3
Click Save.
OIDC mode requires an ID token in the token response. If you see “ID token not found in response,” confirm the request includes the
openid scope and that your chosen flow returns ID tokens (enable implicit/hybrid only if you explicitly use those flows).Step 3: Configure API permissions
1
Go to Manage > API permissions.
2
Click Add a permission and select Microsoft Graph.
3
Choose Delegated permissions and add:
openid, profile, email.4
Click Add permissions, then click Grant admin consent for your organization.
Step 4: Create a client secret
1
Navigate to Manage > Certificates & secrets.
2
Click New client secret.
3
Provide a description (for example, “ConductorOne Step-Up”) and select an expiration period.
4
Click Add.
5
Copy the secret value immediately—you won’t be able to view it again.
Set a calendar reminder to rotate the secret before it expires.
Step 5: Create a Conditional Access policy
1
In the Azure Portal, navigate to Microsoft Entra > Security > Conditional Access.
2
Click New policy.
3
Configure the policy:
- Name: Require MFA for ConductorOne Step-Up
- Users: Include users or groups who will use step-up authentication
- Target resources: Select Cloud apps, then choose the ConductorOne app registration you created
- Grant: Select “Grant access” and check Require multi-factor authentication
4
Set Enable policy to On and click Create.
Step 6: Gather configuration values
Collect these values from Azure:- Application (client) ID: Found in your app registration overview
- Client secret: The value you copied in Step 4
- Tenant ID: Located in Microsoft Entra > Overview
Part 2: Configure ConductorOne
1
Navigate to Admin > Settings > Step Up Authentication.
2
Click Add Step Up Provider and select Microsoft Entra.
3
Enter the configuration details:
- Provider name: Microsoft Entra MFA
- Issuer URL:
https://login.microsoftonline.com/{TENANT_ID}/v2.0(replace{TENANT_ID}with your tenant ID) - Client ID: Your Application (client) ID from Azure
- Client secret: The secret value from Step 4
- Validation mode: Select Require re-authentication (OIDC)
4
Save the configuration.
Troubleshooting
Enable step-up in policies
Once your provider is configured and tested, enable step-up authentication in your approval policies:1
Navigate to Policies in ConductorOne.
2
Edit an existing policy or create a new one.
3
For any approval step, enable Requires Step Up Authentication.
4
Select your configured provider from the dropdown.
5
Save the policy.
When step-up authentication is enabled for an approval step, auto-approval is automatically disabled since there’s no user to perform the additional authentication.
End-user experience
When a task requires step-up authentication for approval:- The task displays a “Requires Step Up Authentication” indicator.
- Instead of a standard Approve button, users see Approve with Step Up.
- Clicking this button redirects the user to the configured identity provider.
- The user completes the required authentication steps (such as MFA).
- Upon successful authentication, the user is returned to ConductorOne.
- The approval is processed and an audit trail is created.
Frequently asked questions
How does step-up authentication affect automated approvals? When step-up authentication is enabled for an approval step, automated approvals are automatically disabled since there’s no user to perform the additional authentication. What happens if a user doesn’t have MFA enabled in the identity provider? The behavior depends on your ACR values and provider policies. In Okta, if the ACR value isurn:okta:loa:2fa:any:ifpossible, the system will use MFA if available but proceed without it if not. With strict MFA requirements, users without MFA can’t complete the approval.
Can different policies use different step-up providers?
Yes. Each approval step can be configured with a different step-up provider, allowing you to require different authentication strengths for different types of approvals.
How does this work with SSO?
Step-up authentication works outside of the SSO flow. Users still authenticate via SSO initially, but are prompted for additional verification when performing sensitive approvals based on the configured policy.
What happens during identity provider outages?
If the identity provider is unavailable, users can’t complete the step-up authentication flow.
Does this feature support mobile applications?
Yes. The feature works on both web browsers and mobile devices using standard OAuth 2.0 redirect flows.
Which Microsoft Entra validation mode should I use?
For most deployments, OIDC mode (Cloud Apps approach) is recommended due to its simpler setup—you don’t need to create authentication contexts. Use ACRS mode (Authentication Contexts approach) if you need multiple authentication contexts for different scenarios or require the ACRS claim in the token for compliance purposes.