Skip to main content

Documentation Index

Fetch the complete documentation index at: https://conductorone-ian-account-to-user-pipeline.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Early access. This feature is in early access, which means it’s undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Contact the C1 Support team if you’d like to try it out or share feedback.

What’s step-up authentication?

Step-up authentication enhances your approval workflows by requiring approvers to re-authenticate with stronger verification before they can approve sensitive requests. Instead of relying solely on a user’s initial session, C1 issues a fresh authentication challenge at the moment of approval, creating a clear security boundary and audit trail for critical actions. The flow works like this:
  1. Users authenticate normally to access C1
  2. When attempting to approve sensitive requests, users are redirected to your identity provider
  3. The identity provider verifies the user with the required authentication factors (such as MFA)
  4. Upon verification, the approval is processed with an audit trail of the enhanced authentication
C1 implements the RFC 9470 OAuth 2.0 Step Up Authentication Challenge Protocol, which means each approval requiring step-up authentication generates a new authentication challenge. In other words, authentication state isn’t cached between approvals.

When to use step-up authentication

Consider enabling step-up authentication for approval workflows involving:
  • Administrative access (system admin, database admin roles)
  • Production environment access
  • Customer data access
  • Financial systems access
  • Critical infrastructure changes
  • Privileged role assignments

Before you begin

Confirm that you have:
  • The Super Administrator role in C1
  • Administrator access to your identity provider (Okta or Microsoft Entra)
  • The ability to create OAuth applications in your identity provider
  • Microsoft Entra only: Microsoft Entra ID P1 or P2 license if using Conditional Access for MFA

Add a step-up authentication provider

Step-up authentication is currently not supported for approvals made through Slack, Teams, or the cone CLI.
C1 supports two provider types:
  • OAuth2 providers (RFC 9470 compliant): Okta and other compliant providers
  • Microsoft Entra: Uses Conditional Access policies or authentication contexts

Okta integration guide

Configure Okta to act as your step-up authentication provider by creating a dedicated app integration and setting up the appropriate authentication policies.

Create an Okta application

1
Sign in to your Okta Admin Dashboard.
2
Navigate to Applications > Applications.
3
Click Create App Integration.
4
Select OIDC - OpenID Connect and Web Application, then click Next.
5
Configure the application:
  • Name: C1 Step Up Authentication
  • Grant type: Authorization Code
  • Sign-in redirect URIs: https://accounts.conductor.one/auth/callback
  • Controlled access: Select options based on your security requirements
6
Click Save.
7
Copy the Client ID and Client Secret for use in C1.

Configure Okta authentication policies

For granular control over authentication requirements:
1
Navigate to Security > Authentication Policies.
2
Create a policy specifically for C1 Step Up Authentication.
3
Define rules that require stronger authentication methods (such as MFA).
4
Assign the policy to your C1 Step Up application.

Add Okta as a step-up provider

1
In C1, navigate to Admin > Integrations > Step up auth.
2
Click Add step-up provider.
3
Select OAuth2 (RFC 9470 compliant).
4
Enter the following details:
  • Provider name: Okta Step Up
  • Issuer URL: Your Okta domain (for example, https://your-company.okta.com)
  • Client ID: The Client ID from your Okta application
  • Client secret: The Client Secret from your Okta application
  • ACR values: Select values based on your security requirements

Okta ACR values reference

ACR valueDescriptionSecurity level
urn:okta:loa:1fa:anyAny single-factor authenticationLow
urn:okta:loa:1fa:pwdPassword authenticationLow
urn:okta:loa:2fa:anyAny multi-factor authenticationMedium
urn:okta:loa:2fa:any:ifpossibleMFA if availableMedium
phrPhishing-resistant authenticationHigh
phrhPhishing-resistant hardwareVery high
For general approvals with moderate sensitivity, use urn:okta:loa:2fa:any. For highly sensitive approvals like admin rights, use phr or phrh. For testing or gradual rollout, try urn:okta:loa:2fa:any:ifpossible.

Microsoft Entra integration guide

Microsoft Entra supports two validation modes for step-up authentication:
Validation modeHow it worksBest for
OIDC (Require re-authentication)Uses OAuth max_age to force re-authentication. Pair with a Conditional Access policy targeting the Cloud App to require MFA.Simpler setup, most deployments
ACRS (Require authentication context)Uses Microsoft’s Authentication Context Class References. Requires creating authentication contexts and targeting them with Conditional Access policies.Granular control, multiple authentication levels
This approach uses Conditional Access policies targeting the C1 Cloud App. It’s recommended for most deployments.

Part 1: Configure Microsoft Entra

Step 1: Create an app registration

1
Sign in to the Azure Portal and navigate to App registrations.
2
Click New registration.
3
Configure the application:
  • Name: C1 Step-Up Authentication
  • Supported account types: Accounts in this organizational directory only (Single tenant)
  • Redirect URI: Platform: Web, URI: https://accounts.conductor.one/auth/callback
4
Click Register.

Step 2: Enable ID tokens

1
In your app registration, go to Manage > Authentication.
2
Under Implicit grant and hybrid flows, check ID tokens (used for implicit and hybrid flows).
3
Click Save.
OIDC mode requires an ID token in the token response. If you see “ID token not found in response,” confirm the request includes the openid scope and that your chosen flow returns ID tokens (enable implicit/hybrid only if you explicitly use those flows).

Step 3: Configure API permissions

1
Go to Manage > API permissions.
2
Click Add a permission and select Microsoft Graph.
3
Choose Delegated permissions and add: openid, profile, email.
4
Click Add permissions, then click Grant admin consent for your organization.

Step 4: Create a client secret

1
Navigate to Manage > Certificates & secrets.
2
Click New client secret.
3
Provide a description (for example, “C1 Step-Up”) and select an expiration period.
4
Click Add.
5
Copy the secret value immediately. You won’t be able to view it again.
Set a calendar reminder to rotate the secret before it expires.

Step 5: Create a Conditional Access policy

1
In the Azure Portal, navigate to Microsoft Entra > Security > Conditional Access.
2
Click New policy.
3
Configure the policy:
  • Name: Require MFA for C1 Step-Up
  • Users: Include users or groups who will use step-up authentication
  • Target resources: Select Cloud apps, then choose the C1 app registration you created
  • Grant: Select “Grant access” and check Require multi-factor authentication
4
Set Enable policy to On and click Create.

Step 6: Gather configuration values

Collect these values from Azure:
  • Application (client) ID: Found in your app registration overview
  • Client secret: The value you copied in Step 4
  • Tenant ID: Located in Microsoft Entra > Overview

Part 2: Configure C1

1
Navigate to Admin > Integrations > Step up auth.
2
Click Add step-up provider and select Microsoft Entra.
3
Enter the configuration details:
  • Provider name: Microsoft Entra MFA
  • Issuer URL: https://login.microsoftonline.com/{TENANT_ID}/v2.0 (replace {TENANT_ID} with your tenant ID)
  • Client ID: Your Application (client) ID from Azure
  • Client secret: The secret value from Step 4
  • Validation mode: Select Require re-authentication (OIDC)
4
Save the configuration.

Troubleshooting

IssueSolution
”ID token not found in response”Enable ID tokens in the app’s Authentication settings (Step 2)
MFA not being enforcedVerify the Conditional Access policy is enabled and targets the correct Cloud App

Test your configuration

After configuring a provider, test it before using it in production:
1
From the Step-up authentication providers page, click the (more actions) menu next to your provider and select Test.
2
Complete the authentication flow with your identity provider.
3
Verify you’re redirected back to C1 with a success message.
Successful tests update the “Last tested” timestamp on the provider.

Enable step-up in policies

Once your provider is configured and tested, enable step-up authentication in your approval policies:
1
Navigate to Policies in C1.
2
Edit an existing policy or create a new one.
3
For any approval step, enable Requires Step Up Authentication.
4
Select your configured provider from the dropdown.
5
Save the policy.

End-user experience

When a task requires step-up authentication for approval:
  1. The task displays a “Requires Step Up Authentication” indicator.
  2. Instead of a standard Approve button, users see Approve with Step Up.
  3. Clicking this button redirects the user to the configured identity provider.
  4. The user completes the required authentication steps (such as MFA).
  5. Upon successful authentication, the user is returned to C1.
  6. The approval is processed and an audit trail is created.

Frequently asked questions about step-up authentication

When step-up authentication is enabled for an approval step, automated approvals are automatically disabled since there’s no user to perform the additional authentication.
The behavior depends on your ACR values and provider policies. In Okta, if the ACR value is urn:okta:loa:2fa:any:ifpossible, the system will use MFA if available but proceed without it if not. With strict MFA requirements, users without MFA can’t complete the approval.
Yes. Each approval step can be configured with a different step-up provider, allowing you to require different authentication strengths for different types of approvals.
Step-up authentication works outside of the SSO flow. Users still authenticate via SSO initially, but are prompted for additional verification when performing sensitive approvals based on the configured policy.
If the identity provider is unavailable, users can’t complete the step-up authentication flow.
Yes. The feature works on both web browsers and mobile devices using standard OAuth 2.0 redirect flows.
For most deployments, OIDC mode (Cloud Apps approach) is recommended due to its simpler setup — you don’t need to create authentication contexts. Use ACRS mode (Authentication Contexts approach) if you need multiple authentication contexts for different scenarios or require the ACRS claim in the token for compliance purposes.