Create custom authentication with the Access Orchestrator

This topic describes how to create custom authentication with a visual editor called Access Orchestrator enabling you to replicate authentication rules from policy to policy or web app to web app.

You can increase compliance with your organization's Multi-factor Authentication (MFA) policies. Different combinations of authentication challenges produce different Authenticator Assurance level (AAL) scores. Higher scores indicate a more secure combination of challenges. The Access Orchestrator enables you to enforce combinations of challenges. This increases your ability to create complex access flows and MFA profiles with AAL scores that align with best practices recommended in NIST SP 800-63b guidelines.

Our AAL related features do not guarantee compliance with NIST guidelines. Refer to for additional detail about NIST guidelines.

Before you begin

Review Design report queries based on Authenticator Assurance Level (AAL) to learn more about AAL scoring for different combinations of authentication challenges. You can use this information to plan which authentication challenges you want to use when you create access requests.

Some authentication mechanisms require additional configurations before users can authenticate using those mechanisms. Make sure your users complete the configuration requirements for any mechanism you plan to use. Refer to Manage adaptive MFA for more detail.

Create custom access orchestration

The following topics describe how to create and apply an access orchestration with the Access Orchestrator.

You can create different types of access orchestration that are appropriate for the resources you are trying to secure.

For example, you can create access orchestration where if the first challenge is a memorized secret such as a password, then the second challenge must be either a single-factor cryptographic device, an out-of-band device, or a single-factor OTP device. This results in an AAL score of AAL2. Other options for creation include a custom rule-based access request based on the day of the week, secured zones and more.

You can choose from the following options to create custom access orchestration:

Access orchestration type


Web App

The Web App option enables you to create a rule-based access orchestration to launch Web Apps with the use of logic and authentication profiles.

User Portal

The User Portal option enables you to create a rule-based access orchestration to apply to the login process with the use of logic and authentication profiles.


The Authentication option enables you to create an authentication profile to achieve a desired compliance level with the use of challenges and logic.

In this section: