Enforcing MFA for Your SSO with PayPal

MFA - Multi-Factor Authentication for Your SSO with PayPal

What is MFA, and why is it Important?

Multi-Factor Authentication (MFA) is a security requirement for connecting to PayPal through SSO. It ensures that users confirm their identity using at least two independent types of proof:

  • Something you know (Knowledge): for example, password, PIN, security question
  • Something you have (Possession): for example, an authenticator app, YubiKey, a mobile phone
  • Something you are (Inherence): for example, fingerprint, facial recognition, voice ID

If your SAML response does not contain two valid MFA factors, PayPal Braintree reserves the right to reject the login to comply with regulatory and industry security standards. The SAML assertion must include an amr field ("authentication method reference") with values of mfa and pwd.

Steps by Identity Provider

Okta

1. Enforce MFA for the App

  1. In the Okta Admin Console, go to: Security → Authentication Policies
  2. Assign or create an authentication policy that requires MFA for your SAML application.
  3. Attach the policy to your custom or OIN SAML app integration.

2. Add the Dynamic amr Attribute Statement

  1. In your SAML app integration, go to the General tab.
  2. Scroll to SAML Settings and select Edit.
  3. Select Next until you reach the Attribute Statements (Optional) section.
  4. Add a new attribute statement:
    • Name: amr
    • Name format: Unspecified
    • Value: session.amr
  5. Save your changes.

OneLogin

1. Enforce MFA for the Braintree SSO App

  1. Go to Security → Policies.
  2. Create or modify your policy for users of the Braintree SSO app.
  3. Under Authentication Factors, select the required MFA methods (for example, OTP or push).
  4. Assign this policy to all users/groups who will access Braintree.

2. Add the amr Attribute

  1. Open the Parameters tab in your Braintree SSO app’s setup in OneLogin.
  2. Select Add Parameter.
  3. Name: amr
  4. Value: mfa
  5. Ensure Include in SAML assertion is selected.

With MFA enforced for all users, the SAML response will always include amr: mfa when access is attempted.

Microsoft Entra

  • Microsoft passes MFA attributes by default.
  • Ensure you’ve set up a conditional access policy on the Braintree SAML app in Entra that only allows access to MFA-enabled users.

Example Attribute:

<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
    <AttributeValue>
        http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
    </AttributeValue>
    <AttributeValue>
        http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/phone
    </AttributeValue>
    <AttributeValue>
        http://schemas.microsoft.com/claims/multipleauthn
    </AttributeValue>
</Attribute>

Other Identity Providers

  • If you use an Identity Provider not listed above, check with your Identity Provider to add the amr attribute in the SAML response.
  • Braintree will not allow users to log in unless the SAML response contains the amr attribute with both mfa and pwd values.

Accepted pattern by Braintree:

<Attribute Name="amr">
    <AttributeValue>pwd</AttributeValue>
    <AttributeValue>mfa</AttributeValue>
</Attribute>
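As an added illustration (not Braintree's or any Identity Provider's code) of the acceptance rule stated above, the following check parses a SAML assertion and returns true only when it carries both pwd and mfa in the amr attribute, or the equivalent Microsoft Entra claim (password plus multipleauthn URIs) from the Entra example. The helper names and the sample assertions are constructed for this example.

```python
# Added example: validate that a SAML assertion carries the MFA evidence this
# page requires. Accepts the plain "amr" attribute with both "pwd" and "mfa",
# or Microsoft Entra's authnmethodsreferences claim with the password and
# multipleauthn URIs. Whitespace around values (as in the Entra sample) is
# tolerated. Sample assertions at the bottom are constructed for the example.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ENTRA_AMR = "http://schemas.microsoft.com/claims/authnmethodsreferences"
ENTRA_PWD = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"
ENTRA_PHONE = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/phone"
ENTRA_MFA = "http://schemas.microsoft.com/claims/multipleauthn"


def attribute_values(assertion_xml: str, name: str) -> set:
    """Return the set of AttributeValue texts for the named SAML attribute."""
    root = ET.fromstring(assertion_xml)
    values = set()
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == name:
            for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                values.add((value.text or "").strip())
    return values


def has_required_mfa(assertion_xml: str) -> bool:
    """True only if the assertion proves a password plus a second factor."""
    if {"pwd", "mfa"} <= attribute_values(assertion_xml, "amr"):
        return True
    entra = attribute_values(assertion_xml, ENTRA_AMR)
    return {ENTRA_PWD, ENTRA_MFA} <= entra


def _assertion(attr_name: str, values: list) -> str:
    """Build a minimal constructed assertion with one attribute (test data only)."""
    vals = "".join(f"<saml:AttributeValue>\n {v}\n</saml:AttributeValue>" for v in values)
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AttributeStatement>'
            f'<saml:Attribute Name="{attr_name}">{vals}</saml:Attribute>'
            "</saml:AttributeStatement></saml:Assertion>")


# Constructed sample assertions
GOOD_AMR = _assertion("amr", ["pwd", "mfa"])                     # accepted
PWD_ONLY = _assertion("amr", ["pwd"])                            # rejected: no second factor
MFA_ONLY = _assertion("amr", ["mfa"])                            # rejected: no pwd value
GOOD_ENTRA = _assertion(ENTRA_AMR, [ENTRA_PWD, ENTRA_PHONE, ENTRA_MFA])  # accepted
ENTRA_PWD_ONLY = _assertion(ENTRA_AMR, [ENTRA_PWD])              # rejected

if __name__ == "__main__":
    for label, doc in [("amr pwd+mfa", GOOD_AMR), ("amr pwd only", PWD_ONLY),
                       ("entra pwd+mfa", GOOD_ENTRA), ("entra pwd only", ENTRA_PWD_ONLY)]:
        print(f"{label}: {'accept' if has_required_mfa(doc) else 'reject'}")
```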