Skip to content

Okta Reference

This reference article describes an integration between Management Console and Okta's authentication software. The basic configuration principals should apply for most IDPs.

Okta Configuration

  1. Register for an account at Okta.com.

  2. Accept the multifactor authentication requirement.

  3. Sign in to your account.

  4. Create an application in Okta.

    1. From the top left accordion button, select the Applications menu and click Applications > Create App Integration.

    2. Select SAML2.0 sign on method then Next.

    3. Enter a name and optional logo (i.e. Management Console Vancouver) and select Next.

    4. Enter your SAML settings:

      • Single sign on URL: { MC IP Address }/login/saml2/sso/idp

        • Use this for Recipient URL and Destination URL: selected

        • Allow this app to request other SSO UIRLs: deselected

      • Audience URI: { MC IP Address }/saml2/service-provider-metadata/idp

      • Default Relay State: leave default (empty)

      • Name ID Format: leave default value Unspecified

      • Application username: leave default value Okta username

      • Response: Signed (default)

      • Update application username on: leave default value Create and update

      Okta SAML Settings

      Show Advanced Settings

      The defaults can be used unless you would like to use encrypted assertions. Encryption secures the assertion between the sender and receiver. See the caution note on Using encrypted assertions for configuration information on using Assertion Encryption. As of publication of this article, the advanced default settings are:

      • Assertion Signature: Signed (default)

      • Signature Algorithm: RSA-SHA256 (default)

      • Digest Algorithm: SHA256 (default)

      • Assertion Encryption: Unencrypted (default)

        Using encrypted assertions

        Encrypted assertions require you to upload the encryption certificate to Okta and is obtained by downloading it from the Management Console IDP Configuration tab. You cannot upload an encryption certificate that is expired, however if the expiry date is reached after it is being used, encryption assertions will continue to work as the expiry date is not monitored after implementation.

        Selecting Encrypted for the Assertion Encryption type displays additional settings which the defaults can be used. The additional settings are:

        • Encryption Algorithm set to AES256-CBC
        • Key Transport Algorithm set to RSA-OAEP

        Assertion Encrypted

      • Enable Single Logout: deselected (default)

      • Assertion Inline Hook: None(disabled) (default)

      • Authentication context class: PasswordProtectedTransport (default)

      • Honor Force Authentication: Yes (default)

      • SAML Issuer ID: http://www.Okta.com/${org.externalKey} (default)

Configuring FirstName and LastName

  1. Enter the following two attribute statements in the Attribute Statements (optional) section:

    • Name: firstName
      Name format: Unspecified
      Value: user.firstName

    • Name: lastName
      Name format: Unspecified
      Value: user.lastName

  2. Select Next.

  3. Answer Okta's support question to be able to select Finish on the next screen. Continue with next step obtaining IDP metadata file.

Obtaining IDP Metadata File

  1. From the Application settings Sign On tab, select the Identity Provided metadata link.

    IDP metatdata link

  2. Right click on the newly opened page containing the XML metadata and save the page. This file is used in the Management Console IDP configuration.

Okta Multi-factor Authentication

In this reference article, we will change the default to Duo as the application authenticator performing MFA as an example for you to follow in the event you are already using a different authenticator. By default, Okta enables multi-factor authentication (MFA) using their authenticator application.

MFA can be achieved using a variety of different methods to improve security Management Console sign in security. This article provides Okta configurations for the following MFA authentication types:

  • Email Authentication Configuration
  • SMS Authentication Configuration
  • Smart Card Authentication
  • DUO Authentication

Email Authentication Configuration

  1. From the Security tab, select Multifactor. You will be placed on the Factor Types setting tab.

  2. Select Email Authentication and click the Edit link.

  3. Select Active for Email Authentication and configure the token lifetime setting to comply with your corporate security policies.

  4. Click Save.

  5. Select the Factor Enrollment tab and select Edit.

  6. Update Assigned to groups and select Required for Email Authentication and click Update Policy.

  7. From the Applications window, select your appliance and then select the Sign On tab.

  8. Select Add Rule under Sign On Policy.

  9. Enter a rule name.

  10. Under the actions section, check Prompt for factor - Multifactor settings and select Every sign on and save. (You can configure other options to your corporate security policies)

SMS Authentication Configuration

  1. Navigate to the Security > Multifactor > SMS Authentication.

  2. Select Activate from the SMS Authentication drop down option.

  3. Select the Factor Enrollment tab.

  4. Select Edit and update Assigned to groups (use Everyone group for all users).

  5. Change SMS Authentication to Required for Eligible Factors.

  6. Add a sign on policy to Management Console.

    1. Navigate to Applications > Applications and select your Management Console application.

    2. Select the Sign On tab.

    3. Click on Add Rule button in the Sign On Policy section.

    4. Enter a Rule Name.

    5. Under the Actions section, check Prompt for factor - Multifactor settings and select Every sign on (Configure other options according to your corporate security policies).

    6. Ensure the drop down option for When all the conditions above are met, sign on to this application is: Allowed.

    7. Select Save.

    When an IDP user, attempts to sign into Management Console the user will be presented with a notice from the SSO provider (in this example Okta) that MFA is required.

    MFA Required Dialog

    The next screen will allow the IDP user to enter a cell number that will receive a code via SMS. Once the cell number is entered, another screen will allow the IDP user to verify the SMS code and if successful, they will be logged into Management Console.

Smart Card Authentication

The reference instructions for smart card authentication can be found here.

DUO Authentication

For this example we are using DUO as the MFA application to approve the Single Sign on.

  1. Sign up for a DUO account and log into your account.

  2. Navigate to Applications > Protect an Application.

  3. Locate Okta and select the Protect button.

  4. Copy your Integration key, Secret key, and API hostname to use in your Okta configuration. Destroy your copied versions after you finish your configuration.

Okta Configuration

  1. From the Okta dashboard navigate to Security > Multifactor.

  2. Select Duo Security and click on the Edit link.

  3. Enter the Integration key, Secret key, and API hostname appropriately and use the name format used to log in to Okta.

  4. Activate Duo Security from the drop down option and select Save.

  5. Navigate to Security > Authentication and select the Sign On tab.

  6. Select Default Policy, and then select the Add Rule button.
    You can either add a new rule for Duo Authentication to an existing Okta sign-on policy, or create a new policy for Duo and assign it to specific groups. In this example, we'll turn on Duo for all users in the Default Policy.

    1. Enter a descriptive rule name.

    2. Leave defaults and ensure Prompt for Factor is checked along with the Every Time option.

    3. Select Create Rule.

User Management

To assign users to the Management Console application in Okta perform the following steps.

  1. Login to Okta and navigate to Directory > People and click the Add person button, fill in the fields and click Save.

    Okta Add Person

    Okta Add Person Details

  2. Navigate to Applications, click the Assign button and click the Assign link beside the people you want to assign Management Console too.

    Okta Assign to MC

    Okta Assign MC to Users

Session Time Out

Set session timeout rules to groups in Okta.

  1. Navigate to Security > Authentication and select the Sign On tab.

  2. Click the Add New Okta Sign-on Policy button, enter a policy name and click Create Policy and Add Rule.

    Okta Add Policy

  3. Enter a rule name, set the session expiry and select Create Rule.

    Okta Add Rule

  4. Verify the configuration is active.

    Okta View Policy Signon Rule Timeout