BEST PRACTICES GUIDE MFA INTEGRATION WITH OKTA

Similar documents
BEST PRACTICES GUIDE RSA MIGRATION MODULE

VAM. Epic epcs Value-Added Module (VAM) Deployment Guide

All about SAML End-to-end Tableau and OKTA integration

VAM. ADFS 2FA Value-Added Module (VAM) Deployment Guide

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

SSO Integration Overview

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

Secure single sign-on for cloud applications

Integration Patterns for Legacy Applications

RECOMMENDED DEPLOYMENT PRACTICES. The F5 and Okta Solution for High Security SSO

SecureAuth IdP Realm Guide

VAM. Radius 2FA Value-Added Module (VAM) Deployment Guide

Introduction. SecureAuth Corporation Tel: SecureAuth Corporation. All Rights Reserved.

Add OKTA as an Identity Provider in EAA

Enabling Single Sign-On Using Microsoft Azure Active Directory in Axon Data Governance 5.2

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide

SafeNet Authentication Service

Webthority can provide single sign-on to web applications using one of the following authentication methods:

SafeNet Authentication Service

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML)

ShareFile Technical Presentation

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Better MDM

BIDMC Multi-Factor Authentication Enrollment Guide Table of Contents

ServiceNow Deployment Guide

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

REVIEWERS GUIDE NOVEMBER 2017 REVIEWER S GUIDE FOR CLOUD-BASED VMWARE WORKSPACE ONE: MOBILE SINGLE SIGN-ON. VMware Workspace ONE

IAG Second Factor Delivery Methods

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

User Directories. Overview, Pros and Cons

SafeNet Authentication Manager

Five9 Plus Adapter for Agent Desktop Toolkit

Today s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for Okta

VAM. CAS Installer (for 2FA) Value- Added Module (VAM) Deployment Guide

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

TECHNICAL GUIDE SSO SAML Azure AD

Integrating YuJa Active Learning into Google Apps via SAML

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

REVISED 6 NOVEMBER 2018 COMPONENT DESIGN: VMWARE IDENTITY MANAGER ARCHITECTURE

Upland Qvidian Proposal Automation Single Sign-on Administrator's Guide

OneLogin Integration User Guide

Udemy for Business SSO. Single Sign-On (SSO) capability for the UFB portal

Okta Integration Guide for Web Access Management with F5 BIG-IP

VMware Identity Manager Administration

Enabling Single Sign-On Using Okta in Axon Data Governance 5.4

API Security Management with Sentinet SENTINET

Integration of the platform. Technical specifications

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

SafeNet Authentication Service

Azure Multi-Factor Authentication. Technical Note

Integrating AirWatch and VMware Identity Manager

Google Auto User Provisioning

ComponentSpace SAML v2.0 Okta Integration Guide

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

API Security Management SENTINET

Contents. Multi-Factor Authentication Overview. Available MFA Factors

McAfee Cloud Identity Manager

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

DATACENTER MANAGEMENT Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz

Administering Workspace ONE in VMware Identity Manager Services with AirWatch. VMware AirWatch 9.1.1

SAML-Based SSO Configuration

Entrust PartnerLink Login Instructions

SafeNet Authentication Service

SafeNet Authentication Service

Box Connector. Version 2.0. User Guide

Configure Unsanctioned Device Access Control

Double up on security for Active Directory and cloud app authentication

Integrating YuJa Active Learning into ADFS via SAML

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

SAP Security in a Hybrid World. Kiran Kola

VAM. PeopleSoft Value-Added Module (VAM) Deployment Guide

SafeNet Authentication Service

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Citrix NetScaler Gateway 12.0

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Protecting SugarCRM with SafeNet Authentication Manager

Quick Connection Guide

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

13241 Woodland Park Road, Suite 400 Herndon, VA USA A U T H O R : E X O S T A R D ATE: M A R C H V E R S I O N : 3.

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

Configuring and Delivering Salesforce as a managed application to XenMobile Users with 3 rd Party SAML IDP (Identity Provider)

Related Labs: Introduction to Universal Access and F5 SAML IDP (Self-paced)

Workday Deployment Guide Version 4.0

White Paper. The North American Electric Reliability Corporation Standards for Critical Infrastructure Protection

About This Document 3. Overview 3. System Requirements 3. Installation & Setup 4

SafeNet Authentication Service

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Hybrid Identity de paraplu in de cloud

ManageEngine ADSelfService Plus

Single Sign-On (SSO)Technical Specification

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

Zendesk Connector. Version 2.0. User Guide

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

RSA SecurID Access SAML Configuration for Datadog

Cloud Secure Integration with ADFS. Deployment Guide

Connect Authenticate

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. CyberArk Enterprise Password Vault

Transcription:

BEST PRACTICES GUIDE MFA INTEGRATION WITH OKTA BEST PRACTICES GUIDE

TABLE OF CONTENTS Introduction... 3 Use Case 1: Okta Inbound SP SAML with Active Directory User Store... 4 Flow 1: Standard SP-Initiated Login URL...4 Flow 2: Forms Login URL... 5 Flow 1: Standard SP-Initiated Login URL...5 Required Okta Customizations...6 Use Case 2: Okta Inbound SP SAML with Okta UserStore... 7 Flow 1: Standard SP-Initiated Login URL...7 Flow 2: Forms Login URL...8 Required Okta Customizations...9 Required SecureAuth IdP Customizations...10 Use Case 3: Okta API Integration with SecureAuth... 11 Standard Okta Login URL...11 Required Okta Customizations...12 Use Case 4: Okta On-Premise Agent Multi-Factor Integration with SecureAuth... 13 Standard Okta Login URL Flow...13 Required Okta Customizations...14 Summary... 15 2

Introduction Running SecureAuth IdP multi-factor authentication (MFA) with Okta is seamless and easily implemented. Okta has the ability to act as a service provider for an external IdP and can consume users from active directory if required via Just-in-time (JIT) provisioning. Okta provides an SP init saml for its main authentication page. This means you can configure Okta to redirect to an outside IdP for initial authentication for any user. Okta has one limitation for this integration that would need to be rectified before moving forward with this integration. Currently, Okta still allows for authentication to the main Okta forms authentication page; Okta would need to block authentication for any given sub-domain and redirect users after the Submit button is pressed. Okta has APIs to access profile data and validate user information that would enable SecureAuth to utilize Oktaspecific profile and membership data when authenticating an on-premise user to the customer s environment during an SP init saml transaction for all Okta- specific users. SecureAuth has performed a similar integration with Azure enabling access to Azure-specific data for on-premise user validation of off-premise data. Alternatively, SecureAuth offers a suite of APIs that can be accessed from the Okta interface, using either local Okta membership and profile data, or on-premise Active Directory data, if needed. This second option can be used if a tighter integration with the Okta cloud application is required. Okta currently has integrations with on-premise RSA tokens and other vendors with a similar function. SecureAuth IdP can be integrated in a like manner using our adaptive, authentication, and IDM APIs. What follows are a series of use cases, indicating how each scenario would be implemented together with Okta / SecureAuth IdP customizations that must be implemented in order to make each use case functional. 3

Use Case 1: Okta Inbound SP SAML with Active Directory User Store This use case describes the preferred and best practices for integration of SecureAuth IdP Login and MFA with Okta SSO using Active Directory credentials. This use case could be utilized if a customer wanted to use all SecureAuth IdP multi-factor options, adaptive authentication features, APIs, IDM features, authentication protocols, SSO integration capabilities, and Okta SSO function, on-premise directory data such as Active Directory, Okta Group Management, and Okta APIs. For an illustration of this process, refer to Figure 1, Internal Active Directory Flow, on page 5. Two possible flows are described together with the Okta customization required to implement them. Flow 1: Standard SP-Initiated Login URL 1. User attempts to access Okta login via a typical well-know Okta sub-domain URL. 2. User is redirected to SecureAuth with a valid SAML request. 3. User performs a standard userid password and MFA at the SecureAuth login. 4. Data is pulled and validated from Active Directory. 5. User is redirected back to Okta with a valid SAML assertion and allowed access to the Okta portal with the relevant applications. A further discussion of this process is provided in https://vootsy.oktapreview.com 4

Flow 2: Forms Login URL This use case describes the preferred and best practices for integration of SecureAuth Login and MFA with Okta SSO using Active Directory credentials. This use case could be utilized if a customer wanted to use all SecureAuth multi-factor options, SecureAuth adaptive authentication features, SecureAuth APIs, SecureAuth IDM features, SecureAuth authentication protocols, SecureAuth SSO integration capabilities, Okta SSO function, on-premise directory data such as Active Directory, Okta Group Management, and Okta APIs. For an illustration of this process, refer to Figure 1, Internal Active Directory Flow, on page 5. Two possible flows are described together with the Okta customization required to implement them. Flow 1: Standard SP-Initiated Login URL 1. User attempts to access direct forms login via a well-known link. 2. User enters the userid into email address field of Okta login. 3. Okta detects that the user belongs to an SP init SAML-enabled sub-domain in a proper SAML group. 4. User is redirected to SecureAuth IdP with valid SAML request. 5. User performs a standard userid password and MFA at the SecureAuth IdP login. 6. Data is pulled and validated from the Active Directory. 7. User is redirected back to Okta with a valid SAML assertion and allowed access to an Okta portal with available applications DMZ Active Directory SecureAuth IdP Okta Figure 1. Internal Active Directory Flow A further discussion of this process is provided in https://vootsy.oktapreview.com/login/default 5

Required Okta Customizations Okta would need to customize the outbound SAML configuration to add a check box that disables login for specific groups as well as a field to indicate the groups (this field should support multiple groups). This would allow Okta to still maintain the default forms logins for administrators and other groups as well (refer to Figure 2, Okta Configuration Modification (Outbound SAML), on page 6). Figure 2. Okta Configuration Modification (Outbound SAML) Okta would also need to customize the main default login to search for users of a specific sub- domain in a specific group, and, if detected, redirect to the selected IdP as shown in Figure 3. This is standard practice for Salesforce SP, Google SP, Microsoft Azure, and SecureAuth SAML Consumer SP, and is a widely-used procedure when utilizing SP initiation to avoid allowing users to go around a selected IdP. Figure 3. Okta Login Modification 6

Use Case 2: Okta Inbound SP SAML with Okta UserStore This use case details the preferred and best practice for combining SecureAuth Login and MFA with Okta using Okta data store-specific credentials. For an illustration of this process, refer to Figure 4, External Okta Data Store Flow via API Connection, on page 8. This use case would be used if the customer wanted to use all SecureAuth multi-factor options, SecureAuth adaptive authentication features, SecureAuth APIs, SecureAuth IDM features, SecureAuth authentication protocols, SecureAuth SSO integration capabilities, Okta SSO function, Okta SSO user data, Okta group management, and Okta APIs. Flow 1: Standard SP-Initiated Login URL 1. User attempts to access Okta login via a typical well-known Okta sub-domain URL. 2. User is redirected to SecureAuth with a valid SAML request. 3. User performs a standard userid password and MFA at the SecureAuth login. 4. User data and multi-factor data is validated and retrieved via API from the specified Okta sub-domain. 5. User is redirected back to Okta with a valid SAML assertion and allowed access to the Okta portal with one or more applications. A further discussion of this process is provided in https://vootsy.oktapreview.com/login/default 7

Flow 2: Forms Login URL 1. User attempts to access direct forms login via a well-known link. 2. User enters userid into the email address field of the Okta login. 3. Okta detects that the user belongs to SP init SAML-enabled sub-domain and a proper SAML group. 4. User is redirected to SecureAuth IdP with a valid SAML request. 5. User performs standard userid password and MFA at the SecureAuth IdP login. 6. User data and multi-factor data is validated and retrieved via API from the designated Okta sub-domain. 7. User is redirected back to Okta with a valid SAML assertion and allowed access to the Okta portal with the required applications. DMZ SecureAuth IdP Okta Data Store Okta Figure 4. External Data Store Flow via APA Connection A further discussion of this process is provided in https://vootsy.oktapreview.com/login/default 8

Required Okta Customizations In the preceding use case, Okta would need to customize the outbound SAML configuration to include a check box to disable login for specific groups and also add a field to specify one or more required groups (this field should allow for multiple groups). This would enable Okta to maintain the default forms logins for administrators and other groups as well as shown in Figure 5, Okta Configuration Modification (Outbound SAML), on page 9. Figure 5. Okta Configuration Modification (Outbound SAML) Okta would also need to customize the main default login to look for users of a specific sub- domain in a specific group, and if detected, the user could be redirected to the selected IdP. This is standard practice for Salesforce SP, Google SP, Microsoft Azure, and SecureAuth SAML Consumer SP, and is a widely-used procedure when utilizing SP initiation to avoid allowing users to go around a selected IdP. Figure 6. Okta Login Modification 9

Required SecureAuth IdP Customizations SecureAuth IdP would need to create a custom Membership and Profile provider that could access Okta s user data via API. For an example of this, refer to Figure 7, SecureAuth Directory Membership and Profile Modification, on page 10. This is a standard modification and would take roughly 40 hours to complete. Figure 7. SecureAuth IdP Directory Membership and Profile Modification 10

Use Case 3: Okta API Integration with SecureAuth This use case discusses the preferred and best practice for Okta logins that use SecureAuth Adaptive, Authentication, and IDM APIs. This integration would be used if the customer wanted all configuration and authentication options in Okta but still wanted to use SecureAuth MFA, adaptive authentication, and fingerprinting features. Standard Okta Login URL This process considers a standard Okta login URL. 1. User attempts to access an Okta login via a typical well-know Okta sub-domain URL. 2. User is prompted for the Okta userid and password. 3. User is prompted for SecureAuth API-driven 2-factor authentication via the Okta interface. 4. User data and multi-factor data is validated and retrieved via API from the specified Okta sub-domain or from an on-premise Active Directory. 5. User is allowed access to Okta and its portal applications. An illustration of this process is shown in Figure 8. Okta DMZ Okta Data Store Active Directory SecureAuth IdP Figure 8. Okta authentication Utilizing SecureAuth APIs A further discussion of this process is provided in https://vootsy.oktapreview.com/login/default 11

Required Okta Customizations Due to the number of modifications required for this use case, this customization should be left up to Okta. However, several possible settings are needed, as indicated in the following code. { } Enablelogs : true, ValidationURL1 : https://localhost/secureauth21, ValidationURL2 : https://localhost/secureauth21, ManagementUIFriendlyName : SecureAuthAdapter, LogsPath : C:\SecureAuthAdapter\Logs, AppID : 566adfff8ac84fef9c5c5704e2cc41dc, AppKey : a2f5b0f61e8c77872d9f71733e6e156a703aa9be57711ca5d5b5163f5be72246, SecureAuthRealmUrl : https://172.16.19.25/secureauth10/, phoneimageurl : http://vm-oc1-cd0505.sacustom.local/adfsimages/phoneadapter.jpg, smsimageurl : http://vm-oc1-cd0505.sacustom.local/adfsimages/smsadapter.jpg, emailimageurl : http://vm-oc1-cd0505.sacustom.local/adfsimages/emailadapter.jpg, progressgifurl : http://vm-oc1-cd0505.sacustom.local/adfsimages/301.gif, emailprop : Email1, smsprop : Phone1, phoneprop : Phone1, enablephone : true, enablesms : true, enableemail : true, disablessl : true An example of one possible interface derived from this code is shown in Figure 9. Figure 9. Possible User Interface for SecureAuth API Multi-Factor 12

Use Case 4: Okta On-Premise Agent Multi-Factor Integration with SecureAuth This use case discusses an Okta login using on-premise MFA RADIUS connection to SecureAuth IdP for soft token validation. Customers would use this feature if it were required to validate SecureAuth IdP hard tokens with RADIUS. Standard Okta Login URL Flow The following steps describe the flow that would be required for a standard Okta Login using a RADIUS server. See an illustration of this flow in Figure 10. 1. User attempts to access Okta login via a typical well-known Okta sub-domain URL. 2. User is prompted for Okta userid and password. 3. User is prompted to enter SecureAuth IdP soft token as a second factor. 4. The soft token is validated via SecureAuth IdP RADIUS server. 5. User is allowed access to Okta and portal applications. Okta DMZ Okta Data Store Active Directory SecureAuth Id Radius Figure 10. Okta On-Premise MFA Agent RADIUS A further discussion of this process is provided in https://vootsy.oktapreview.com/login/default 13

Required Okta Customizations Okta s On-Premise MFA Agent should support standard RADIUS User + Passcode as shown in Figure 11. Figure 11. Sample Okta Setup On-Prem MFA Verification Screen 14

Summary Using the strategies detailed in this guide, customers who already employ Okta can integrate SecureAuth IdP into their existing security environment, providing an even richer set of tools for creating secure, state-of-the-art MFA flows. 15

2018 SecureAuth Corporation. All Rights Reserved. www.secureauth.com SecureAuth IdP is a trademark of SecureAuth Corporation in the United States and/or other countries. 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback