Integrating with OKTA

(Versions 7+)

Pleasant Password Server can integrate with OKTA, which provides various methods of Two Factor Authentication (2FA).

Supported Authentication Types:

  • OKTA Verify (a token that runs on most smartphone platforms)
  • OKTA Verify Push (a push sent from OKTA that interacts with the OKTA Verify token running on most smartphone platforms)
  • OKTA SMS (a text that is sent to a phone; a smartphone is not required in this scenario)
  • OKTA Security questions (configured in the portal; designed to address lost/discharged phones)

  • Warning: Be careful when setting Two Factor Required, as it could prevent users from logging in unless:
    • their accounts can be self-enrolled, or
    • they have been individually configured to use at least one 2FA provider (e.g. Authenticator Apps).
  • If users have already been locked out, please Contact us!

RADIUS

OKTA doesn’t support RADIUS natively.

  • However, an OKTA RADIUS agent can be installed on a Windows Server 2008 machine (potentially newer server versions as well).
  • A VPN configuration can forward the RADIUS server requests as SSL requests to OKTA cloud-based authentication servers.

Example Setup

Below is an example of how OKTA interacts with a Cisco ASA VPN for AnyConnect RADIUS authentication.

OKTA RADIUS server agent Authentication Flow

The configuration for OKTA is broken into sections: Group Setup and User Setup.

Group Setup

  • Sign into OKTA as an Admin.
  • Click the Admin button in the upper right.

OKTA Admin Login

  • Click Security -> Multi-factor from the top menu. 

  • Pick the types of MFA you want OKTA to support. 

Factor Types

  • Next, choose Multi-factor Policies. Adding OKTA Verify to this list makes it an available option later in the configuration.

Multifactor Policies

  • Next click Security -> Policies.

    • These policies are processed sequentially, and evaluation stops at the first match. That is why the RADIUS rules were moved to the top: the protocol is new and would not impact any logic in the legacy or default policies below.
  • Two new policies were added. The first policy defines which groups a user needs to be a member of, IN ADDITION TO having a valid OKTA Verify token.

Sign On Policies 

  • The rule logic is shown below. It says that if you are using RADIUS authentication AND are a member of a group listed in the “Assigned Groups”, you must pass one of the four forms of MFA on every connection attempt, regardless of location.
  • NOTE: Failure to add a newly created group to the above policy may prevent successful logon.

Rule

  • The second policy blocks ALL other RADIUS authentication not explicitly permitted above.

Edit Rule

  • Next click Security -> Multi-factor -> Multi-factor Policies.

    • Edit the policy, add the new VPN-* group, then click UPDATE POLICY. This policy disables security questions as a viable option for these groups.

Add Multifactor Policy
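The sign-on policy ordering described above (first match wins, RADIUS rules on top, a catch-all RADIUS deny underneath) and the multi-factor policy that removes security questions for VPN-* groups can be modelled in a few lines. The following is an added example written for this page; it is not Okta's evaluation engine and not the vendor's code. The group names VPN-Staff, VPN-Contractors and VPN-Partners are constructed placeholders (the page only says "VPN-*"), and the MISORDERED list exists only to show what happens when the RADIUS rules are left below the default policy.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Factor types enabled under Security -> Multi-factor, named as on this page.
ENABLED_FACTORS = frozenset({
    "OKTA Verify", "OKTA Verify Push", "OKTA SMS", "Security questions",
})


@dataclass(frozen=True)
class Request:
    """A constructed sign-on attempt: who, which groups, over which protocol."""
    user: str
    groups: FrozenSet[str]
    protocol: str  # "RADIUS" for the VPN path; anything else for legacy/web


@dataclass(frozen=True)
class Rule:
    """One sign-on policy rule. A condition of None means 'matches any'."""
    name: str
    protocol: Optional[str]
    groups: Optional[FrozenSet[str]]   # user must be in at least one of these
    action: str                        # "require_mfa", "allow" or "deny"

    def matches(self, req: Request) -> bool:
        if self.protocol is not None and self.protocol != req.protocol:
            return False
        if self.groups is not None and not (self.groups & req.groups):
            return False
        return True


# Hypothetical group names; the page only refers to "VPN-*".
VPN_GROUPS = frozenset({"VPN-Staff", "VPN-Contractors"})

# Ordered as the page describes: RADIUS rules first, legacy/default policy last.
POLICIES: List[Rule] = [
    Rule("radius-vpn-groups", "RADIUS", VPN_GROUPS, "require_mfa"),
    Rule("radius-block-others", "RADIUS", None, "deny"),
    Rule("legacy-default", None, None, "allow"),
]

# The same rules with the RADIUS rules left below the default policy.
MISORDERED: List[Rule] = [POLICIES[2], POLICIES[0], POLICIES[1]]


def evaluate(req: Request, policies: List[Rule] = POLICIES) -> Tuple[str, str]:
    """Sequential, first-match evaluation; returns (matched rule name, action).

    No match at all is treated as deny, so an empty or exhausted policy
    list can never silently allow a login.
    """
    for rule in policies:
        if rule.matches(req):
            return rule.name, rule.action
    return "implicit-deny", "deny"


def allowed_factors(req: Request) -> FrozenSet[str]:
    """Multi-factor policy from the page: security questions are not a
    viable option for members of any VPN-* group."""
    if any(g.startswith("VPN-") for g in req.groups):
        return ENABLED_FACTORS - {"Security questions"}
    return ENABLED_FACTORS


if __name__ == "__main__":
    staff = Request("alice", frozenset({"VPN-Staff"}), "RADIUS")
    # A group created later and never added to the first rule: it falls
    # through to the catch-all RADIUS deny, which is the NOTE on this page.
    new_group = Request("bob", frozenset({"VPN-Partners"}), "RADIUS")
    web = Request("carol", frozenset({"VPN-Staff"}), "WEB")
    for req in (staff, new_group, web):
        print(req.user, evaluate(req), sorted(allowed_factors(req)))
    # With the default policy on top, RADIUS logins would be allowed with no MFA.
    print("misordered:", evaluate(staff, MISORDERED))
```

The MISORDERED case is the reason the page moves the RADIUS rules to the top: a permissive default policy that matches every protocol would be the first match for RADIUS requests and the MFA requirement would never be reached.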

  • Add Custom RADIUS Application next

Add Application

Add Application 2

Add RADIUS Application

Sign On RADIUS

Sign On RADIUS Configuration

  • Accept the rest of the defaults

  • This will not work right away, however. The reason is that even though you’ve selected SamAccountName, OKTA uses the DN (i.e. user.name@internaldomain.com). To fix this you need to modify the profile editor and mapping.

Profile Editor Account Select

  • You MUST select the green arrow (it will impact new AND existing user profiles). Also click Save Mappings, then the APPLY button.

Profile Editor Finish

RADIUS Profile Mapping

  • That should be all that is required to support AnyConnect RADIUS to OKTA, and now you can add additional custom RADIUS applications too!