Skip navigation
Documentation

Okta

Last Updated: September 26th, 2019

Contents

Duo integrates with Okta to add two-factor authentication, complete with inline self-service enrollment and Duo Prompt.

Duo and Okta

Duo Security’s authentication platform secures access to Okta, extending two-factor protection to web applications launched from an Okta browser session.

You may need to contact Okta Support to have the Duo Multifactor option enabled for your account before you can complete setup.

Connectivity Requirements

This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.

First Steps

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate Okta in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Configure Okta Authentication

  1. Log into your Okta account as an administrator and click the Admin button.
  2. Navigate to SecurityMultifactor. Click on Duo Security then click the "Duo Security Settings" Edit button. If you don't see Duo Security listed, contact Okta Support to have it enabled on your account.

    Okta Authentication Settings

  3. Fill out the form with your Duo Okta application information as follows.

    Integration Key Your integration key (i.e. DIXXXXXXXXXXXXXXXXXX)
    Secret Key Your secret key
    API Hostname Your API hostname (i.e. api-XXXXXXXX.duosecurity.com)
    Duo Username Format Select the name format used to log in to Okta.

    Click the Save button when done.

    Enter Okta Duo Application Information

  4. While still viewing the Duo Security factory type, click the Inactive button and select Activate to enable Duo.

  5. Click the Security menu at the top and go to Authentication. Click the Sign-on tab.

  6. You can either add a new rule for Duo Authentication to an existing Okta sign-on policy, or create a new policy for Duo and assign it to specific groups. In this example, we'll turn on Duo for all users in the "Default Policy".

    Click on the Default Policy, and then click the Add Rule button. Enter a name for your new Duo rule and exclude any users you don't want using Duo when logging in to Okta. Check the Prompt for Factor box to enable secondary authentication and determine whether you want 2FA required "Per Device", "Every Time", or "Per Session". Choose your desired options for the other rule settings and click Create Rule when finished.

    Okta Authentication Factors

  7. The Okta sign-on policy shows your new Duo rule.

    Okta Sign-on Policy

Learn more about creating Okta policies or see additional information about configuring Duo authentication in the Okta online help center.

Please contact Okta support if you have any questions about the integration or need assistance configuring your authentication and multifactor settings. Contact Duo Support for assistance with the Duo service.

Enable Okta New Sign-in Page

If you are still using the Okta legacy sign-in page (pre-2016) we recommend enabling Okta's "New Sign-In Page" if you haven't already so your users can take advantage of the interactive Duo Prompt. To turn this feature on:

  1. Navigate to SettingsAppearance as an Okta administrator.

  2. Click the Edit button next to "Sign-in Configuration".

  3. Change the New Sign-In Page option to Enable. Optionally upload a background image, and then click *Save**.

    Okta Sign-in Page Configuration

Test Your Setup

Okta prompts new, unenrolled Duo users to setup multifactor authentication at the first login to Okta after Duo is enabled. Click the Setup button for Duo Security.

Okta User Duo Setup

A "Setup Duo Security" window displays the Duo enrollment prompt. Complete Okta's multifactor setup by stepping through Duo enrollment.

Okta Duo Setup Wizard

When Duo enrollment is completed, users can choose one of the Duo authentication options to access Okta.

Okta Duo Authentication

If you didn't enable Okta's new sign-in page then users see a different Duo multifactor prompt. This prompt doesn't allow for inline enrollment or device management. Okta Duo Authentication

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.