Duo integrates with Okta to add two-factor authentication, complete with inline self-service enrollment and Duo Prompt.
Duo Security’s authentication platform secures access to Okta, extending two-factor protection to web applications launched from an Okta browser session.
You may need to contact Okta Support to have the Duo Multifactor option enabled for your account before you can complete setup.
This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
The new Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.
| Universal Prompt | Traditional Prompt |
 |
 |
Read the Universal Prompt Update Guide for more information about the update process and the new login experience for users.
Migration to Universal Prompt for your Okta application is a two-step process:
Okta needs to update Okta to support the Universal Prompt, but the update isn't available yet. The "Universal Prompt" section reflects this status as "Waiting on App Provider" with the activation options inaccessible. Please contact Okta to request Duo Universal Prompt support for Okta.
In the meantime, you can use Duo with Okta and the traditional prompt experience.
After Okta makes the necessary changes available you may need log in to Okta as an admin to enable Duo Universal Prompt support.
You'll later return to the settings on this page to activate the Universal Prompt for your Okta users after Okta releases the update.
Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.
Read the Universal Prompt Update Guide for more information about the update process to support the new prompt, and watch the Duo Blog for future updates about the Duo Universal Prompt.
Log into your Okta account as an administrator and click the Admin button.
Navigate to Security → Multifactor. Click on Duo Security then click the "Duo Security Settings" Edit button. If you don't see Duo Security listed, contact Okta Support to have it enabled on your account.
Fill out the form with your Duo Okta application information as follows.
| Integration Key | Your integration key (i.e. DIXXXXXXXXXXXXXXXXXX) |
| Secret Key | Your secret key |
| API Hostname | Your API hostname (i.e. api-XXXXXXXX.duosecurity.com)
|
| Duo Username Format | Select the name format used to log in to Okta. |
Click the Save button when done.
While still viewing the Duo Security factory type, click the Inactive button and select Activate to enable Duo.
Click the Security menu at the top and go to Authentication. Click the Sign-on tab.
You can either add a new rule for Duo Authentication to an existing Okta sign-on policy, or create a new policy for Duo and assign it to specific groups. In this example, we'll turn on Duo for all users in the "Default Policy".
Click on the Default Policy, and then click the Add Rule button. Enter a name for your new Duo rule and exclude any users you don't want using Duo when logging in to Okta. Check the Prompt for Factor box to enable secondary authentication and determine whether you want 2FA required "Per Device", "Every Time", or "Per Session". Choose your desired options for the other rule settings and click Create Rule when finished.
The Okta sign-on policy shows your new Duo rule.
Learn more about creating Okta policies or see additional information about configuring Duo authentication in the Okta online help center.
Please contact Okta support if you have any questions about the integration or need assistance configuring your authentication and multifactor settings. Contact Duo Support for assistance with the Duo service.
If you plan to permit use of WebAuthn authentication methods (security keys, U2F tokens, or Touch ID) in the traditional Duo Prompt, Duo recommends configuring allowed hostnames for this application and any others that show the inline Duo Prompt before onboarding your end-users.
The Duo Universal Prompt has built-in protection from unauthorized domains so this setting does not apply.
Okta prompts new, unenrolled Duo users to setup multifactor authentication at the first login to Okta after Duo is enabled. Click the Setup button for Duo Security.
A "Setup Duo Security" window displays the Duo enrollment prompt. Complete Okta's multifactor setup by stepping through Duo enrollment.
When Duo enrollment is completed, users can choose one of the Duo authentication options to access Okta.
Need some help? Reach out to Duo Support for assistance with creating the Okta application in Duo, enrolling users in Duo, Duo policy questions, or Duo authentication approval issues. For assistance configuring or managing Okta please contact Okta Support.