Reference Material | Okta Verify

Configuring Okta Verify with Specops Authentication for uReset lets uReset users verify their identity with Okta Verify. These instructions assume that you already have an Okta account with Super Administrator privileges.

The configuration must be performed from the same computer/server from which Active Directory is administered.

Note: Okta assigns each customer account a unique subdomain under the Okta domain. In this document that subdomain, different for every customer, is written as [okta_domain]: instead of, for example, https://specops.okta.com, the URL is written https://[okta_domain].okta.com. For administrators, the admin console URL has the form https://[okta_domain]-admin.okta.com.

Activating Okta Verify
  1. Log in to Okta as an administrator.
  2. Go to Security > Multifactor and access the Factor Types tab.
  3. Set Okta Verify to Active using the drop-down.
  4. Optionally you can enable Push Notifications.
Retrieving the Okta API token

In order for Specops Authentication to verify users through Okta Verify, it has to call the Okta REST API using an API token. The token carries the same permissions as the user that created it, and it follows that user's current role rather than the role held at creation time. It also stays tied to that user's account: Okta revokes the token if the account is deactivated, and revokes tokens that have not been used for 30 days, so the Token Account must remain active for as long as Specops Authentication uses the token.

Creating an API Token Account

Since the API token will have the same permissions as the account that created it, it is recommended to create a separate account (referred to here as the Token Account) to create the token. This account must first be given Group Administrator privileges, because creating API tokens requires at least that role. After the token has been created, the Token Account's privileges are lowered to Help Desk Administrator, which the token then inherits, giving it the minimum permission level required for Specops Authentication.

  1. Go to Directory > People and click the Add Person button.
  2. Fill out the information in the pop-up window. Note that it is recommended to set Password to Set by admin and provide a (temporary) password.
  3. Save the new user, then set the new account’s permission level by going to Security > Administrators.
  4. Click the Add Administrator button.
  5. In the Grant administrator role to field, start typing the first name of the account you just created, then click it when it comes up as a suggestion below the field.
  6. In the Administrator roles section, check the Group Administrator option, leave the Group Admin Permissions to the default Can administer all users.
    Note: the Token Account needs at least Group Administrator privileges in order to be able to create API tokens.
  7. Click the Add Administrator button.
  8. Log out of Okta, then log in on the same subdomain (https://[okta_domain]-admin.okta.com) using the new account credentials you just created before proceeding to the next part.
Creating the API token
  1. Make sure you are logged in as the Token Account (the service account administrator created above), not as the Super Administrator, so that the token does not inherit Super Administrator permissions.
  2. Go to Security > API, then go to the Tokens tab.
  3. Click on the Create Token button, and enter an appropriate name for the token.
  4. Click the Create Token button at the bottom.
  5. The window will show that the token has been created successfully, and will display the Token Value. Copy the Token Value and save it to a secure location.

    Warning: once this window has been dismissed, there is no way to view the token value again. If the Token Value was not saved, a new token must be created, since the value has to be entered into Specops Authentication Web.

  6. Click the OK, got it button to exit the window.
Restricting the Token Account’s permissions

Now that the token has been created, you can restrict the Token Account's privileges to the minimum level of permissions required for Specops Authentication. Because the token inherits the account's current role, the token you already created is restricted at the same time; there is no need to create a new one.

  1. Log out of Okta if you are still logged in as the Token Account.
  2. Log in as the Super Administrator.
  3. Go to Security > Administrators.
  4. In the Actions column for the Token Account, click Edit.
  5. Set the Administrator role to Help Desk Administrator, and leave the default settings for Group Admin Permissions and Help Desk Admin Permissions.
  6. Click the Update Administrator button.
Configuring Directory Integration in Okta

In order to link your Active Directory to Okta, a Directory integration has to be set up, using an Active Directory Agent.

  1. Go to Directory > Directory Integrations.
  2. Click on the Add Directory drop-down and choose Add Active Directory.
  3. Read the information on the next page, then click Set Up Active Directory.
  4. Click the Download Agent button to download the installer for the Active Directory Agent.
  5. Install the Active Directory Agent on a domain-joined server by running the installer. During installation, you will be asked to provide some information in several steps:
    1. Installation folder: choose any appropriate folder on your system.
    2. Select AD Domain: select the AD domain linked to Specops Authentication.
    3. Okta AD Agent Windows Service Account: choose Create or use the OktaService account. This creates a new service account for the agent with the username OktaService@[your_domain]. Give it a strong password.
    4. Okta AD Agent Proxy Configuration: provide proxy server details if your set-up requires them.
    5. Register Okta AD Agent: choose Production, and fill out your subdomain (i.e. your [okta_domain]).
    6. After the registration step, the installer will open a browser window where you have to log in as an administrator. Once logged in, a pop-up window will appear in the browser. Click Allow Access.
  6. Once access is allowed, a pop-up will inform you that the Active Directory agent has started. Click Next.
  7. On the next page you will be allowed to select the appropriate Organizational Units. Choose the correct ones for your set-up.
  8. At the bottom of that same page, set Okta username format to User Principal Name (UPN). If any other value (Email or SAM Account Name) is selected here, the UPN will have to be mapped to a separate Okta user profile attribute; for more information, refer to the section Mapping UPN to Okta user profile attributes. Click Next.
  9. On the final page you can configure which attributes will be mapped from AD to Okta. Unless you have some specific requirements for certain attributes, keep the default settings.
Mapping UPN to Okta user profile attributes

In case administrators have set the Okta username format for regular users to anything other than User Principal Name (UPN), the UPN needs to be mapped to a profile attribute. You can either map an existing attribute to the UPN, or create a new one. The steps below describe the process for creating a new attribute.

  1. Go to Directory > Profile Editor, and click on the Profile button next to the Okta (user) profile. You will be presented with a list of all the attributes present in Okta.
  2. Click the Add Attribute button.
  3. Fill out the form in the pop-up window, making sure to note the Display Name you enter.
  4. Click Save to save the new attribute.
  5. Go to Directory > Directory Integrations and click your Active Directory (the one linked to Okta).
  6. Go to the Settings tab, and at the bottom of the page click the Edit Mappings button.
  7. In the left column for the attribute you just created (usually at the bottom of the list), select userName from the drop-down.
  8. Click the Save Mappings button at the bottom.
  9. Click Apply updates now to apply these mappings to all users with this profile. Until the update has been applied, existing users have no value in the new attribute and cannot be looked up by UPN.
Configuring Okta in Specops Authentication
  1. Log in to Specops Authentication Web.
  2. Go to Identity Services in the left navigation, then select Okta Verify.
  3. In the Okta domain field, enter your organization’s [okta_domain].okta.com domain.
  4. In the API key field, enter the Token Value you saved when creating the API token.
  5. If you have mapped UPN to a different attribute in Okta (see section Mapping UPN to Okta user profile attributes), fill in the attribute you have mapped in Okta. Otherwise you can leave the default UPN value.
  6. Set Auto-enroll users in Specops Authentication to Yes if you want your users to be auto-enrolled for Okta Verify. Note that users must have set up their Okta Verify to be able to use this identity service.

    Warning: setting Auto-enroll to Yes for users who have not yet set up Okta Verify may leave those users unable to verify their identity through this identity service.

  7. Test the connection by clicking the Test connection button, and save the configuration if the test is successful.
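The Test connection button only proves that the token is accepted. Two things worth checking separately before going live are that the token really has been scoped down to Help Desk Administrator (the point of the Token Account procedure above) and that a user can be found by UPN through whatever attribute you entered in step 5 (the point of the mapping section). The script below is an added example, not code from Specops or Okta; it uses the Okta v1 REST API with the SSWS token header, reads the hypothetical environment variables OKTA_DOMAIN and OKTA_API_TOKEN, and assumes the token owner is allowed to list its own role assignments (if Okta answers 403 there, confirm the role under Security > Administrators instead). The sample roles and users embedded in it are constructed, so the pure functions can be exercised offline.

```python
"""Post-setup checks for the Specops Authentication / Okta Verify integration.

Added example (not from Specops or Okta documentation). Assumes the Okta v1
REST API with SSWS token auth and the hypothetical environment variables
OKTA_DOMAIN (e.g. [okta_domain].okta.com) and OKTA_API_TOKEN.
"""
import json
import os
import sys
import urllib.request
from urllib.parse import quote

# Role types as returned by GET /api/v1/users/{id}/roles. HELP_DESK_ADMIN is
# Help Desk Administrator, USER_ADMIN is Group Administrator. Specops needs
# only the former, so anything else on the Token Account is excess privilege.
ALLOWED_ROLE_TYPES = {"HELP_DESK_ADMIN"}


def okta_get(okta_domain, token, path):
    """GET a JSON resource from the Okta API using the SSWS token scheme."""
    req = urllib.request.Request(
        f"https://{okta_domain}{path}",
        headers={"Authorization": f"SSWS {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def excess_roles(roles):
    """Role types held beyond Help Desk Administrator (empty list = scoped down)."""
    return sorted({r["type"] for r in roles} - ALLOWED_ROLE_TYPES)


def upn_search_filter(attribute, upn):
    """Build the `search` expression that finds a user by the attribute holding
    the UPN ("login" when the Okta username format is UPN, otherwise the custom
    attribute created in the Profile Editor). Double quotes and backslashes in
    the value are escaped so a crafted value cannot alter the filter."""
    escaped = upn.replace("\\", "\\\\").replace('"', '\\"')
    return f'profile.{attribute} eq "{escaped}"'


def resolve_user(users, attribute, upn):
    """Return the one ACTIVE user whose mapped attribute equals the UPN
    (case-insensitive, as in AD). Returns None on zero or multiple matches so
    the caller fails closed instead of verifying the wrong person; None for a
    known user is the symptom of a missing or not-yet-applied attribute mapping."""
    wanted = upn.lower()
    matches = [
        u for u in users
        if u.get("status") == "ACTIVE"
        and (u.get("profile", {}).get(attribute) or "").lower() == wanted
    ]
    return matches[0] if len(matches) == 1 else None


# Constructed sample data (not captured from a real tenant).
SAMPLE_ROLES = [  # the Token Account before its role is lowered
    {"id": "ra1", "type": "USER_ADMIN", "status": "ACTIVE"},
    {"id": "ra2", "type": "HELP_DESK_ADMIN", "status": "ACTIVE"},
]
SAMPLE_USERS = [  # username format is Email, UPN mapped to profile.upn
    {"id": "u1", "status": "ACTIVE",
     "profile": {"login": "alice@corp.example", "upn": "alice@corp.local"}},
    {"id": "u2", "status": "DEPROVISIONED",
     "profile": {"login": "bob@corp.example", "upn": "bob@corp.local"}},
    {"id": "u3", "status": "ACTIVE",
     "profile": {"login": "carol@corp.example"}},  # mapping never applied
]


def main():
    domain, token = os.environ["OKTA_DOMAIN"], os.environ["OKTA_API_TOKEN"]
    attribute = sys.argv[1] if len(sys.argv) > 1 else "login"
    upn = sys.argv[2] if len(sys.argv) > 2 else None

    me = okta_get(domain, token, "/api/v1/users/me")  # owner of the token
    # Assumption: the token owner may list its own roles; a 403 here means you
    # must confirm the role under Security > Administrators instead.
    extra = excess_roles(okta_get(domain, token, f"/api/v1/users/{me['id']}/roles"))
    print("token owner:", me["profile"]["login"],
          "OK (Help Desk Administrator only)" if not extra else f"EXCESS ROLES: {extra}")

    if upn:
        path = "/api/v1/users?search=" + quote(upn_search_filter(attribute, upn))
        user = resolve_user(okta_get(domain, token, path), attribute, upn)
        print("lookup of", upn, "via profile." + attribute + ":",
              "found " + user["id"] if user else "NOT FOUND (check the attribute mapping)")


if __name__ == "__main__":
    main()
```

Run it as `python check_okta.py upn someone@corp.local` when the UPN is mapped to a custom attribute named upn, or with `login` when the Okta username format is already UPN. A non-empty EXCESS ROLES line means the Restricting the Token Account's permissions steps were not applied (or the token was created while logged in as the Super Administrator); a NOT FOUND for a user you know exists means the mapping has not been applied to existing users yet.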