Configuring Okta with Specops Authentication for Secure Service Desk will extend Okta’s authentication system to uReset users. These instructions assume that you already have an Okta account with Super Administrator privileges.

The configuration must be performed from the same computer/server as the Active Directory is administered from.

customer accounts in Okta are assigned a unique subdomain in the Okta domain. In this document the subdomain, different for every customer, will be referenced as [okta_domain]. So, instead of, for example, https://specops.okta.com, it will be referred to as https://[okta_domain].okta.com. Note that for administrators, the URL will look like this: https://[okta_domain]-admin.okta.com.

Activating Okta

  1. Log in to Okta as an administrator.
  2. Go to Security > Multifactor and access the Factor Types tab.
  3. Set Okta to Active using the drop-down.
  4. Optionally you can enable Push Notifications.

Retrieving the Okta API token

In order for Specops Authentication to verify users through Okta, it has to access Okta through their REST API, using a customer token. This token will have the same permissions as the user that created it.

Creating an API Token Account

Since the API token will have the same permissions as the account that created it, it is recommended to create a separate account (which we will here call the Token Account) to create the token. This account will have to be given Group Administrator privileges first, in order to be able to create the token. After the token has been created, the Token Account’s privileges will be lowered to Help Desk Administrator to give the token the minimum permission levels required for Specops Authentication.

  1. Go to Directory > People and click the Add Person
  2. Fill out the information in the pop-up window. Note that it is recommended to set the Password to Set by admin, and provide a (temporary) password.
  3. Save the new user, then set the new account’s permission level by going to Security > Administrators.
  4. Click the Add Administrator
  5. In the Grant administrator role to field, start typing the first name of the account you just created, then click it when it comes up as a suggestion below the field.
  6. In the Administrator roles section, check the Group Administrator option, leave the Group Admin Permissions to the default Can administer all users.
    the Token Account needs at least Group Administrator privileges in order to be able to create API tokens.
  7. Click on the Add Administrator
  8. Log out of Okta, then log in on the same subdomain (https://[okta_domain]-admin.okta.com) using the new account credentials you just created before proceeding to the next part.

Creating the API token

  1. Make sure you are logged in as the service account administrator
  2. Go to Security > API, then go to the Tokens tab.
  3. Click on the Create Token button, and enter an appropriate name for the token.
  4. Click the Create Token button at the bottom.
  5. The window will show that the token has been created successfully, and will display the Token Value. Copy the Token Value and save it to a secure location.
    once this window has been dismissed, there is no way to access the actual token value again. If the Token Value was not saved, a new token needs to be created since that value needs to be copied into the Specops Authentication Web .
  6. Click the OK, got it button to exit the window.

Restricting the Token Account’s permissions

Now that the token has been created, you can restrict the Token Account’s privileges to assign it the minimum level of permissions required for Specops Authentication .

  1. Log out of Okta if you are still logged in as the Token Account.
  2. Log in as the Super Administrator.
  3. Go to Security > Administrators.
  4. In the Actions column for the Token Account, click on the Edit
  5. Set the Administrator role to Help Desk Administrator, leave the default settings for Group Admin Permissions and Help Desk Admin Permissions.
  6. Click the Update Administrator

Configuring Directory Integration in Okta

In order to link your Active Directory to Okta, a Directory integration has to be set up, using an Active Directory Agent.

  1. Go to Directory > Directory Integrations.
  2. Click on the Add Directory drop-down and choose Add Active Directory.
  3. Read the information on the next page, then click Set Up Active Directory.
  4. Click the Download Agent button to download the installer for the Active Directory Agent.
  5. Install the Active Directory Agent on your domain by running the installer. During installation, you will be asked to provide some information in several steps:
    1. Installation folder: choose any appropriate folder on your system.
    2. Select AD Domain: select the AD domain linked to Specops Authentication
    3. Okta AD Agent Windows Service Account: choose Create or use the OktaService account, here you can create a new Service Account for the agent with the username OktaService@[your_domain]. Give it a strong password.
    4. Okta AD Agent Proxy Configuration: provide any information on proxy server depending on your set-up.
    5. Register Okta AD Agent; choose Production, and fill out your subdomain (i.e. your [okta_domain]
    6. After the registration step, the installer will open a browser window where you have to log in as an administrator. Once logged in, a pop-up window will appear in the browser. Click Allow Access.
  6. Once Access is allowed, a pop-up will inform you that the Active Directory agent has started. Click Next.
  7. On the next page you will be allowed to select the appropriate Organizational Units. Choose the correct ones for your set-up.
  8. At the bottom of that same page the setting for Okta username format should be set to User Principal Name (UPN). If any other value (Email or SAM Account Name) is selected here, then the UPN will have to be mapped to a separate Okta user profile attribute. For more information on mapping, please refer to the section Mapping UPN to Okta user profile attribute. Click Next.
  9. On the final page you can configure which attributes will be mapped from AD to Okta. Unless you have some specific requirements for certain attributes, keep the default settings.

Mapping UPN to Okta user profile attributes

In case administrators have set the Okta login for regular users to anything other than Universal Principal Name (UPN), the UPN needs to be mapped to a profile attribute. You can either map an existing attribute to UPN, or create a new one. The steps below describe the process for creating a new attribute.

  1. Go to Directory> ProfileEditor, and click on the Profile button next to the Okta (user) profile. You will be presented with a list of all the attributes present in Okta.
  2. Click the Add Attribute
  3. Fill out the form in the pop-up window, making sure to note the Display Name you enter.
  4. Click Save to save the new attribute.
  5. Go to Directory > Directory Integrations and click your Active Directory (the one linked to Okta)
  6. Go to the Settings tab, and at the bottom of the page click the Edit Mappings
  7. In the left column for the attribute you just created (usually at the bottom of the list), select userName from the drop-down.
  8. Click the Save Mappings button at the bottom.
  9. Click the Apply updates now to apply these mappings to all users with this profile.

Enabling Okta Text messages

To enable sending codes via text messages, do the following:

  1. In the Okta administration portal, go to Multifactor.
  2. Check Enable SMS Authentication.
  3. In Specops Authentication Web, go to Identity Services, and access the Okta settings.
  4. Set Enable SMS support for Okta to Yes.
  5. Click Save.

Configuring Trusted Proxy IPs for Okta push notifications

Push notifications sent to the Okta mobile app will display location. The IP address displayed in the push notification originates from the mobile phone. In order for the IP to be sent from Okta, administrators need to set Specops' IPs as trusted in the Okta Portal.

The Trusted Proxy IPs (see table below) can be added to your configuration by accessing the Okta Portal and going to Security > Networks (click Add Zone dropdown and choose IP Zone).

Specops Proxy IPs

IP Address
This list of IP addresses is subject to change. Advance notice of changes will be sent to listed contacts.

Configuring Okta in Specops Authentication

  1. Log in to Specops Authentication Web .
  2. Go to Identity Services in the left navigation, then select Okta.
  3. In the Okta domain field, enter your organization’s [ okta_domain].okta.com domain.
  4. In the API key field, enter the value of the API token you’ve created.
  5. If you have mapped UPN to a different attribute in Okta (see section Mapping UPN to Okta user profile attributes), fill in the attribute you have mapped in Okta. Otherwise you can leave the default UPN value.
  6. Set Auto-enroll users in Specops Authentication to Yes if you want your users to be auto-enrolled for Okta. Note that users must have set up their Okta to be able to use this identity service.
    setting Auto-enroll to yes for users who have not yet set up Okta, may result in a situation where users will be unable to verify their identity.
  7. Test the connection by clicking the Test connection button, and save the configuration if the test is successful.

Enabling Okta MFA selection

By default, when choosing Okta to authenticate with, the identity service will send a push notification to the user. The user can choose another notification method by clicking the "Use another method" link in the authentication window. Okta can be configured to always show these notification options from the start, saving the user from having to click the link.

  1. In Specops Authentication Web go to Identity Services > Okta, and access the settings for the identity service.
  2. Set the Enable Okta MFA selection to Yes.
    The options for this setting determine the following:
    • Yes: shows all MFA options; user has to choose one to continue with authentication. The methods are: Text message, Push request, Enter code.
    • No: default behavior; push notification with optional link to other notification methods.

Sending push notifications to multiple devices

Enabling push notifications for multiple devices cannot be configured in Specops Authentication Web. Administrators need to contact Okta to set a feature-flag for their account. Reference Case 01789673 when doing so.

Okta can be set up to send push notifications to any device the user has registered. When authorizing with Okta, the user can choose on which of their devices they want receive the push notification by selecting from a drop-down list. In order to enable sending to multiple devices, a feature-flag has to be set by Okta. Administrators need to contact Okta and request the feature-flag to be set. Please reference Case 01789673 when making this request.