Configuring Duo Security
Published: Jan 31, 2018   -   Updated: Jun 22, 2018

 

 


You can configure Duo Security as a multifactor authentication (MFA) option. When enabled as a factor, Duo is the system of record for MFA, and Okta delegates secondary verification of credentials to your Duo Security account.

Okta denies access to any user, including Okta administrators, who has a valid Duo user account with a status of Disabled or Locked Out. Users cannot sign in with a different MFA factor when their Duo account has a Disabled or Locked Out status. Okta Technical Support cannot reset Duo devices for your Okta administrators or any Duo users. This must be performed by a Duo administrator. Make sure that you have multiple Duo administrators and that your Okta administrators have multiple devices registered.

Okta looks up users in your Duo account by using the Okta username or email address of the user signing in to Okta. If you have a Duo deployment with existing enrollments, make sure that your Duo usernames match the Okta usernames or email addresses of your Okta users. You can change username mapping from Okta username (default) to email address by signing in to your Okta Administrator Dashboard, selecting Security > Multifactor > Duo, and changing the Duo Username Format setting.

Okta supports self-enrollment with Duo for new Duo users during sign in. New users can also enroll on their Duo account page. Depending on your Okta integration settings in Duo, users can enroll with a smartphone, tablet, or telephone. Duo currently limits this functionality to first-time enrollments. After first-time enrollment, users must contact their Duo administrator to add more devices. If an existing Duo user matches a user in Okta, self-enrollment is disabled.
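The lookup and lockout rules above can be checked before Duo is enabled as a factor. The following is an added example, not part of the Okta or Duo documentation: it audits two user exports against those rules. The record layout, field names, and case-insensitive comparison are assumptions, and the sample data is constructed.

```python
# Added example: pre-rollout audit of the Okta-to-Duo user mapping.
# Field names (okta_username, email, is_admin, username, status, devices)
# are hypothetical; adapt them to whatever your own exports contain.

BLOCKING = {"disabled", "locked out"}  # Duo statuses that cause Okta to deny access

def norm(value):
    # Assumption: names are compared ignoring case and surrounding whitespace.
    return value.strip().casefold()

def audit(okta_users, duo_users, username_format="username", min_admin_devices=2):
    """Classify each Okta user by what happens once Duo is the MFA factor.
    username_format: "username" (the default mapping) or "email"."""
    field = "okta_username" if username_format == "username" else "email"
    duo_by_name = {norm(u["username"]): u for u in duo_users}
    report = {"no_duo_match": [], "denied": [], "admin_few_devices": [], "ok": []}
    for user in okta_users:
        duo = duo_by_name.get(norm(user[field]))
        if duo is None:
            # Not found in Duo: treated as new, existing enrollment is not used.
            report["no_duo_match"].append(user["okta_username"])
        elif norm(duo["status"]) in BLOCKING:
            report["denied"].append(user["okta_username"])
        elif user["is_admin"] and len(duo["devices"]) < min_admin_devices:
            # Administrators should have multiple devices registered.
            report["admin_few_devices"].append(user["okta_username"])
        else:
            report["ok"].append(user["okta_username"])
    return report

# Constructed sample data
OKTA_USERS = [
    {"okta_username": "alice", "email": "alice@example.com", "is_admin": True},
    {"okta_username": "bob", "email": "bob@example.com", "is_admin": False},
    {"okta_username": "carol", "email": "carol@example.com", "is_admin": True},
    {"okta_username": "dave", "email": "dave@example.com", "is_admin": False},
]
DUO_USERS = [
    {"username": "alice", "status": "Active", "devices": ["phone-1"]},
    {"username": "bob", "status": "Locked Out", "devices": ["phone-2"]},
    {"username": "carol@example.com", "status": "Active", "devices": ["phone-3", "token-1"]},
    {"username": "dave", "status": "Active", "devices": ["phone-4"]},
]

if __name__ == "__main__":
    for fmt in ("username", "email"):
        print(fmt, audit(OKTA_USERS, DUO_USERS, username_format=fmt))
```

Running the audit with both username formats shows which Duo Username Format setting leaves the fewest existing enrollments unmatched.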

Before You Begin

Before you configure Duo as an MFA option, you must have a Duo account and configure Okta as an integration. Duo users must install the Duo mobile app on their selected devices. Refer to your Duo Security documentation for more information.

To integrate Duo with Okta, you must have the following information from your Duo account:

  • Your integration key
  • Your secret key
  • Your API hostname

To obtain this information, sign in to your Duo Security account and add a new Okta Integration.

Configuration Procedure

To configure Duo, do the following:

  1. From your Okta Administrator Dashboard, select Security > Authentication, and then select the Duo Security tab.
  2. On the Duo Security Settings page, enter your integration key, secret key, and API hostname, select your Duo username format, and then click the Save button.
  3. Navigate to Security > Multifactor > Factor Types, click the Edit button, select the Duo Security checkbox, and then click the Save button.

End-User Self-Enrollment

After you set Duo Security as a factor in Okta, your end users are prompted to configure Duo and set up their devices during sign in if they don't already have a valid Duo registration. Users go through the following steps:

  1. Sign in to Okta and receive a prompt to configure extra security. Select the Configure Factor button for Duo Security.
  2. The setup wizard is launched. Users must click the Start Setup button to continue.
  3. Users select a device (for example, mobile phone) and click the Continue button.
  4. Optionally, click the Enroll another device button or click the Done button when you are finished adding devices.

Note: You will not be able to configure additional devices after you complete the setup wizard. Contact your Duo admin to help you if you later discover that you want to configure additional devices.

End-User Verification

Users that have already enrolled with Duo are prompted for additional verification during sign in. Users can select the authentication type that is supported by their device to verify their identity.

Using A Security Device

You can use a YubiKey security device for Duo verification. Choose Verify with Duo Security device. Press the button on the device and then select Verify.

End User Device Management

Once you have enrolled one or more devices, you can subsequently edit those devices, or enroll a new device, as follows:

  1. From your Home page, select your user name in the upper right, then select Settings from the dropdown menu.
  2. Scroll down to the Extra Verification section, then click Edit.

  3. Click Manage Devices to edit or enroll a new device.

  4. A Duo login will be pushed to your device. Log in.
  5. To enroll a new device, select Enroll a new device, then continue with the enrollment as described in End-User Self-Enrollment, above.
  6. To edit an existing device, select Actions, then select one of the following edit actions:
    • Change Device Name...
    • Remove Device
    • Set as Default

  7. Once you have completed your edit action, click Done.

Known Issues

The following are known issues with the Duo Security integration. We will update this information as these issues are resolved.

  • If users miss a text or phone call, they must refresh the page and have a new text or phone call sent to them. This issue will be fixed before this feature becomes generally available.
  • If a user starts the self-enrollment process but doesn't complete the process or refreshes the page, they will be unable to enroll via Okta and must be enrolled by an administrator using the Duo Administrator Dashboard. This is a limitation of the Duo API.