
MFA for Admin Login

Aug 31, 2015 | by Thomas Hill in MFA

Original Author: Matt Egan, Varian Medical Systems

This is how we've enabled MFA for the Okta Admin interface.

Our configuration is as follows. We have an Okta org that is populated and mastered by Active Directory. In Active Directory we have separate accounts used for administrative purposes. Those accounts are subject to greater authentication scrutiny (a fine-grained password policy, FGPP), which works well enough for Active Directory and Windows Server configuration, but it didn't provide the level of separation or strength of authentication that we wanted for Okta administration. To accomplish what we wanted in Okta we ended up creating Okta-mastered users following a standard naming convention. Additionally, we converted these users to federated users to ensure no backdoors existed around our strategy. With those Okta accounts in place we configured our Okta org to allow inbound SAML assertions from itself. I then created a template application within the same Okta org; on this application we made a custom username assignment rule that maps the user ID of our productivity accounts, e.g. 'jdoe@yourdomain.tld', into a username aligned with the Okta-mastered accounts, 'jdoe@yourdomain.okta.tld'. To fulfill the MFA requirement I then configured this SAML application to require MFA at every session. Detailed instructions follow.

  1. Create a SAML Template app (This doesn't seem to work with the SAML Wizard App)

    1. Log in to Okta admin as a Super Admin
    2. Navigate to Applications
    3. 'Add Application'
    4. Search for and select "Template SAML 2.0 App"
      1. Most importantly, use this logo:
        1. okta-admin.png
      2. Provide a Label (I use 'Okta Admin')
      3. Provide a placeholder value of 'none' for 'Post Back URL', 'Recipient', 'Audience Restriction' and 'Destination'
      4. Click Next
      5. Don't assign the Application to users (yet)
      6. Click Next
      7. Click Done
      8. Visit the 'Sign On' Tab of the newly created 'Okta Admin' app
      9. Change the 'Application username format' to Custom
        1. I use this expression to generate a username that matches the username I'm going to create in a subsequent step, the one that actually has administrative rights:
          • okta${f:substringBefore(user.login,"@")}@YourDomain.okta.tld
        2. Replace YourDomain with your actual Okta org domain
        3. If your Okta login name was jdoe@YourDomain.tld, your username would become oktajdoe@YourDomain.okta.tld
        4. Click Save
      10. On the same 'Sign On' Tab modify the 'Sign On Policy'
      11. Click 'Add Rule'
        1. Rule Name: MfaAlways
        2. People: 'Users assigned this app'
        3. Location: 'Anywhere'
        4. Access is Allowed
        5. Action: Prompt for factor
          • Pick the frequency requirements of your liking; I use 'Every sign on'
        6. Click 'Save'
      12. On the same 'Sign On' Tab Click the 'View Setup Instructions' link
      13. Scroll to the 'Configuration Data' section of the resulting Tab
      14. Download and save the 'Public Certificate' (take note of the location; we'll use it in subsequent steps)
      15. Keep this tab/window open for the time being; the 'External Key' and 'Redirect Login URL' will be used in the next steps
  2. Enable Inbound SAML

    1. In a new tab or window, log in to Okta as a Super Admin and navigate to Security->Authentication->Inbound SAML
    2. 'Add Endpoint'
      1. Provide an Alias (I use 'Self' due to character restrictions for this field, the value is arbitrary)
      2. Provide the path to the Public Certificate that was downloaded in step 1.14
      3. Provide the value for 'External Key' from the SAML App Configuration Data as the 'IDP Issuer'
      4. Provide the value for 'Redirect Login URL' from the SAML App Configuration Data as the 'IDP Login URL'
      5. Leave the 'IDP Binding' as 'HTTP-Post'
      6. Leave the 'Default Group Assignment' Empty
      7. Leave the 'Transform Username' as 'username'
      8. Configure the 'Name ID Format' as 'Email Address'
      9. Leave the 'Enable SP initiated SAML' Unchecked
    3. Click 'Save Endpoint'
    4. We now have an Inbound SAML Endpoint configured
      1. Make note of
        • Assertion Consumer Service
        • Audience URI
  3. Update the newly created 'Okta Admin' app with these new values

    1. Visit the 'General' tab on 'Okta Admin' application
      1. Populate 'Post Back URL', 'Recipient' and 'Destination' with the value of the 'Assertion Consumer Service' of the Inbound SAML endpoint previously created
      2. Populate the 'Audience Restriction' with the value of the 'Audience URI' of the Inbound SAML endpoint previously created
      3. Configure the 'Name ID Format' as 'EmailAddress'
      4. Configure the 'Default Relay State' as https://YourDomain.okta.tld/home/admin-entry
      5. Leave all other values at their default
      6. Click Save
  4. Create new 'Figurehead' Okta Accounts to be used as the Admins

    1. Navigate to 'Directory->People'
    2. Click 'Add Person'
      1. Provide values; I suggest the following to avoid confusion:
      2. Suggestion: first name the same as the real person's first name, e.g. John
      3. Suggestion: last name the same as the real person's last name prefixed with Okta, e.g. OktaDoe
      4. Mandatory: username is the value that the custom application username format defined on the application would produce, e.g. oktajdoe@YourDomain.okta.tld
      5. Suggestion: primary email the same as the real person's email
      6. No need for a group, but I put mine in a group for tracking purposes
      7. Check the box for 'Send user activation email now'
      8. Click 'Add Person'
      9. Repeat this step for each Admin account you need to create
      10. Optional: convert the newly created user to a 'Federated' user (requires an API call; see the Users API in the Okta Developer documentation, or oktaConvertUsertoFederation from my PowerShell wrapper, mbegan/Okta-PSModule on GitHub)
  5. Assign administrative roles to the newly created administrative users

    1. Security->Administrators->'Add Administrator'
      1. Find newly created users
      2. Select appropriate roles
      3. Click 'Add administrator'
  6. Assign the new 'Okta Admin' application to the 'real' users that you want to have administrative access (and have already created Admin accounts for)

    1. I don't use Groups for this one because I want it to be a very explicit action.
  7. Test

    1. If I've documented everything correctly and clearly enough to follow, you should be able to log in to the Okta Admin console by:
      1. Logging in to the Okta application portal as your normal AD-mastered user account
      2. Clicking the newly assigned 'Okta Admin' app
      3. Satisfying the MFA requirements
  8. Remove Access for your normal account

    1. If things worked as expected you can remove the Administrative roles from your normal user account
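
To make the end state of this procedure checkable, here is an added example (my own, not from the original post or from the mbegan/Okta-PSModule wrapper): a Python audit of the figurehead-admin scheme. It re-implements the username expression from step 1.9 and checks the invariants behind steps 4.10, 6 and 8 over constructed sample data; field values follow the Okta Users API (credentials.provider.type, role type names), the domain is the post's YourDomain.okta.tld placeholder, and no API call is made.

```python
import re

ORG_DOMAIN = "YourDomain.okta.tld"  # placeholder from the post; substitute your org domain

def admin_login_for(user_login: str) -> str:
    """Python equivalent of the app username expression from step 1.9:
    okta${f:substringBefore(user.login,"@")}@YourDomain.okta.tld"""
    local_part = user_login.split("@", 1)[0]
    return f"okta{local_part}@{ORG_DOMAIN}"

# Logins that follow the figurehead naming convention (oktajdoe@YourDomain.okta.tld)
FIGUREHEAD_RE = re.compile(r"^okta[^@]+@" + re.escape(ORG_DOMAIN) + r"$")

def audit(users, admin_roles, app_assignments):
    """users: login -> credentials.provider.type; admin_roles: login -> list of role types;
    app_assignments: logins of 'real' users assigned the 'Okta Admin' app.
    Returns findings (an empty list means the scheme's invariants hold)."""
    findings = []
    expected_admins = {admin_login_for(login) for login in app_assignments}
    for login, roles in admin_roles.items():
        if not roles:
            continue
        if not FIGUREHEAD_RE.match(login):
            # Step 8: a normal (AD-mastered) account must not keep admin roles
            findings.append(f"{login} holds {roles} but is not a figurehead account")
            continue
        if users.get(login) != "FEDERATION":
            # Step 4.10: a figurehead with a usable password bypasses the SAML/MFA path
            findings.append(f"{login} is not federated (provider={users.get(login)})")
        if login not in expected_admins:
            # Step 6: every figurehead admin should be reachable via an explicit app assignment
            findings.append(f"{login} has no real user assigned the 'Okta Admin' app")
    for real in app_assignments:
        if admin_login_for(real) not in admin_roles:
            findings.append(f"{real} is assigned the app but {admin_login_for(real)} has no admin role")
    return findings

# Constructed sample org: jdoe is set up correctly; asmith kept a SUPER_ADMIN role on the
# normal account and the oktaasmith figurehead was never converted to FEDERATION.
SAMPLE_USERS = {
    "jdoe@YourDomain.tld": "ACTIVE_DIRECTORY", "oktajdoe@YourDomain.okta.tld": "FEDERATION",
    "asmith@YourDomain.tld": "ACTIVE_DIRECTORY", "oktaasmith@YourDomain.okta.tld": "OKTA",
}
SAMPLE_ROLES = {"oktajdoe@YourDomain.okta.tld": ["SUPER_ADMIN"],
                "oktaasmith@YourDomain.okta.tld": ["APP_ADMIN"], "asmith@YourDomain.tld": ["SUPER_ADMIN"]}
SAMPLE_APP_USERS = ["jdoe@YourDomain.tld", "asmith@YourDomain.tld"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS, SAMPLE_ROLES, SAMPLE_APP_USERS):
        print("FINDING:", finding)
```

Feeding it real data means pulling the user list, each user's roles and the app's assigned users from the Okta API and mapping them into the three structures above.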
 

Comments

  • Kent Hulick on May 22, 2017

    I am so close to having this working: all the authentication works, but it seems to ignore the default relay state. I've looked at the actual SAML assertion and HTTP parameters and the default relay state is there, but instead of getting the admin page I get the default login page for the original user. Has anyone made this work in the last year?