This article is for administrators migrating users in stages from legacy Duo Security MFA factor (with traditional Duo Prompt) to the new Duo OIDC IdP factor with Duo Universal Prompt.

This migration has prerequisites or certain features that must be enabled for their actual Okta tenant before the implementation. Without these features, Okta administrators may not see all the options and settings needed for configuration.

• For example, the Open ID Connect IdP option will be missing from Security > Identity Providers > Add identity provider.

• Multi-Factor Authentication (MFA)
• Duo Security
• Identity Provider (IdP)

Prerequisites

• Ensure the Okta tenant has the features necessary for Duo as an OIDC factor. 

Okta Classic Engine 

• Open a case with Okta Support referencing this article, and request that the following features be enabled to allow the use of the Open ID Connect IdP identity provider:
  • TOP_WINDOW_REAUTH_FROM_ENDUSER_SETTINGS
  • STATE_TOKEN_ALL_FLOWS
  • CLAIMS_AS_FACTOR
  • GENERIC_OIDC_IDP

Okta Identity Engine 

• The required features should already be enabled. If unsure, confirm with Okta Support.

Outcome after features enablement:

• The OpenID Connect IdP option will be visible, and the Okta Admin may proceed with the following guide from the DUO Security KB.

NOTE: 

• To set up DuoFederal OIDC Universal Prompt, there is a Duo Federal Feature Flag called "(Beta) Asymmetric Signing for WebSDK 4." Please contact Duo Support regarding this request.
• If User Factors is not retrieving the Duo IdP factor, please contact support and ask to confirm that the features referenced above are enabled. All four features need to be enabled for the factors API to work properly.

Related References

• How to Integrate Okta with Duo Authenticator Universal Prompt