Okta API MFA Integration

This feature is currently available only to customers participating in a Private Preview. If you'd like to participate and be among the first to try this feature, ask our support or account team for details.

This procedure walks you through setting up and testing Okta Multi-Factor Authentication on the Delinea Platform using a customer-managed registered app.

The integration lets the Delinea Platform call Okta APIs directly to send an Okta Verify push notification whenever the platform requires MFA.

The platform's Customer Managed app registration walks you through the necessary steps while keeping the Okta application's privileges to the minimum the integration needs.

The following procedures require copying and pasting information between Okta Admin Portal and the Delinea Platform. We recommend opening both applications before you begin and keeping both open until you are finished.

Create an Application in Okta

  1. Go to the Okta portal and log in.

  2. Navigate to Applications > Applications within the Admin Console.

  3. Select Create App Integration.

  4. Select API Services for type.

  5. In the App integration name field, enter a name for your application integration.

  6. Copy and save the Client ID.

Register an Okta App on the Platform

  1. On the Delinea Platform, navigate to Settings > Registered Apps.

  2. Select Add App > Customer Managed Okta.

  3. Provide an appropriate name for the Okta App.

  4. Enter your Okta org URL in the Okta Domain field.

  5. Paste the Client ID you copied from the Okta portal.

Update the Okta Application for JWKS Support

  1. In the Okta Application, edit the Client Credential section.

  2. Select Public key / Private key under Client authentication.

  3. Under Public Keys, select Use a URL to fetch keys dynamically.

  4. Paste the JWKS URL from the Delinea Platform application.

  5. Select Save and acknowledge that client secrets will no longer be used.
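With the JWKS URL in place, the platform authenticates to Okta with a private_key_jwt client assertion (RFC 7523) and Okta fetches the matching public key from that URL by its kid; no client secret is involved. The script below is an added example, not Delinea or Okta code: it runs the structural checks Okta applies to a JWKS document and to a client assertion before signature verification, so you can sanity-check what your JWKS URL publishes before the first token request. The client ID, org URL, key entry and assertion are constructed placeholders, and the RSA signature itself is not verified here.

```python
"""Structural pre-flight checks for JWKS-based (private_key_jwt) client authentication.

Added example, not Delinea or Okta code. The JWKS document, client id, org URL
and assertion below are constructed placeholders; only structure is checked and
the RSA signature is not verified (Okta does that with the fetched public key).
"""
import base64
import json
import time

CLIENT_ID = "0oaexampleclientid"          # placeholder: Client ID of the Okta API Services app
OKTA_DOMAIN = "https://example.okta.com"   # placeholder: the Okta org URL
TOKEN_ENDPOINT = OKTA_DOMAIN + "/oauth2/v1/token"

# Constructed sample of what the platform's JWKS URL is expected to publish.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "delinea-2024-01",
         "n": "<modulus-base64url-placeholder>", "e": "AQAB"},
    ]
}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def check_jwks(jwks: dict) -> list:
    """Return problems with a JWKS document; an empty list means it is usable for private_key_jwt."""
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        return ["JWKS has no non-empty 'keys' array"]
    problems, seen = [], set()
    for i, k in enumerate(keys):
        if k.get("kty") != "RSA":
            problems.append(f"key {i}: kty must be RSA, got {k.get('kty')!r}")
        if k.get("use", "sig") != "sig":
            problems.append(f"key {i}: use must be 'sig'")
        kid = k.get("kid")
        if not kid:
            problems.append(f"key {i}: missing kid (Okta selects the key by kid)")
        elif kid in seen:
            problems.append(f"key {i}: duplicate kid {kid!r}")
        seen.add(kid)
        for field in ("n", "e"):
            if not k.get(field):
                problems.append(f"key {i}: missing RSA parameter {field!r}")
    return problems


def check_client_assertion(jwt: str, jwks: dict, client_id: str,
                           token_endpoint: str, now=None) -> list:
    """Checks Okta applies to a client_assertion before verifying its signature."""
    now = time.time() if now is None else now
    try:
        h, c, _sig = jwt.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(c))
    except ValueError:
        return ["assertion is not a three-part compact JWS"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["assertion header or claims is not a JSON object"]
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"alg must be RS256, got {header.get('alg')!r}")
    if header.get("kid") not in {k.get("kid") for k in jwks.get("keys", [])}:
        problems.append("kid in assertion header not found in JWKS")
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        problems.append("iss and sub must both equal the client_id")
    aud = claims.get("aud")
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud must be the Okta token endpoint")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp missing or in the past")
    if not claims.get("jti"):
        problems.append("jti missing (replay protection)")
    return problems


def build_unsigned_assertion(kid: str, client_id: str, token_endpoint: str, now: float, ttl: int = 300) -> str:
    """header.claims.<placeholder> in the shape the platform signs with its private key."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "iat": int(now), "exp": int(now) + ttl, "jti": "constructed-jti-0001"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), "signature-placeholder"])


if __name__ == "__main__":
    print("JWKS problems:", check_jwks(SAMPLE_JWKS))
    assertion = build_unsigned_assertion("delinea-2024-01", CLIENT_ID, TOKEN_ENDPOINT, time.time())
    print("assertion problems:", check_client_assertion(assertion, SAMPLE_JWKS, CLIENT_ID, TOKEN_ENDPOINT))
```

To run this against your own registration, replace SAMPLE_JWKS with the JSON served at the JWKS URL shown on the platform's registered app and CLIENT_ID with the value you copied from Okta. A kid that is missing from the JWKS, a non-RS256 alg, or an aud other than the org's token endpoint are the usual reasons a client-credentials request is rejected after switching the app to public/private key authentication.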

Configure Permissions within Okta

Disable Demonstrating Proof of Possession (DPoP)

  1. Within the Okta application, edit the General Settings section.

  2. Deselect Require Demonstrating Proof of Possession (DPoP).

Update API Scopes

  1. Navigate to Okta API Scopes.

  2. Grant the Okta Application access to okta.users.manage and okta.users.read.

Create a Role for the Okta Application

  1. Navigate to Security > Administrators.

  2. Select the Roles tab.

  3. Select Create New Role.

  4. Give the role an appropriate name and description.

  5. Grant the role the permissions View users and their details and Reset users' authenticators.

  6. Select Save Role.

Create a Resource for Okta Application

  1. Navigate to Security > Administrators.

  2. Select the Resources tab.

  3. Select Create new resource set.

  4. Give the resource set an appropriate name and description.

  5. Select Add Resource.

  6. Select Users for resource type.

  7. Select All Users, or a narrower scope that still includes every user who will be prompted for MFA.

Update Admin Roles

  1. Navigate back to Applications > Applications.

  2. Select the application previously created for the Delinea Platform.

  3. Navigate to Admin Roles.

  4. Select Edit Assignments.

  5. Select the created Role and created Resource Set.

  6. Select Save Changes.

Enable Push Notifications in Okta

  1. Navigate to Security > Authenticators.

  2. Select Actions > Edit to edit the Okta Verify Authenticator.

  3. Enable Push Notification under Verification Options if not already enabled.

Test the API-Based Okta MFA Integration

Create or update an Authentication Profile in the Delinea Platform to validate the MFA integration. The profile must be attached to the authentication vector you intend to use (Platform Login, Secret Checkout, Endpoint Login, Endpoint Elevation, and so on) so that the test exercises that path.

  1. Navigate to Settings > Authentication Profiles.

  2. Create a new Authentication Profile or edit a preexisting one.

  3. Select Okta Verify as the authentication method within the profile.

  4. Attempt authentication, or a step-up MFA challenge, against the platform or the endpoint you are testing.
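If the test above fails, it helps to know what the platform is doing against Okta so you can tell a role or resource-set problem from an authenticator problem. The script below is an added example, not Delinea or Okta code: it drives an Okta Verify push the way a caller of Okta's public Users and Factors API would (list the user's factors, POST to the push factor's verify endpoint, poll the returned transaction link until it leaves WAITING) and treats anything other than an explicit SUCCESS as a denial. The org URL, access token, user id and factor id are placeholders, and FakeOkta is a constructed stand-in for the org so the exchange runs offline; an HTTP client with the same (method, url, headers) -> (status, json) signature can replace it to run against a real org with the service app's token. That these calls are what the scopes and admin role granted above must cover is my reading of the setup, not a statement from the page.

```python
"""Okta Verify push verification as a caller of the Okta API drives it.

Added example, not Delinea or Okta code. Paths follow Okta's public Users and
Factors API; OKTA_DOMAIN, ACCESS_TOKEN, the user id 00uexample and the factor
id opfexample are placeholders, and FakeOkta is a constructed stand-in for the
org so the flow runs offline.
"""
import time
from typing import Callable, Dict, Optional, Tuple

OKTA_DOMAIN = "https://example.okta.com"        # placeholder org URL
ACCESS_TOKEN = "<service-app-access-token>"     # placeholder: token from the client-credentials grant
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, object]]


def auth_headers(token: str) -> Dict[str, str]:
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def find_push_factor(transport: Transport, user_id: str, token: str) -> Optional[str]:
    """Return the id of the user's active Okta Verify push factor, or None if there is none."""
    status, body = transport("GET", f"{OKTA_DOMAIN}/api/v1/users/{user_id}/factors", auth_headers(token))
    if status != 200:
        raise RuntimeError(f"listing factors failed with HTTP {status}")
    for f in body:
        if f.get("factorType") == "push" and f.get("provider") == "OKTA" and f.get("status") == "ACTIVE":
            return f["id"]
    return None


def push_and_wait(transport: Transport, user_id: str, factor_id: str, token: str,
                  delay: Callable[[], None] = lambda: time.sleep(2), max_polls: int = 30) -> str:
    """Send the push and poll its transaction; returns Okta's final factorResult, or TIMEOUT."""
    status, body = transport("POST", f"{OKTA_DOMAIN}/api/v1/users/{user_id}/factors/{factor_id}/verify",
                             auth_headers(token))
    if status != 201 or body.get("factorResult") != "WAITING":
        raise RuntimeError(f"push challenge not started: HTTP {status} {body}")
    poll_url = body["_links"]["poll"]["href"]
    for _ in range(max_polls):
        delay()  # real callers must pace polling; the test passes a no-op
        status, body = transport("GET", poll_url, auth_headers(token))
        if status != 200:
            raise RuntimeError(f"polling failed with HTTP {status}")
        if body.get("factorResult") != "WAITING":
            return body["factorResult"]
    return "TIMEOUT"


def require_push_approval(transport: Transport, user_id: str, token: str,
                          delay: Callable[[], None] = lambda: time.sleep(2), max_polls: int = 30) -> bool:
    """Fail closed: only an explicit SUCCESS grants access. REJECTED, TIMEOUT,
    a missing push factor and any API error (e.g. 401 from a bad token) all deny."""
    try:
        factor_id = find_push_factor(transport, user_id, token)
        if factor_id is None:
            return False
        return push_and_wait(transport, user_id, factor_id, token, delay, max_polls) == "SUCCESS"
    except RuntimeError:
        return False


class FakeOkta:
    """Constructed stand-in for the org: one user (00uexample) with one active push factor (opfexample)."""
    POLL_URL = f"{OKTA_DOMAIN}/api/v1/users/00uexample/factors/opfexample/transactions/tx1"

    def __init__(self, outcome: str = "SUCCESS", waits: int = 2):
        self.outcome, self.remaining_waits, self.calls = outcome, waits, []

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> Tuple[int, object]:
        self.calls.append((method, url))
        if headers.get("Authorization") != f"Bearer {ACCESS_TOKEN}":
            return 401, {"errorSummary": "Invalid token provided"}
        if method == "GET" and url == f"{OKTA_DOMAIN}/api/v1/users/00uexample/factors":
            return 200, [{"id": "opfexample", "factorType": "push", "provider": "OKTA", "status": "ACTIVE"}]
        if method == "POST" and url == f"{OKTA_DOMAIN}/api/v1/users/00uexample/factors/opfexample/verify":
            return 201, {"factorResult": "WAITING", "_links": {"poll": {"href": self.POLL_URL}}}
        if method == "GET" and url == self.POLL_URL:
            if self.remaining_waits > 0:
                self.remaining_waits -= 1
                return 200, {"factorResult": "WAITING"}
            return 200, {"factorResult": self.outcome}
        return 404, {"errorSummary": "Not found"}


if __name__ == "__main__":
    for outcome in ("SUCCESS", "REJECTED"):
        fake = FakeOkta(outcome=outcome)
        print(outcome, "->", require_push_approval(fake, "00uexample", ACCESS_TOKEN, delay=lambda: None))
```

When running this live, an HTTP 403 on the factors listing or on verify usually points at the admin role or resource set (the user is outside the scoped users, or the role lacks the authenticator permission), an HTTP 401 at the client-credentials token, and a WAITING that never resolves at push notifications being disabled on the Okta Verify authenticator.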