Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 7.0.3 LTS - Okta Multi-Factor Authentication - Tutorial

[okta]

This section contains the options related to your Okta account.

[okta]
# Do NOT use api_key in production
; api_key=YOUR-OKTA-API-KEY
application_id=PSMOktaAAPlugin/%(VERSION)s
site_name=example.okta.com
api_url=https://%(site_name)s/api/v1/
default_prefix=o
http_socket_timeout=10
ignore_conn_err=Yes
rest_poll_interval=1
timeout=55
api_key
Type: string
Required: yes
Default: N/A

Caution:

This parameter contains sensitive data. Make sure to store this data in your local Credential Store. Type the $ value for this parameter in production.

For details, see Store sensitive plugin data securely.

Only enter a value different than $ for this parameter in the configuration for testing purposes in a secure, non-production environment.

Description: Your Okta API key. SPS uses this to communicate with the Okta server. For details on using a local Credential Store to host this data, read Store sensitive plugin data securely.

Caution:

According to the current Okta policies, your API token expires if it is not used for 30 days. Make sure that you use it regularly, because SPS will reject your sessions if the API token is expired.

application_id
Type: string
Required: no
Default: PSMOktaMFA/1.0

Description: The application ID used in the communication with the Okta server. This ID is visible in the Okta logs.

api_url
Type: string
Required: yes
Default: N/A

Description: The URL where the Okta server can be accessed. Usually you can use the default value:

api_url=https://example.okta.com/api/v1/

To override the access URL for the Okta API, change the value.

default_prefix
Type: string
Required: no
Default: o

Description: If the user uses an OTP-like factor, and does not specify the type of factor in the OTP string, the SPS plugin assumes that the OTP is for the default factor. The possible values are as follows:

  • Google Authenticator: g

  • inWebo Authenticator: o

  • Symantec token: s

  • YubiKey: y

  • RSA token: r

If you do not set this option and the user does not specify an OTP type, the plugin assumes that the OTP received from the user is an Okta OTP.

timeout
Type: integer [seconds]
Required: no
Default: 60

Description: How long the authentication process can take during the communication with the Okta server (potentially consisting of multiple HTTP requests).

http_socket_timeout
Type: integer [seconds]
Required: no
Default: 10

Description: How long the plugin waits for an approval when using the Okta push notification factor. This option sets the timeframe (measured from the user initiating the connection to SPS) within which SPS must receive the approval from the Okta server. SPS periodically asks the Okta server to check if the user successfully authenticated on the Okta server.

rest_poll_interval
Type: integer [seconds]
Required: no
Default: 1

Description: How often the plugin checks the Okta server to see if the push notification was successful. Note that SPS rejects the connection of the user if it does not receive an approval for the push notification within the period set in http_socket_timeout.

ignore_conn_err
Type: yes | no
Required: no
Default: no

Description: Determines how to handle the sessions if the Okta service is not available. If set to yes, the plugin assumes that the user successfully authenticated even if the plugin cannot access Okta to verify this.

Caution:

Enabling this option allows the users to bypass multi-factor authentication if SPS cannot access the Okta service for any reason, for example, a network configuration error in your environment.

[auth]

This section contains the options related to authentication.

Declaration
[auth]
prompt=Press Enter for push notification or type one-time password:
disable_echo=yes
prompt
Type: string
Required: no
Default: Press Enter for push notification or type one-time password:

Description: SPS displays this text to the user in a terminal connection to request an OTP interactively. The text is displayed only if the user uses an OTP-like factor, and does not send the OTP in the connection request.

disable_echo
Type: boolean (yes|no)
Required: no
Default: no

Description: For better security, you can hide the characters (OTP or password) that the user types after the prompt. To hide the characters (replace them with asterisks), set disable_echo to yes.

[connection_limit by=client_ip_gateway_user]

This section contains the options related to limiting parallel sessions.

Declaration
[connection_limit by=client_ip_gateway_user]
limit=0
limit
Type: integer
Required: no
Default: 0

Description: To limit the number of parallel sessions the gateway user can start from a given client IP address, configure limit. For an unlimited number of sessions, type 0.

[authentication_cache]

This section contains the settings that determine how soon after performing a 2FA/MFA authentication the user must repeat the authentication when opening a new session.

After the first Okta authentication of the user, SPS will not request a new Okta authentication from the user as long as the new authentications happen within soft_timeout seconds from each other. After the hard_timeout expires (measured from the first Okta login of the user), SPS will request a new Okta authentication.

In other words, after opening the first session and authenticating on Okta, the user can keep opening other sessions without having to authenticate again on Okta as long as the time between opening any two sessions is less than soft_timeout, but must authenticate on Okta if hard_timeout expires.

Declaration
[authentication_cache]
soft_timeout=15
hard_timeout=90
reuse_limit=5
soft_timeout
Type: integer [in seconds]
Required: yes, if you want caching
Default: N/A
Min value: 0
Max value: 2147483647

Description: The time in seconds after which the SPS plugin requires a new Okta authentication for the next new session of the user, unless the user successfully authenticates another session within this period.

hard_timeout
Type: integer [in seconds]
Required: yes, if you want caching
Default: N/A
Min value: 0
Max value: 2147483647

Description: The time in seconds after which the SPS plugin requires a new Okta authentication for the next new session of the user. The time is measured from the last Okta authentication of the user.

reuse_limit
Type: integer [number of]
Required: Optional
Default: 0
Min value: 0
Max value: 2147483647

Description: The number of times that you can reuse the authentication cache before the SPS plugin requires from you a new authentication for the next session. The default is 0, which means that the authentication cache is not unlimited, but it is turned off.

In the example, if reuse_limit is set to 5, and you successfully authenticated with multi-factor authentication, the next 5 authentications are bypassed in the next 90 seconds (hard_timeout), if there is no gap bigger than 15 seconds (soft_timeout) between the authentications.

If any of the hard_timeout, soft_timeout, or reuse_limit parameters, which operate independently from one another, exceed the configured limit, the SPS plugin requires you to authenticate for the new session.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating