Testing Centrify Privileged Access Service and Okta federation
Identity provider to service provider authentication confirmation
To confirm authentication from the identity provider to the service provider, perform the following steps:
1. Log into the Okta portal and click on the Centrify icon.
3. Verify that you are redirected to the Centrify PAS tenant dashboard.
Service provider to identity provider authentication confirmation
To confirm service provider to identity provider authentication, perform the following steps:
Note: Ensure you are logged out of the Okta and Centrify PAS tenants.
- Log into Centrify PAS with the domain given in partner federation and verify that you are redirected to the Okta login page.
- Log into the Okta portal and verify that you are redirected to the Centrify PAS dashboard.
Okta multi-factor authentication (MFA) setup
To set up Okta MFA, perform the following steps:
- Log in as the administrator to the Okta portal. At the top left, select Classic UI.
- Select the Applications tab.
- Click Add Application.
- Search for RADIUS Application and click Add.
- Enter Centrify RADIUS MFA for the Application label, click Next.
- Check Okta performs primary authentication. (This configuration works for versions 19.4 and below when Centrify PAS is not federated to the domain. Version 19.5 and above can be federated to the domain and use Okta as the master authenticator.)
- For UDP Port enter 1812.
- For Secret Key enter a secret key (the same value will also be entered into Centrify PAS).
- For Application username format select Email.
- For Update application username on select Create and Update.
- Click Done.
- Install the Okta RADIUS Agent on an accessible host (for example, an active connector host). For instructions on how to install the agent, see the Okta documentation: https://help.okta.com/en/prod/Content/Topics/Directory/Agent_Installing_the_Okta_Radius_Agent.htm.
Centrify Privileged Access Service setup
To set up Centrify PAS, perform the following steps:
- Log into the Centrify PAS console as administrator.
- Navigate to Settings > Network > Centrify Connectors. Select an active Connector. Select the RADIUS tab. Check the box "Enable connections to external RADIUS servers." Click Save.
- Navigate to Settings > Authentication. Select the RADIUS Connections tab, select Servers, and click Add.
- Set Name to Okta and enter the hostname or IP address of the host where the Okta RADIUS Agent was installed.
- Set Port to 1812.
- Set the Server Secret to the same value entered into the Okta portal.
- Set the Receive Timeout to 30.
- Set User Identifier Attribute to Email.
- Set Response Input Label to Password.
- Click Save.
- Navigate to Settings > Authentication and click Add Profile.
- For Profile Name enter Okta MFA Authentication Profile.
- For Challenge 1 check Third Party RADIUS Authentication.
- Do not check any other authentication mechanisms.
- Click OK.
- Navigate to Access > Roles and create Role Okta MFA User. Set administrative rights to allow Admin Portal Login at a minimum. Add one or more users as members of the role (in this example: firstname.lastname@example.org). Click Save.
- Navigate to Access > Policies and click Add Policy Set.
- Enter the name Okta MFA Policy for the policy, and for Policy Assignment select Specified Roles.
- Click Add and select a role containing the Okta MFA users (in this example: Okta MFA User).
- Navigate to Authentication Policies > Centrify Services. Set Enable authentication policy controls to Yes and set the Default Profile to Okta MFA Authentication Profile.
- Under User Security Policies > RADIUS, set Allow Third Party RADIUS Authentication to Yes.
- Save the policy.
Testing Okta MFA
To test Okta MFA, perform the following steps:
1. Verify that the Okta username is enrolled in your Okta MFA mobile application.
2. Open an incognito browser window and go to the Centrify PAS portal.
5. Enter the PIN from the Okta application, or enter 1 and approve the request in the Okta application.
6. On successful MFA, the user will be logged into the Centrify PAS portal.