Okta IdP factor MFA integration

Arculix integrates with Okta to increase security with Arculix's intelligent multi-factor authentication (MFA). This integration uses Okta's Custom IdP Factor Authentication feature to enable Arculix's intelligent MFA.

This allows administrators to configure their Okta SSO applications to require Arculix's Smart MFA before authenticating users.

Arculix's intelligent MFA uses many different signals to provide a low-friction increase in security.

Prerequisites

  • Arculix account with a configured Identity Provider and LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • User account with administrative privileges for Arculix.

  • User account with administrative privileges for the Okta panel.

  • Okta's IdP Factor must be enabled as a multifactor type.

  • The Arculix Base URL for your account.

Add a new IdP

In the Okta admin panel, add a new SAML Identity Provider.

  1. Select Security > Identity Providers.

  2. Click the Add Identity Provider button and select Add SAML 2.0.

  3. In the Add Identity Provider section, set the following:

    Note

    Your Base URL is the SSO landing page for your account, in the format: https://sso.arculix.com/my-organization.

    Name

    Enter a unique name.

    For example, Arculix IdP Factor.

    IdP Usage

    Set to Factor only.

    IdP Issuer URI

    Enter [your Base URL]/saml.

    For example, https://www.sso.arculix.com/example/saml.

    IdP Single Sign-On URL

    Enter [your Base URL]/saml/idp_factor.

    For example, https://www.sso.arculix.com/example/saml/idp_factor.

    IdP Signature Certificate

    Download the certificate from [your Base URL]/saml/download/cert.

  4. Click Add Identity Provider to save.
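
A pre-flight check for the values in step 3, as an added example that is not part of the Arculix or Okta documentation: it derives the Issuer URI, Single Sign-On URL and certificate download URL from the Base URL as the steps above describe, reports any entered value that differs (a different host or scheme, for instance), and computes a SHA-256 fingerprint of the downloaded PEM so the uploaded certificate can be recorded and compared later. The function names and the `example` organization are assumptions.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

def expected_idp_settings(base_url):
    """Derive the Okta field values from the Arculix Base URL, per the steps above."""
    p = urlsplit(base_url.strip())
    if p.scheme != "https" or not p.hostname:
        raise ValueError("Base URL must be an absolute https:// URL")
    if p.username or p.query or p.fragment:
        raise ValueError("Base URL must not carry credentials, a query or a fragment")
    base = f"https://{p.netloc}{p.path.rstrip('/')}"
    return {
        "IdP Issuer URI": base + "/saml",
        "IdP Single Sign-On URL": base + "/saml/idp_factor",
        "certificate download": base + "/saml/download/cert",
    }

def check_entered(base_url, entered):
    """Compare what was typed into Okta with the derived values; return mismatches."""
    problems = []
    for field, want in expected_idp_settings(base_url).items():
        got = entered.get(field)
        if got is not None and got.strip() != want:
            problems.append(f"{field}: entered {got!r}, expected {want!r}")
    return problems

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_sha256_fingerprint(pem_text):
    """SHA-256 over the DER bytes of the first PEM certificate block."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

if __name__ == "__main__":
    # Constructed sample values; "example" is a placeholder organization.
    base = "https://sso.arculix.com/example/"
    typed = {
        "IdP Issuer URI": "https://sso.arculix.com/example/saml",
        "IdP Single Sign-On URL": "http://sso.arculix.com/example/saml/idp_factor",
    }
    for line in check_entered(base, typed):
        print("MISMATCH", line)
```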

Configure IdP Factor MFA

In the Okta admin panel, add the IdP as a custom MFA factor.

  1. Select Security > Multifactor > IdP Factor.

  2. Click Edit.

  3. Select the Identity Provider that was created in the previous section. For example, Arculix IdP Factor.


Set Sign On Policy for Application

In the Okta admin panel, add a sign on policy to your application to force MFA for application logins.

  1. Select Applications, then click the application you would like to enable Arculix MFA for.

  2. In the Application Settings section, click Sign On.

  3. In the Sign On Policy section, click Add Rule.

  4. In the Actions section, select the check box for Prompt for factor and select Every Sign on.

  5. Click Save.

Arculix SAML configuration as an Identity Provider (IdP)

In this section, you'll add an application for Okta IdP Factor and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

Note

Some required information can be found in Okta in the Security > Identity Providers section by clicking the arrow icon next to the Arculix Identity Provider that was created earlier.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

  3. In the New Application form, on the General tab, set the following configurations:

    Name

    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, Okta IdP Factor.

    Type

    Set to SAML Service Provider.

    Out of Band Methods

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests

    (Optional) Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

  4. Select the SAML Service Provider Configuration tab, and set the following configurations:

    Upstream IdP

    Select the check box.

    Issuer or Entity ID

    Enter the Audience URI provided by Okta.

    Log in URL

    Enter the Audience URI provided by Okta.

    Metadata URL

    Enter the Metadata URL provided by Okta.

    Username Field for Upstream IdP

    Select the Active Directory field that is configured as your organization's Okta username.

    ACS URL

    Enter the Assertion Consumer Service URL provided by Okta.

    Certificate

    Enter the X.509 public certificate downloaded from Okta.

  5. Save your changes.

User experience

  1. After the admin has enabled IdP factor MFA, the user will be prompted to add this custom factor on their next login via Okta.

  2. The user then selects the IdP Factor option and is taken to a QR pairing screen.

  3. They can then download the Arculix mobile application from Google Play Store or Apple App Store.

  4. The user opens the mobile application and is prompted to scan the displayed QR code.

  5. After scanning the QR code, the user's device is paired.

  6. On subsequent authentication attempts, Okta asks the user to confirm the IdP factor MFA and takes them to the MFA option selection.

  7. Upon approval of MFA, the user will be authenticated to their application.

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the SecureAuth Corporation.