Okta / Foxpass password delegation
This describes how to set up Foxpass to delegate password verification to Okta.
1. Create a new Okta user
Go to "Admin", then "Directory", then "Add Person". Add a user named "Foxpass"
2. Make that user an admin
Go to "Admin", then "Security", then "Administrators". Give the "Foxpass" user Read-Only Admin rights. If you would like to keep 2FA on for requests from Foxpass, give the user Group Admin rights instead.
3. Get that user's API key
Log into Okta as the Foxpass user we created in step 1. Generate an API key using the instructions from Create an API Token.
4. Put that API key into Foxpass
Go to the Foxpass 'Auth Settings' page. Go to 'Delegate authentication to' and choose 'Okta' from the dropdown.
Enter your Okta site's URL and the API key you generated above.
5. Add 2-factor exemption
Okta's two-factor is compatible with Foxpass's LDAP interface. If you plan to use Foxpass's Cloud RADIUS interfaces, then using 2FA is not recommended because users will be prompted to verify 2FA at least every hour, and possibly every time the user connects to a new access point. As for LDAP, bypassing MFA may be desired depending on how you're integrating Foxpass with your application.
To disable Okta's MFA you need to add our outbound IP addresses to be "in-zone" in Okta.
First, go to the Networks page under the Security header in the admin interface. Create a zone to include our outbound IP addressees (below).
35.168.179.228
18.206.75.69
52.55.180.22
35.153.120.184
To see the updated IP addresses for delegated authentication, you can visit this page:
Delegated Authentication IP Addresses
Then, go to the Authentication section under the Security header and select the Okta Sign On Policy tab. Now, add an exemption to any two-factor policy the IP zone you used previously. You can do this by selecting your MFA rule and setting "IF User's IP is: Not In Zone" and selecting the zone you added Foxpass's IP's to. Then you're all good to go!
6. Add ThreatInsight exemption
Include the zone you created in step 5, above, as an "exempt zone". See example screenshot, below.
Updated 2 months ago