NOTE: This integration requires an Okta feature called "IdP Factor" that Okta still considers EARLY ACCESS. Use at your own risk.

Prerequisites

To set up this integration, you need administrative access to Okta and must already have Okta configured as your Identity Provider. In addition, the "IdP Factor" feature must be enabled on your Okta account.

Important Information & Known Issues

The Okta IdP Factor feature is in early access and must be enabled by Okta support; we cannot predict when Okta will make it generally available. Additionally, in SP-initiated login flows where the user does not already have an Okta session, Okta prompts for the login flow and the factor twice.


Steps

Step 1. Register Okta as an IDP Routed SaaS App in the Banyan Command Center

1a. In the Banyan Command Center, navigate to “Manage Services” > “SaaS Applications” and click “Publish SaaS Application”.


1b. Select “IDP Routed” from the following prompt.


1c. Give your IDP Routed service a recognizable name. In this example we named it “Okta IDP Factor”. Modify the redirect URL from Okta if needed.

1d. Attach a policy to the service and choose either permissive or enforcing mode. For testing we recommend permissive mode.


1e. You will now see the configuration items needed for Okta. Leave this page open and open the Okta Administrator Console in a new tab.


1f. In the Okta Administrator Console, go to “Security” > “Identity Providers”. Then choose “Add Identity Provider” and “Add OpenID Connect IDP”.


1g. Use the information from step 1e to complete the configuration. Be sure to set the IdP Usage to “Factor Only” and to add the scopes email, openid, groups, and profile. Then click “Add Identity Provider”.


Step 2. Configuring a Fallback Routing Rule.

2a. Navigate to the “Routing Rules” tab in Okta under the same “Identity Provider” screen. Then choose “Add Routing Rule”.


2b. Configure the Banyan fallback routing rule as follows: select the TrustProvider application you created earlier when setting up Okta as your user directory, and set the Identity Provider to Okta. Click “Create Rule”.


2c. Make sure this rule is ordered above any other routing rules you have already configured.


Step 3. Configuring the Banyan IDP as a Factor.

3a. In Okta, navigate to “Security” > “Multifactor”. Under Factor Types choose “IdP Factor”. Here we activate the factor and select Banyan as the IdP.

3b. Go to the Factor Enrollment tab in the same menu. Choose the default policy for your environment and mark IdP Factor as Required.

3c. Add a rule to your enrollment policy. Under the Access To selection in the rule configuration, specify the applications you plan to protect with Banyan, and mark IdP Factor as Required.


3d. Now navigate to the configuration of the application you wish to protect. In this document we use Dropbox Business as the example. Once there, go to the “Sign On” tab and scroll down to the application's “Sign On Policy”.


3e. Click “Add Rule”. Give the rule a friendly name and configure the People, Location, and Client sections to suit your needs. Under the Access section choose “Prompt for factor” and the time settings that fit your requirements. Click “Save” once complete.


Note: If you would like to protect Okta’s administrator console, browser plugin, or application dock, apply steps 3c and 3d to the built-in application configurations.
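Before testing, it helps to review the settings from steps 1 through 3 in one place. The following is an added example, not Banyan's or Okta's own code: it encodes the page's checks (OIDC type and Factor Only usage with the four scopes, the fallback routing rule ordered first and routing to Okta, IdP Factor marked Required) as a function over a constructed, simplified configuration snapshot. The JSON field names are an assumption for illustration, not the Okta API schema.

```python
import json

# Constructed snapshot of the settings this guide configures (assumed, simplified
# field names; not the real Okta API schema).
SNAPSHOT = json.loads("""
{
  "identity_providers": [
    {"name": "Okta IDP Factor", "type": "OIDC", "usage": "FACTOR_ONLY",
     "scopes": ["openid", "email", "groups", "profile"]}
  ],
  "routing_rules": [
    {"name": "Banyan Fallback", "priority": 1, "idp": "Okta"},
    {"name": "Legacy rule", "priority": 2, "idp": "OtherIdP"}
  ],
  "enrollment_policy": {"idp_factor": "REQUIRED"}
}
""")

REQUIRED_SCOPES = {"openid", "email", "groups", "profile"}  # step 1g


def check_idp_factor_setup(cfg, idp_name="Okta IDP Factor",
                           fallback_rule="Banyan Fallback"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    idp = next((i for i in cfg["identity_providers"] if i["name"] == idp_name), None)
    if idp is None:
        return [f"IdP '{idp_name}' not found (step 1c)"]
    if idp["type"] != "OIDC":
        findings.append("IdP must be an OpenID Connect IdP (step 1f)")
    if idp["usage"] != "FACTOR_ONLY":
        findings.append("IdP Usage must be Factor Only (step 1g)")
    missing = REQUIRED_SCOPES - set(idp["scopes"])
    if missing:
        findings.append(f"missing scopes {sorted(missing)} (step 1g)")
    # Routing rules are evaluated in priority order; the fallback must be first.
    rules = sorted(cfg["routing_rules"], key=lambda r: r["priority"])
    if not rules or rules[0]["name"] != fallback_rule:
        findings.append("fallback routing rule is not ordered first (step 2c)")
    elif rules[0]["idp"] != "Okta":
        findings.append("fallback rule must use Okta as the Identity Provider (step 2b)")
    if cfg["enrollment_policy"].get("idp_factor") != "REQUIRED":
        findings.append("IdP Factor is not marked Required (step 3b)")
    return findings


if __name__ == "__main__":
    print(check_idp_factor_setup(SNAPSHOT) or "all checks passed")
```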


Step 4. Testing Banyan IDP Factor

4a. Open a private browsing window and navigate to your Okta dock login.

4b. Sign in and select the application you protected. In this example we open Dropbox Business.


4c. You should see the following MFA prompt. Click “Verify”.


4d. That’s it, you’re in!