Duo Security’s authentication platform secures access to Okta, extending two-factor protection to web applications launched from an Okta browser session.
You may need to contact Okta Support to have the Duo Multifactor option enabled for your account before you can complete setup.
This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
We recommend enabling Okta's "New Sign-In Page" if you haven't already so your users can take advantage of the interactive Duo Prompt. To turn this feature on:
Navigate to Settings → Appearance as an Okta administrator.
Click the Edit button next to "Sign-in Configuration".
Change the New Sign-In Page option to Enable. Optionally upload a background image, and then click *Save**.
Navigate to Security → Authentication. Click on Duo then click the "Duo Security Settings" Edit button. If you don't see Duo Security listed, contact Okta Support to have it enabled on your account.
Fill out the form with your Duo Okta application information as follows.
|Integration Key||Your integration key (i.e.
|Secret Key||Your secret key|
|API Hostname||Your API hostname (i.e.
|Duo Username Format||Select the name format used to log in to Okta.|
Click the Save button when done.
While still on the "Authentication" settings page, click on Multifactor and click the "Factor Types" Edit button.
Select Duo Security and click Save.
Click the Security menu at the top and go to Policies. Click the Okta Sign-on tab.
You can either add a new rule for Duo Authentication to an existing policy, or create a new policy for Duo and assign it to specific groups. In this example, we'll turn on Duo for all users in the "Default Policy".
Click on the Default Policy, and then click the Add Rule button. Enter a name for your new Duo rule and exclude any users you don't want using Duo when logging in to Okta. Check the Prompt for Factor box to enable secondary authentication and determine whether you want 2FA required "Per Device", "Every Time", or "Per Session". Choose your desired options for the other rule settings and click Create Rule when finished.
The Okta sign-on policy shows your new Duo rule.
Learn more about creating Okta policies or see additional information about configuring Duo authentication in the Okta online help center.
Please contact Okta support if you have any questions about the integration or need assistance configuring your authentication and multifactor settings. Contact Duo Support for assistance with the Duo service.
Okta prompts new, unenrolled Duo users to setup multifactor authentication at the first login to Okta after Duo is enabled. Click the Setup button for Duo Security.
A "Setup Duo Security" window displays the Duo enrollment prompt. Complete Okta's multifactor setup by stepping through Duo enrollment.
When Duo enrollment is completed, users can choose one of the Duo authentication options to access Okta.
If you didn't enable Okta's new sign-in page then users see a different Duo multifactor prompt. This prompt doesn't allow for inline enrollment or device management.