Okta MFA status

Additional steps may be needed to fully gather enrolled MFA factors for Okta identities

If your Okta multi-factor enrollment policies deny traffic from Veza's Cloud IP Addresses the ability to use a factor, Veza will not be able to detect user enrollment in that factor. As a result, the "MFA Active" property for Okta users will be "False," even if factors are enabled for the user. To prevent this, you can:

  • Configure an Okta Network Zone that allows optional MFA factors

  • Use an Insight Point to connect to Okta from an IP address internal to your data center that does not have these restrictions

See below for more details and steps to enable:

Background

Okta MFA enrollment policies not only set enrollment but also define factor usage. MFA enrollment policies are evaluated from the highest priority to the lowest priority, first at the policy level (filtered by groups) and then at the rule level (filtered by Network Zones and App Condition).

This means that if no rule in a policy fits the incoming request, Okta checks the next policy that applies to the user until it finds one (the Default Policy applies to everyone and the Default Rule applies everywhere).

Resolution

There are two options to allow Veza to fully collect MFA enrollment.

  1. Configure a Network Zone specifically for Veza's IP Addresses, allow the factors as Optional at the policy level, and deny enrollment at the policy rule level:

    • Create an Okta Group to control scope during deployment.

    • Configure Network IP Zones for Veza's Cloud IP Addresses under Gateway IPs.

    • Create a Veza MFA Enrollment Policy.

      • For Assigned Groups, enter the group created in the first step.

      • Set all authenticators to Optional (Okta Identity Engine requires at least one authenticator to be Required).

      • Create a Veza Policy Rule:

        1. IF User's IP is "in zone" (Add the Zone for Veza's Cloud IP Addresses)

        2. AND User is accessing "Okta"

        3. THEN Enrollment is "Allowed if required authenticators are missing".

    • Test the configuration by adding users to the group.

      • Veza should see all enrolled factors, and the user experience should not be affected.

      • After testing, remove the assigned group from the policy and apply the "Everyone" group instead.

  2. Have Veza traffic to Okta run through an Insight Point installed in your data center. This assumes your data center IP Addresses do not have the same restrictions as Veza's Cloud IP Addresses.
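As an added example (not code from Veza or Okta), the following Python models the policy-then-rule evaluation order described under Background and checks that the Veza-scoped policy from option 1 is the one reached for a request from the Veza network zone, while requests from other zones or from users outside the group fall through to the default policy. The group, zone, and rule names and the default rule's action are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of Okta MFA enrollment policy evaluation (added example).
@dataclass
class Rule:
    name: str
    zones: Optional[set]    # None means "anywhere" (the Default Rule)
    apps: Optional[set]     # None means any app
    enrollment: str         # the rule's THEN action

    def matches(self, zone: str, app: str) -> bool:
        return (self.zones is None or zone in self.zones) and \
               (self.apps is None or app in self.apps)

@dataclass
class Policy:
    name: str
    groups: Optional[set]   # None means "Everyone" (the Default Policy)
    rules: list = field(default_factory=list)

    def applies_to(self, user_groups: set) -> bool:
        return self.groups is None or bool(self.groups & user_groups)

def evaluate(policies, user_groups, zone, app):
    """Policies are listed highest priority first. Return (policy, rule, action)
    for the first policy that applies to the user and has a rule matching the
    request; a policy with no matching rule is skipped, as Okta does."""
    for policy in policies:
        if not policy.applies_to(user_groups):
            continue
        for rule in policy.rules:
            if rule.matches(zone, app):
                return policy.name, rule.name, rule.enrollment
    raise LookupError("no policy matched; Okta always falls back to the default")

# Constructed policy set mirroring Resolution option 1 (names are placeholders).
VEZA_POLICY = Policy("Veza MFA Enrollment", {"Veza Collectors"}, [
    Rule("Veza Rule", {"Veza Cloud IPs"}, {"Okta"}, "allowed-if-required-missing"),
])
DEFAULT_POLICY = Policy("Default Policy", None, [
    Rule("Default Rule", None, None, "denied"),   # constructed default action
])
POLICIES = [VEZA_POLICY, DEFAULT_POLICY]

if __name__ == "__main__":
    print(evaluate(POLICIES, {"Veza Collectors"}, "Veza Cloud IPs", "Okta"))
    print(evaluate(POLICIES, {"Veza Collectors"}, "Corporate Office", "Okta"))
    print(evaluate(POLICIES, {"Engineering"}, "Veza Cloud IPs", "Okta"))
```

Moving `VEZA_POLICY` below `DEFAULT_POLICY` in the list shows why priority matters: the default policy then matches first and the Veza rule is never reached.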
