
How To Integrate Okta with HySecure Gateway for Two-Factor Authentication

Okta is a trusted identity platform that provides cloud software to help companies manage and secure user authentication into applications, and that lets developers build identity controls into applications, websites, web services and devices.

Okta provides single sign-on and two-factor authentication in a cloud-managed environment and can be integrated with software that supports LDAP or RADIUS.

This article provides the architecture, flow diagram and a step-by-step guide for integrating an Okta set-up with the HySecure Secure Access gateway.

Pre-requisites

  • Okta AD Agent installed on a member server (recommended by Okta) in the same domain that you want to integrate with. Windows Server 2008 and above only.

    (For our test integration we used OktaADAgentSetup-3.4.13, downloadable from the official Okta website.)

  • The AD Agent installation steps are in the document linked below. Follow the steps as given to integrate your AD with an Okta AD Agent, which in turn is integrated with the Okta Cloud.

    https://help.okta.com/en/prod/Content/Topics/Directory/ad-agent-install.htm

    Ensure port 443 is open and reachable to the Okta Cloud, as the Okta AD Agent communicates with Okta Cloud on port 443.

Architecture Diagram

Control Flow

  1. The user enters the username, AD password and the OTP from the MFA app configured in Okta (e.g. Okta Verify, Google Authenticator) in the HySecure client.

  2. The username, password and OTP are passed on to the HySecure gateway from the HySecure client.

  3. HySecure gateway sends the credentials to the AD configured in the gateway to authenticate the user.

  4. After successful authentication by AD, the username and the entered OTP are sent to the Okta RADIUS server.

  5. The HySecure gateway is configured as the RADIUS client, and the Okta RADIUS Server Agent's machine details are added in it. The Okta RADIUS Server Agent contacts the Okta cloud, which has the AD users imported via the Okta AD Agent. The Okta RADIUS Server Agent acts as a proxy between the RADIUS client configured on the HySecure gateway and the Okta cloud.

  6. The RADIUS app configured in Okta also has the shared secret configured. It authenticates the user and sends back the response.

  7. After this the user is authenticated.

  8. The authorization is done by the AD as configured in the authentication domain in HySecure.

  9. After this, the user successfully logs in to HySecure with 2FA from Okta and can access authorized applications.
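The RADIUS leg of steps 4 to 6, as an added example that is not HySecure's or Okta's code: the gateway builds an Access-Request carrying the username and the OTP in the User-Password attribute, hidden with the shared secret as RFC 2865 specifies, and a stand-in for the Okta RADIUS Server Agent recovers the OTP with its own copy of the secret, checks it (a constructed check replaces the lookup against the Okta cloud) and answers with an Access-Accept or Access-Reject whose Response Authenticator the gateway verifies before trusting the result. The secret, username and OTP are constructed sample values. The mismatched-secret case shows why the secret on both sides must match: the agent cannot recover the OTP, and the gateway discards the reply because its authenticator does not verify.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used in this exchange.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)

# Constructed sample secret; in the real set-up this is the value entered in
# both the Okta RADIUS Server Agent and the HySecure authentication server.
SECRET = b"constructed-shared-secret"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: each 16-byte chunk is XORed with MD5(secret + previous chunk)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator  # the Request Authenticator seeds the chain
    for i in range(0, len(padded), 16):
        chunk = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + chunk, chunk
    return out

def decrypt_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_user_password; trailing padding nulls are stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(username: str, otp: str, secret: bytes, ident: int = 1):
    """Gateway side: User-Name plus the OTP as User-Password. Returns (packet, RequestAuth)."""
    request_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, encrypt_user_password(otp.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs, request_auth

def parse_attributes(packet: bytes) -> dict:
    attrs, pos = {}, HEADER_LEN
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def server_respond(request: bytes, secret: bytes, verify_otp) -> bytes:
    """Stand-in for the Okta RADIUS Server Agent. Response Authenticator =
    MD5(code + id + length + RequestAuth + reply attributes + secret)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:HEADER_LEN]
    attrs = parse_attributes(request[:length])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    otp = decrypt_user_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if verify_otp(user, otp.decode(errors="replace")) else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, HEADER_LEN)  # no reply attributes
    return header + hashlib.md5(header + request_auth + secret).digest()

def verify_response(response: bytes, request_auth: bytes, secret: bytes):
    """Gateway side: returns (authenticator_ok, code); a reply failing the check is discarded."""
    code, _, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(
        response[:4] + request_auth + response[HEADER_LEN:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN]), code

def _otp_ok(user: str, otp: str) -> bool:
    # Constructed stand-in for the agent's check against the Okta cloud.
    return user == "alice" and otp == "123456"

def demo() -> dict:
    results = {}
    req, ra = build_access_request("alice", "123456", SECRET)
    results["correct"] = verify_response(server_respond(req, SECRET, _otp_ok), ra, SECRET)
    results["secret_mismatch"] = verify_response(
        server_respond(req, b"agent-configured-with-other-secret", _otp_ok), ra, SECRET)
    req, ra = build_access_request("alice", "000000", SECRET)
    results["wrong_otp"] = verify_response(server_respond(req, SECRET, _otp_ok), ra, SECRET)
    return results

if __name__ == "__main__":
    for case, (authentic, code) in demo().items():
        print(f"{case:16} authenticator_ok={authentic} code={code}")
```

The gateway only acts on a reply whose Response Authenticator verifies; this is what stops an on-path host from forging an Access-Accept without the shared secret, and it is also why a mismatch between the secret entered in HySecure and the one set in the Okta RADIUS Server Agent produces a failed login rather than a clear error.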

Use of Okta AD Agent

To integrate the Okta cloud with the HySecure gateway, we need the Okta AD Agent (for extending the AD/LDAP database to the Okta cloud) and the Okta RADIUS Server Agent. The Okta AD Agent acts as the proxy between Active Directory and the Okta cloud.

Once the Okta AD Agent is configured, the users and groups from the local AD must be imported into the Okta cloud. This step ensures that all users and groups in the AD are also present in Okta. This sync of the Okta cloud with AD can be scheduled from the Okta admin dashboard daily or hourly as required. This enables users to authenticate with Okta RADIUS, since the RADIUS Server Agent contacts the Okta cloud for user information.

Procedure

  1. Add an MFA authenticator application (e.g. Okta Verify, Google Authenticator).

    We used Okta Verify for our testing.

    Install the app on your phone. Open the app on your mobile device and scan the QR code to register your user with Okta Verify.

  2. Add the RADIUS App from Okta Admin console. Assign it to users.

    Go to the RADIUS App settings. Go to the Sign-on tab.

    Important

    Make sure the check box "Okta performs primary authentication" is unchecked.

  3. Okta RADIUS Server Agent:

    1. Install the Okta RADIUS Server Agent on a Windows Server machine (2008 and above only). Refer to the official Okta documentation for the procedure: https://help.okta.com/en/prod/Content/Topics/Directory/Agent_Installing_the_Okta_Radius_Agent.htm

    2. Set the shared secret and the port number to be used for RADIUS (default 1812).

    3. Ensure port 443 is open and reachable to the Okta Cloud server, as the Okta RADIUS Server Agent contacts Okta Cloud on port 443.

  4. Configure HySecure:

    Assuming the organization's Active Directory / LDAP is already added as an authentication server, follow the steps below:

    1. Log in to HySecure as an SO user to add this server as a RADIUS server in HySecure.

    2. On the HySecure gateway make sure port 1812 is open. It should have internet connectivity.

    3. Add a new authentication server by navigating to Auth Management > Authentication Servers > Add.

      Add the details of the RADIUS server machine. Make sure to set the same shared secret and port number as configured in the Okta RADIUS Server Agent.

    4. Configure the Authentication domain in this way:

      Authentication server: Okta RADIUS server

      Authorization server: AD

      Check "Enable additional authentication with this server". Refer to the figure below:

      In the above screenshot, "Okta radius" is the RADIUS authentication server and support.local is the Active Directory configured in the HySecure gateway.

    5. Create a HySecure domain for Okta. Log in to that organization (HySecure domain/realm).

    6. Log in with your AD username, your AD password and the OTP from the MFA app (Okta Verify).

    7. After this you are logged in, and the authorized user can access desktops/apps.