Documentation

Okta Multifactor Authentication

Suggest Edits

Using Okta MFA for Opal logins

For logins, you must do 3 things:

  1. Setup Okta as your SAML provider. For instructions, see here.
  2. In Okta, configure your Opal SAML app to require MFA for login.
  3. In Opal, ensure that the Require Opal MFA for logins setting is off.
1592

Using Okta MFA for Opal actions: requesting, approving, connecting [Legacy]

🚧

This MFA option only supports the following MFA factors:

  • Okta Verify TOTP
  • Okta Verify Push

If you'd like to use WebAuthn (Yubikey, TouchID) in addition to Okta Verify, follow the instructions to use an OIDC Provider: https://docs.opal.dev/docs/oidc-provider-setup-for-opal-actions

Note: The Okta API token requires Group Administrator permission at the minimum.

First, go to the resource(s) you want to require MFA for. Then, under Overview > MFA Information, turn on the desired setting:

884

Then, in your organization's settings, then turn on the following setting in the Authentication section:

960

Requirements for Okta Verify Push

When a push notification is sent to the Okta Verify app, the location associated with the user agent is included to prevent phishing. Here is an example:

750

Opal's IP ranges must be added to the allowlist in your org's network security settings as a trusted proxy to forward the user agent's original IP address with the X-Forwarded-For HTTP header.

Note: If running Opal self-hosted, please use the public IP ranges for your infrastructure.

Navigate to the Admin section in Okta:

  • Under Security, click Networks.
  • Edit the allowlist IP zone.
  • Add the IP ranges under Trusted proxy IPs, like so:
1718

Updated about 1 year ago