Okta Administration - mobile access

Accessing Okta through the mobile browser can be cumbersome and not completely secure when you also have the MFA factors on the same mobile device.

A better option is to access the admin dashboard through Okta Mobile. Unfortunately it doesn't support any administrative tasks from the app itself, but we can leverage it to create a more secure way of accessing the web version.


Setting up an inbound SAML IdP for administrators

As Okta Org2Org no longer supports inbound SAML back into the same org, we are going to use the standard SAML wizard to build the same mechanism.


Go to the OIN and click the green button to create a new app, then select SAML 2.0.

Give the new app a name, e.g. Okta admin (Mobile).

If you want, add an icon. I recommend using Okta's logo.

Click next

We start with a blank setup; we'll update it later with the URLs we get from the Identity Provider section.

Single sign on URL : https://www.www.com
Check Use this for Recipient URL and Destination URL
Uncheck Allow this app to request other SSO URLs
Audience URI (SP Entity ID): https://www.www.com
Default RelayState: https://[DOMAIN].okta.com/admin/dashboard
Name ID format: Unspecified
Application username: Okta Username
Leave the advanced options as they are; nothing needs to change there.
Attribute and group attribute statements aren't needed.

Click next

In the next screen select: I'm an Okta customer adding an internal app
And check: This is an internal app that we have created

Click finish
You automatically land on the Sign On tab of the newly created SAML app. Click View Setup Instructions.

Now with the setup instructions page opened, go back to the tab of Okta and navigate to:
Security >> Identity Providers : https://[DOMAIN].okta.com/admin/access/identity-providers
Click Add Identity Provider and select Add SAML 2.0 IdP.

Set up the IdP as follows:
Name: Okta admin (mobile)
IdP Username: idpuser.subjectNameId
Filter: Unchecked
Match against: Okta Username
If no match is found: Redirect to Okta sign-in page

Skip the JIT settings.

IdP Issuer URI: copy the URL given in the Identity Provider Issuer section of the setup instructions page.
IdP Single Sign-On URL: copy the URL given in the Identity Provider Single Sign-On URL section of the setup instructions page.
IdP Signature Certificate: download the certificate from the setup instructions page and upload it here.

Click Add Identity Provider.

Now, to finalize the setup, we need to replace the placeholder URLs we put into the fields when we created the SAML app.

While still on the Identity Providers page, the newly created IdP now shows two URLs we can copy over.

Copy the Assertion Consumer Service URL into the SAML app's Single sign on URL field.
Copy the Audience URI into the SAML app's Audience URI (SP Entity ID) field.
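As an added check that is not part of the original guide, the function below compares the SAML app's sign-on settings with the inbound IdP and reports anything left over from the blank setup. The sample objects are constructed for this example; their field names follow the shape of Okta's Apps and Identity Providers API responses but are an assumption here, and the URLs are placeholders rather than a real org.

```python
from urllib.parse import urlparse

# Constructed sample: the SAML app after the placeholder URLs were swapped out.
# Field names (settings.signOn.ssoAcsUrl etc.) are assumed, not taken from a live org.
ORG = "example-org.okta.com"
SAML_APP = {
    "label": "Okta admin (Mobile)",
    "signOnMode": "SAML_2_0",
    "settings": {"signOn": {
        "ssoAcsUrl": "https://example-org.okta.com/sso/saml2/0oaIDPPLACEHOLDER",
        "audience": "https://www.okta.com/saml2/service-provider/spIDPPLACEHOLDER",
        "defaultRelayState": "https://example-org.okta.com/admin/dashboard",
        "allowMultipleAcsEndpoints": False,
    }},
}
# Constructed sample: the inbound SAML 2.0 IdP created in the Security section.
INBOUND_IDP = {
    "name": "Okta admin (mobile)",
    "protocol": {"credentials": {"trust": {
        "audience": "https://www.okta.com/saml2/service-provider/spIDPPLACEHOLDER"}}},
    "_links": {"acs": {"href": "https://example-org.okta.com/sso/saml2/0oaIDPPLACEHOLDER"}},
}

# The dummy URL used in the blank setup above.
PLACEHOLDER = "https://www.www.com"


def check_inbound_saml(app, idp, org=ORG):
    """Return a list of findings; an empty list means app and IdP agree."""
    signon = app["settings"]["signOn"]
    findings = []
    # Step 1 of the finalize: the dummy URLs must be gone.
    if signon["ssoAcsUrl"].startswith(PLACEHOLDER) or signon["audience"].startswith(PLACEHOLDER):
        findings.append("placeholder URL from the blank setup is still in place")
    # The app must post assertions to the IdP's own ACS endpoint...
    if signon["ssoAcsUrl"] != idp["_links"]["acs"]["href"]:
        findings.append("Single sign on URL does not match the IdP's Assertion Consumer Service URL")
    # ...and name the audience the IdP expects, or the assertion is rejected.
    if signon["audience"] != idp["protocol"]["credentials"]["trust"]["audience"]:
        findings.append("Audience URI does not match the IdP's Audience URI")
    # RelayState should land admins on this org's admin dashboard over HTTPS.
    relay = urlparse(signon.get("defaultRelayState", ""))
    if relay.scheme != "https" or relay.netloc != org or relay.path != "/admin/dashboard":
        findings.append("Default RelayState does not point at this org's admin dashboard")
    # "Allow this app to request other SSO URLs" was meant to stay unchecked.
    if signon.get("allowMultipleAcsEndpoints"):
        findings.append("app still allows other SSO URLs")
    return findings
```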

Lastly, I recommend setting up an app-specific MFA rule to make sure access from a mobile device is prompted for extra MFA checks.

If you have the Admin notes (EA) feature turned on, you can add a note for your admins so they know the purpose of this app.


Now assign the app to your Admin group, or individual admins.

These admins will get a notification on their Okta end-user dashboard telling them they have been assigned the app. If they click on it, they will be routed to the admin dashboard.

If they have Okta Mobile set up and search for the app, the app will SSO them into Okta, prompt them for MFA and redirect them to the admin dashboard immediately.

The Okta admin dashboard in the Okta Mobile app isn't responsive at all! The page gets squeezed into the available space and certain buttons overlap or disappear.

But all major administrative tasks are reachable. Rotating the device to landscape gives you more room to show all options.

(Screenshots: portrait mode and landscape mode.)

Some extra tips:
Turn on Multifactor Authentication for Admin to have extra prompts before someone accesses the admin dashboard.
Make PIN codes mandatory on mobile devices.
Turn on Touch ID for iOS devices for extra security.

If you have any questions, don't hesitate to contact us at support@realconnections.nl for more info!