Accessing Okta through the mobile browser is cumbersome and not completely secure when the MFA factors live on the same mobile device you are signing in from.
It would be better to access the admin dashboard through Okta Mobile; unfortunately the app does not support any administrative tasks itself, but we can leverage it to create a more secure way of reaching the web version.
Setting up an inbound SAML IdP for administrators
As Okta Org2Org no longer supports inbound SAML back into the same org, we use the standard SAML wizard to build the same mechanism: a SAML app in the org that acts as the IdP for a SAML identity provider configured in that same org.
Go to the OIN, click the green button to create a new app, and select SAML 2.0.
Give the new app a name, e.g. Okta admin (Mobile).
If you want, add an icon; I recommend using Okta's logo.
Click Next.
We start with a blank setup; we'll update it later with the URLs we get from the Identity Provider section.
Single sign on URL : https://www.www.com
Check Use this for Recipient URL and Destination URL
Uncheck Allow this app to request other SSO URLs
Audience URI (SP Entity ID): https://www.www.com
Default RelayState: https://[DOMAIN].okta.com/admin/dashboard
Name ID format: Unspecified
Application username: Okta Username
Leave the advanced options as they are; nothing needs to change there.
Attribute and group attribute statements aren't needed.
Click Next.
In the next screen select I'm an Okta customer adding an internal app
and check This is an internal app that we have created.
Click Finish.
You automatically land on the Sign On tab of the newly created SAML app. Click View Setup Instructions.
Now with the setup instructions page opened, go back to the tab of Okta and navigate to:
Security >> Identity Providers : https://[DOMAIN].okta.com/admin/access/identity-providers
Click Add Identity Provider and select Add SAML 2.0 IdP.
Set up the IdP as follows:
Name: Okta admin (mobile)
IdP Username: idpuser.subjectNameId
Filter: Unchecked
Match against: Okta Username
If no match is found: Redirect to Okta sign-in page
Skip JIT settings
IdP Issuer URI: copy the URL given in the Identity Provider Issuer section of the setup instructions page.
IdP Single Sign-On URL: copy the URL given in the Identity Provider Single Sign-On URL section of the setup instructions page.
IdP Signature Certificate: download the certificate from the setup instructions page and upload it here.
Click Add Identity Provider
Now, to finalize the setup, we need to swap out the placeholder URLs we put into the fields when we created the SAML app.
While still on the Identity Providers page, the newly created IdP now shows two URLs we can copy over:
Copy the Assertion Consumer Service URL into the Single sign on URL field of the SAML app.
Copy the Audience URI into the Audience URI (SP Entity ID) field of the SAML app.
Lastly, I recommend setting up an app-specific MFA rule so that access from a mobile device is prompted with extra MFA checks.
If you have the Admin notes (EA) feature turned on, you can add a note for your admins so they know the purpose of this app.
Now assign the app to your Admin group, or to individual admins.
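Because the wizard starts with placeholder URLs that are only corrected at the very end, it is easy to leave the SAML app and the IdP half-wired. The script below is an added example (not part of this post or of Okta's tooling) that checks the wiring offline on constructed JSON shaped like the Okta Management API responses for the app and the IdP; the field names, the ACS URL pattern and the org domain example.okta.com are assumptions, so adapt them to what your org actually returns.

```python
import json

PLACEHOLDER = "https://www.www.com"  # dummy value used while creating the SAML app

# Constructed samples shaped like Okta Management API responses for the app
# (GET /api/v1/apps/{appId}) and the IdP (GET /api/v1/idps/{idpId}). The field
# names and the ACS URL pattern are assumptions; adapt them to your org's output.
APP_AFTER_FIX = json.loads("""{
  "label": "Okta admin (Mobile)", "signOnMode": "SAML_2_0",
  "settings": {"signOn": {
    "ssoAcsUrl": "https://example.okta.com/sso/saml2/0oaEXAMPLEIDP",
    "audience": "https://www.okta.com/saml2/service-provider/spEXAMPLE",
    "defaultRelayState": "https://example.okta.com/admin/dashboard"}}
}""")
# The same app as it looks right after the wizard, before the URLs were swapped.
APP_BEFORE_FIX = json.loads(json.dumps(APP_AFTER_FIX))
APP_BEFORE_FIX["settings"]["signOn"].update(ssoAcsUrl=PLACEHOLDER, audience=PLACEHOLDER)

IDP = json.loads("""{
  "id": "0oaEXAMPLEIDP", "name": "Okta admin (mobile)", "type": "SAML2",
  "protocol": {"endpoints": {"sso": {"url":
      "https://example.okta.com/app/example_oktaadminmobile_1/exkEXAMPLE/sso/saml"}}},
  "policy": {"subject": {"userNameTemplate": {"template": "idpuser.subjectNameId"},
                         "matchType": "USERNAME"},
             "provisioning": {"action": "DISABLED"}}
}""")


def check_loopback_saml(app: dict, idp: dict, org_domain: str) -> list:
    """Return the problems found; an empty list means the loopback wiring is consistent."""
    sign_on = app["settings"]["signOn"]
    acs, aud = sign_on.get("ssoAcsUrl", ""), sign_on.get("audience", "")
    problems = []
    # The placeholder URLs from the initial wizard run must have been swapped out.
    for field, value in (("Single sign on URL", acs), ("Audience URI", aud)):
        if value == PLACEHOLDER:
            problems.append(f"{field} still holds the placeholder {PLACEHOLDER}")
    # The app must post assertions to this org's ACS endpoint for this exact IdP.
    expected_acs = f"https://{org_domain}/sso/saml2/{idp['id']}"
    if acs != expected_acs:
        problems.append(f"ACS URL {acs!r} is not the IdP's endpoint {expected_acs!r}")
    # RelayState decides where the admin lands after SSO: it must be our own dashboard.
    if sign_on.get("defaultRelayState") != f"https://{org_domain}/admin/dashboard":
        problems.append("Default RelayState is not this org's admin dashboard")
    # The IdP must point back into this org, and unknown subjects must not be JIT-created.
    if not idp["protocol"]["endpoints"]["sso"]["url"].startswith(f"https://{org_domain}/app/"):
        problems.append("IdP Single Sign-On URL does not point at this org's SAML app")
    if idp["policy"]["provisioning"]["action"] != "DISABLED":
        problems.append("JIT provisioning is enabled on the IdP; the setup skips JIT")
    return problems
```

Run it against the live API output of both objects after each change to the app or IdP; anything it reports means the loop is open on one side and the admin will either be bounced to the sign-in page or land on the wrong URL.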
These admins will get a notification on their Okta end-user dashboard telling them they have been assigned to the app. If they click on it, they are routed to the admin dashboard.
If they have Okta Mobile set up and search for the app, the app will SSO them into Okta, prompt them for MFA and redirect them to the admin dashboard immediately.
The Okta admin dashboard in the Okta Mobile app isn't responsive at all: the page gets squeezed into the available space and certain buttons overlap or disappear.
But all major administrative tasks are reachable. Rotating the device to landscape gives more room to show all options.
[Screenshots: Portrait mode / Landscape mode]
Some extra tips:
Turn on Multifactor Authentication for Admin to get extra prompts before someone accesses the admin dashboard.
Make passcodes mandatory on mobile devices.
Turn on Touch ID on iOS devices for extra security.
If you have any questions, don't hesitate to contact us at support@realconnections.nl for more info!