topic Authentication policy in APIs

Authentication policy

avs1 — Tue, 04 Oct 2016 22:02:52 GMT

I was troubleshooting user authentication for Okta, which integrates with Duo via API.
There some reason authentication via API falls under “Other Operating Systems” in Authentication Policy?
Why would this be the case?

Re: Authentication policy

DuoKristina — Wed, 05 Oct 2016 14:52:52 GMT

We can only effectively determine the client operating system when the interactive Duo prompt displays in the browser. You can turn this on for Okta by enabling the new sign-in page.

In the Okta admin console, go to Settings > Appearance
Edit the Sign-In Configuration and enable the “New Sign-In Page” option

With this option on, the Duo interactive prompt will show up instead of Okta’s API buttons.

Re: Authentication policy

avs1 — Wed, 05 Oct 2016 20:22:50 GMT

We don’t allow self-enrollment for the users as per our security requirements.

Re: Authentication policy

DuoKristina — Wed, 05 Oct 2016 20:26:51 GMT

That’s fine, self-enrollment isn’t required for your already enrolled users to utilize the Duo browser-based authentication prompt. Just make sure that your new user policy denies access to unenrolled users and that you haven’t enabled the self-service portal for your Okta application in the Duo Admin Panel.

Re: Authentication policy

avs1 — Wed, 05 Oct 2016 20:30:00 GMT

Are you saying “other” OS is not required to be enabled under authentication policy for Okta application within Duo?

Re: Authentication policy

DuoKristina — Wed, 05 Oct 2016 21:05:53 GMT

If an application is able to display the Duo web-based authentication prompt then we can usually determine the operating system (Windows, MacOS, etc.). If your use case is that access to Okta only comes from one of the operating systems we recognize, then no, you would not need to permit access to “other” operating systems.

Example:

Okta is configured to show the Duo web prompt
The Operating Systems policy is configured to allow all versions of Windows and Android only

User A, on a Mac, is denied access entirely.
User B, on a Windows PC but with Duo Mobile activated on an iPhone, can see the Duo prompt but cannot approve a push auth request sent to the iPhone.
User C, on Ubuntu Linux, is denied access entirely.
User D, on a Windows PC and with Duo Mobile activated on a Samsung Galaxy, is allowed access.

Learn more about the Operating Systems policy in our online Policy documentation.

Re: Authentication policy

avs1 — Wed, 05 Oct 2016 21:27:08 GMT

The integration with Okta is API based, technically users login into Okta so Duo does not have any visibility to which OS users are using: https://duo.com/docs/okta
As far as I understand it Duo sees API call from Okta and from the Authentication policy perspective “other” has to be enabled to authenticate users from Okta as there is no specific check within Authentication Policy referencing API calls. In duo log it was showing authentication rejected based on platform. The authentication was only successfully after the option for “other” OS was enabled.It is not stated as the prerequisite for Okta integration with Duo. Otherwise it does sound like a bug on Duo side.

Re: Authentication policy

DuoKristina — Thu, 06 Oct 2016 13:12:13 GMT

If you scroll up to earlier responses in this thread you’ll see instructions for enabling the web based Duo prompt in Okta (the “New Sign-In Page” option) and also a screenshot of the Okta login experience with the Duo web prompt.