10-04-2016 03:02 PM
I was troubleshooting user authentication for Okta, which integrates with Duo via API.
Is there some reason authentication via API falls under “Other Operating Systems” in Authentication Policy?
Why would this be the case?
10-05-2016 07:52 AM
We can only effectively determine the client operating system when the interactive Duo prompt displays in the browser. You can turn this on for Okta by enabling the new sign-in page.
With this option on, the Duo interactive prompt will show up instead of Okta’s API buttons.
10-05-2016 01:22 PM
We don’t allow self-enrollment for the users as per our security requirements.
10-05-2016 01:26 PM
That’s fine, self-enrollment isn’t required for your already enrolled users to utilize the Duo browser-based authentication prompt. Just make sure that your new user policy denies access to unenrolled users and that you haven’t enabled the self-service portal for your Okta application in the Duo Admin Panel.
10-05-2016 01:30 PM
Are you saying “other” OS is not required to be enabled under authentication policy for Okta application within Duo?
10-05-2016 02:05 PM
If an application is able to display the Duo web-based authentication prompt then we can usually determine the operating system (Windows, MacOS, etc.). If your use case is that access to Okta only comes from one of the operating systems we recognize, then no, you would not need to permit access to “other” operating systems.
Example:
User A, on a Mac, is denied access entirely.
User B, on a Windows PC but with Duo Mobile activated on an iPhone, can see the Duo prompt but cannot approve a push auth request sent to the iPhone.
User C, on Ubuntu Linux, is denied access entirely.
User D, on a Windows PC and with Duo Mobile activated on a Samsung Galaxy, is allowed access.
Learn more about the Operating Systems policy in our online Policy documentation.
10-05-2016 02:27 PM
The integration with Okta is API based; technically users log in to Okta, so Duo does not have any visibility into which OS users are using: https://duo.com/docs/okta
As far as I understand it, Duo sees an API call from Okta, and from the Authentication Policy perspective “other” has to be enabled to authenticate users from Okta, as there is no specific check within Authentication Policy referencing API calls. In the Duo log it was showing authentication rejected based on platform. The authentication was only successful after the option for “other” OS was enabled. It is not stated as a prerequisite for Okta integration with Duo. Otherwise it does sound like a bug on Duo's side.
10-06-2016 06:12 AM
If you scroll up to earlier responses in this thread, you’ll see instructions for enabling the web-based Duo prompt in Okta (the “New Sign-In Page” option) and also a screenshot of the Okta login experience with the Duo web prompt.