Introduction
Combining security and user experience sometimes seems to be a challenging endeavour.
In the last few weeks, colleagues and also customers have asked me: "I have now successfully implemented Okta Device Access, where I log on to my end device with a strong factor.
But how can I now offer my end users a nice user experience when they navigate to the Okta End-User Dashboard after a successful and secure login, to access the applications they need for their daily work?"
The term “True Device Single-Sign-On” is often used in this context.
I have given this some thought and would like to briefly outline in this blog post how such a target scenario could be achieved and perhaps also implemented in your environments.
I would like to point out that this is my personal approach and that it may not meet all requirements in other companies.
However, I am convinced that with the current functionalities of Okta Device Access and Okta FastPass, security and user experience can be successfully implemented.
Because…. It’s possible. It’s Okta!
macOS Okta Device Access and FastPass experience
In this blog we start the other way around and look at the possible end result in a short demo.
The user logs in via Okta Device Access Desktop MFA on their macOS device with a Yubikey and then uses Okta FastPass and the corresponding authentication policies to log in seamlessly to the Okta End-User Dashboard and access applications in a secure context.
I have written several blogs about how to configure Okta Device Access Desktop MFA with different MDM vendors; you can find them here.
Enable Okta FastPass
One component of the whole scenario is Okta FastPass, which provides passwordless authentication.
To configure Okta FastPass navigate to Security –> Authenticators in the Okta Admin Console.

In the Setup tab, click Actions –> Edit for Okta Verify.

In the Verification options section, select Okta FastPass (all platforms) and configure whether the Sign in with Okta FastPass button is displayed in the Sign-In Widget.

Enroll Okta FastPass on macOS
Enrolling FastPass is a very simple and easy task, especially if you use Okta Desktop Password Sync for macOS.
Why?
Because as part of the enrollment process, Okta Verify will open, register the device, and enroll in FastPass as part of the streamlined onboarding flow.
You can review how to configure Okta Desktop Password Sync for macOS in my other blog posts, which also include demos:
- Workspace ONE as your MDM solution
- Jamf as your MDM solution
- Kandji as your MDM solution
- Microsoft as your MDM solution
Configure authentication policies
In the next section I would like to briefly explain how I’ve configured the Okta authentication policies to achieve the desired True Device SSO result that is shown in the initial demo in this blog.
Okta Dashboard
In the Okta Admin console, navigate to Security –> Authentication Policies

Open the Okta Dashboard policy

In the Rules section click on Add rule

- Give the rule a name
- *optional* Select a group to which this rule should be applied
- Select Registered as the Device state
- Select your Device management status
- Select Possession Factor
- Only select Phishing Resistant and Hardware protected
- Allow or Disallow specific authentication methods
- Ideally, require this for every sign in
- Save your settings

The new rule has now been successfully created and is enabled.

Application Policy
This is just an example of how an application authentication policy could look in my environment:
- The user must authenticate with, e.g., a possession factor
- Select the type of factor you want to use for the specific application policy
- Every time the user signs in

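To make the two rules above reproducible outside the Admin Console wizard (for a second org, or to catch drift after someone edits them by hand), here is an added example, not the blog's own code and not an Okta tool, that builds the Dashboard rule and the relaxed Application Policy variant as Okta Policy API rule objects and audits an exported rule against the Dashboard bar. The JSON shape follows the access-policy rule format of POST /api/v1/policies/{policyId}/rules as I understand it from the Okta API reference (an assumption to confirm against the current reference); the group ID and rule names are constructed placeholders, and nothing is sent over the network.

```python
"""Build the post's authentication-policy rules as Okta Policy API rule objects
and audit an exported rule against the Dashboard bar.

Example code added to this post, not Okta's tooling.  Assumption: the JSON
shape is the Okta access-policy rule format (POST /api/v1/policies/{id}/rules);
group IDs and names are constructed placeholders; nothing is sent.
"""
import json

REQUIRED = "REQUIRED"


def build_rule(name, group_id=None, require_managed=True,
               phishing_resistant=True, hardware_protected=True,
               reauthenticate_in="PT0S"):
    """Return a rule body mirroring the wizard choices in the post.

    Device state Registered (+ management status) -> conditions.device
    optional group                                -> conditions.people
    Possession factor                             -> factorMode "1FA" with a
                                                     possession constraint
    Phishing Resistant / Hardware protected       -> constraint flags
    "every sign in"                               -> reauthenticateIn "PT0S"
                                                     (ISO 8601 zero duration)
    The Application Policy variant is the same body with the two constraint
    flags relaxed via the keyword arguments.
    """
    conditions = {"device": {"registered": True, "managed": require_managed},
                  "network": {"connection": "ANYWHERE"}}
    if group_id:
        conditions["people"] = {"groups": {"include": [group_id]}}
    possession = {}
    if phishing_resistant:
        possession["phishingResistant"] = REQUIRED
    if hardware_protected:
        possession["hardwareProtected"] = REQUIRED
    verification = {"type": "ASSURANCE", "factorMode": "1FA",
                    "reauthenticateIn": reauthenticate_in,
                    "constraints": [{"possession": possession}]}
    return {"name": name, "type": "ACCESS_POLICY", "status": "ACTIVE",
            "conditions": conditions,
            "actions": {"appSignOn": {"access": "ALLOW",
                                      "verificationMethod": verification}}}


def audit_rule(rule):
    """Return the ways an ALLOW rule falls short of the post's Dashboard bar.

    An empty list means it matches.  Feed it the JSON of a rule exported from
    the org to spot drift after a manual edit in the Admin Console.
    """
    if rule.get("type") != "ACCESS_POLICY":
        return ["not an access-policy rule"]
    findings = []
    if not rule.get("conditions", {}).get("device", {}).get("registered"):
        findings.append("device state is not restricted to Registered")
    vm = rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})
    if vm.get("reauthenticateIn") != "PT0S":
        findings.append(f"re-authentication is {vm.get('reauthenticateIn')!r}, "
                        "not every sign in")
    possession = [c.get("possession", {}) for c in vm.get("constraints", [])]
    if not possession:
        findings.append("no possession constraint at all")
    for flag in ("phishingResistant", "hardwareProtected"):
        if not all(p.get(flag) == REQUIRED for p in possession):
            findings.append(f"{flag} is not REQUIRED")
    return findings


if __name__ == "__main__":
    dashboard = build_rule("Dashboard - FastPass only", group_id="00gCONSTRUCTED")
    print(json.dumps(dashboard, indent=2))
    print("audit:", audit_rule(dashboard) or "OK")
```

The audit deliberately treats a possession constraint without both flags as a finding: "Possession factor" alone would also be satisfied by a pushed OTP, which is exactly the class of method the Dashboard rule is meant to exclude.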
Additional configurations on macOS Devices
To get the best possible user experience, I recommend the following configuration on macOS devices.
Configure SSO extension for managed macOS devices
On managed devices, the most secure and seamless way to authenticate on Safari and in-app browsers is with Apple’s SSO extension. The SSO extension hides the Open Okta Verify browser prompt, and introduces phishing resistance properties to the authentication flow.
You can use this template: replace YOUR_OKTA_URL with your Okta org domain, save it as a .mobileconfig file and deploy it to your macOS devices.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>ExtensionIdentifier</key>
            <string>com.okta.mobile.auth-service-extension</string>
            <key>Hosts</key>
            <array>
                <!-- Your Okta org hostname only (no scheme or path) -->
                <string>YOUR_OKTA_URL</string>
            </array>
            <key>PayloadDisplayName</key>
            <string>Single Sign-On Extensions #1</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.extensiblesso.E904C294-084C-4EC8-8E53-0B15B05ECFF1</string>
            <key>PayloadType</key>
            <string>com.apple.extensiblesso</string>
            <key>PayloadUUID</key>
            <string>E904C294-084C-4EC8-8E53-0B15B05ECFF1</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Realm</key>
            <string>Okta Device</string>
            <key>TeamIdentifier</key>
            <string>B7F62B65BN</string>
            <key>Type</key>
            <string>Credential</string>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>SSO_Extension</string>
    <key>PayloadIdentifier</key>
    <string>TEMPLATE.64060CB2-F03C-4EC4-8E58-5AB9D011397E</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>CCCFE76B-5BE6-4469-9FF0-20F9FE902372</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
Configure auto-launch Okta Verify on macOS devices
In Chrome Browsers, users can authenticate silently with Okta FastPass only if Okta Verify is running. Otherwise, users receive the Sign in with Okta FastPass prompt which launches Okta Verify. To simplify the user experience, you can set Okta Verify as a Login Item through the Apple MDM payload.
You can use this template: save it as a .mobileconfig file and deploy it to your macOS devices.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AutoLaunchedApplicationDictionary-managed</key>
            <array>
                <dict>
                    <key>AuthenticateAsLoginUserShortName</key>
                    <false/>
                    <key>Hide</key>
                    <false/>
                    <key>Path</key>
                    <string>/Applications/Okta Verify.app</string>
                </dict>
            </array>
            <key>PayloadDisplayName</key>
            <string>Login Items</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.loginitems.managed.1BCCF4C0-1329-41FE-BE6E-414271F2FE1C</string>
            <key>PayloadType</key>
            <string>com.apple.loginitems.managed</string>
            <key>PayloadUUID</key>
            <string>1BCCF4C0-1329-41FE-BE6E-414271F2FE1C</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>OV_Auto_Launch</string>
    <key>PayloadIdentifier</key>
    <string>SAMPLE.0AFCB7B2-4F02-4967-886E-361260BFED01</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>92B1DD97-7D9D-4F12-9E56-4644CE991102</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
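Both templates above are easy to break quietly: a placeholder left in Hosts, a full URL instead of a hostname, or a payload UUID copied twice produces a profile that installs fine and simply never engages the extension. The following added example, which is neither the blog's nor Okta's nor Apple's tooling, generates fresh copies of the SSO extension profile and the Login Items profile from the Python standard library (plistlib, uuid, re) and lints any .mobileconfig against the checks that matter for these two payloads. The payload keys, Okta extension identifier, Team ID and app path are taken from the templates; the function names, the check list and the values "acme.okta.com" and "com.example.mdm" are constructed for the example.

```python
"""Generate and lint the two macOS profiles from this post: Extensible SSO for
Okta Verify, and the managed Login Item that auto-launches Okta Verify.

Example code added to this post (not Okta's or Apple's tooling); standard
library only.  Keys, extension identifier, Team ID and app path come from the
templates above; names and the sample hostname/prefix are constructed.
"""
import plistlib
import re
import uuid

OKTA_SSO_EXTENSION = "com.okta.mobile.auth-service-extension"  # from the template
OKTA_TEAM_ID = "B7F62B65BN"                                    # from the template
OKTA_VERIFY_PATH = "/Applications/Okta Verify.app"             # from the template
# Bare DNS name: labels of [a-z0-9-], at least one dot, no scheme, port or path.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]+$")


def _profile(payloads, display_name, org_prefix):
    """Wrap payload dicts in the top-level 'Configuration' envelope."""
    top = str(uuid.uuid4()).upper()
    return {"PayloadContent": payloads, "PayloadDisplayName": display_name,
            "PayloadIdentifier": f"{org_prefix}.{top}", "PayloadType": "Configuration",
            "PayloadUUID": top, "PayloadVersion": 1}


def build_sso_profile(okta_host, org_prefix="com.example.mdm"):
    """Return the Extensible SSO profile as .mobileconfig bytes.

    okta_host must be the bare org hostname.  A scheme, a path or the
    YOUR_OKTA_URL placeholder is rejected up front, because macOS does not
    complain about a wrong Hosts entry; the extension just never engages.
    """
    if not HOSTNAME_RE.match(okta_host.lower()):
        raise ValueError(f"Hosts needs a bare hostname, got {okta_host!r}")
    pid = str(uuid.uuid4()).upper()
    payload = {"ExtensionIdentifier": OKTA_SSO_EXTENSION, "Hosts": [okta_host],
               "PayloadDisplayName": "Single Sign-On Extensions #1",
               "PayloadIdentifier": f"com.apple.extensiblesso.{pid}",
               "PayloadType": "com.apple.extensiblesso", "PayloadUUID": pid,
               "PayloadVersion": 1, "Realm": "Okta Device",
               "TeamIdentifier": OKTA_TEAM_ID, "Type": "Credential"}
    return plistlib.dumps(_profile([payload], "SSO_Extension", org_prefix))


def build_login_item_profile(org_prefix="com.example.mdm"):
    """Return the managed Login Items profile that starts Okta Verify at login."""
    pid = str(uuid.uuid4()).upper()
    payload = {"AutoLaunchedApplicationDictionary-managed": [
                   {"AuthenticateAsLoginUserShortName": False, "Hide": False,
                    "Path": OKTA_VERIFY_PATH}],
               "PayloadDisplayName": "Login Items",
               "PayloadIdentifier": f"com.apple.loginitems.managed.{pid}",
               "PayloadType": "com.apple.loginitems.managed", "PayloadUUID": pid,
               "PayloadVersion": 1}
    return plistlib.dumps(_profile([payload], "OV_Auto_Launch", org_prefix))


def lint_profile(mobileconfig):
    """Parse a .mobileconfig and return a list of problems (empty means OK).

    Covers the mistakes that most often break these profiles: placeholder or
    URL in Hosts, a foreign extension/Team ID, duplicate UUIDs, wrong app path.
    """
    try:
        profile = plistlib.loads(mobileconfig)
    except Exception as exc:  # malformed XML or plist
        return [f"not a valid plist: {exc}"]
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    seen = {profile.get("PayloadUUID")}
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadUUID") in seen:
            problems.append(f"duplicate PayloadUUID {p.get('PayloadUUID')}")
        seen.add(p.get("PayloadUUID"))
        ptype = p.get("PayloadType")
        if ptype == "com.apple.extensiblesso":
            for host in p.get("Hosts", []):
                if not HOSTNAME_RE.match(host.lower()):
                    problems.append(f"Hosts entry {host!r} is not a bare hostname")
            if p.get("ExtensionIdentifier") != OKTA_SSO_EXTENSION:
                problems.append("ExtensionIdentifier is not the Okta Verify extension")
            if p.get("TeamIdentifier") != OKTA_TEAM_ID:
                problems.append("TeamIdentifier is not Okta's Team ID")
            if p.get("Type") != "Credential":
                problems.append("Type must be Credential for this extension")
        elif ptype == "com.apple.loginitems.managed":
            items = p.get("AutoLaunchedApplicationDictionary-managed", [])
            if OKTA_VERIFY_PATH not in [i.get("Path") for i in items]:
                problems.append("Okta Verify is missing from the managed login items")
        else:
            problems.append(f"unexpected PayloadType {ptype!r}")
    return problems
```

Running `lint_profile` over the profiles your MDM actually serves (exported from the console, or pulled from a test Mac) is the quickest way to confirm the template was edited correctly before it reaches a whole fleet; `build_sso_profile` refuses the most common slip, pasting the org URL with its https:// scheme into Hosts.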
Windows Okta Device Access and FastPass experience
On the Windows side of the house, the experience could look like the following.
The user logs in passwordless via Okta Device Access Desktop MFA on the Windows device and then uses Okta FastPass and the corresponding authentication policies to log in seamlessly to the Okta End-User Dashboard and access applications in a secure context.
On the topic of Desktop MFA, I have also written several blogs about how to configure Okta Device Access Desktop MFA with different MDM vendors; you can find them here.
Enroll Okta FastPass on Windows
Enrolling Okta FastPass on Windows is also a very simple and easy task; I’ve prepared a short demo here.
Skip the Open Okta Verify prompt
Users of Google Chrome and Microsoft Edge might encounter a prompt labeled “Open Okta Verify?” when attempting to access an application secured by a policy permitting passwordless login via Okta Verify.

To streamline this process, you can activate the ExternalProtocolDialogShowAlwaysOpenCheckbox policy on both Chrome and Edge browsers. This policy determines if the “Always open” checkbox is displayed in the external protocol dialog, enabling users to bypass future confirmation prompts.
For Chrome: Refer to the Google ExternalProtocolDialogShowAlwaysOpenCheckbox policy.
For Microsoft Edge: Refer to the Microsoft ExternalProtocolDialogShowAlwaysOpenCheckbox policy.
Now have fun configuring and testing this approach 🙂
