Background
For MSP Partners that have Duo Authentication installed as a 2 Factor Authentication method on their Customer's Systems, integrating with Quickpass Just in Time Accounts (JIT) takes some additional configuration to ensure that the JIT Account created is authorized to work with Okta Authentication.
Prerequisites
- Quickpass Tenant includes QGuard (Administrator and Service Account management)
- Login role Primary or Super has enabled JIT for their team via this KB: https://support.getquickpass.com/hc/en-us/articles/14473398505367-How-to-create-and-use-Just-In-Time-Privileged-accounts
- Okta Authentication installed on the system in question
- Okta Users (technicians) are configured for Push/2 Factor Authentication
Setup CyberQP Just-in-time Account
1. Navigate to your CyberQP Admin Dashboard.
2. Click into the desired Customer, then select the Just-in-time Accounts menu.
3. Click Active JIT Account, then select Active Directory.
4. Note the Username assigned for the JIT account.
5. Proceed with the JIT account creation, if desired.
Complete Okta Configuration
NOTE: The following steps demonstrate implementation on the Microsoft RDP (MFA) Application. If you have multiple Applications to enforce MFA based on different criteria, the following steps will need to be completed per Application.
1. Navigate to your Okta tenant.
2. Click into Applications > Applications > select your active Application that handles MFA for Windows logon sessions (for this example, we will be using Microsoft RDP (MFA)).
3. Click Assignments, and ensure the desired Okta User (technician) is assigned.
4. Click the 'pencil' icon and edit the username to be the same as the CyberQP JIT account username for this specific technician, then Save.
NOTE: If you have multiple Applications to enforce MFA based on different criteria, the above steps will need to be completed per Application
5. Repeat above steps as needed per Okta User (technician) assigned to the Application.
Test Configuration
1. Sign in to a machine with MFA enforced using the CyberQP JIT account.
2. When the username is entered during sign-in, the Okta Application detects that the username of the JIT account matches the username of the Okta User assigned to the Okta Application, and an MFA prompt is displayed on the machine.
NOTE: If the Authentication policies configured in your Okta tenant permit multiple methods of authentication, and the Okta User has multiple methods of Authentication configured (e.g. Google Authenticator, MS Authenticator, Okta Verify), the technician may need to select the drop-down to choose their preferred method of authentication.
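The MFA prompt depends on the Application username matching the JIT username in every MFA Application, so the assignments can be audited before testing sign-in. The Python below is an added example, not CyberQP or Okta code; it assumes assignments exported in the shape of Okta's Application User object and a mapping of Okta user IDs to JIT usernames that you maintain. All IDs, usernames and the second application name are constructed.

```python
# Added example, not CyberQP or Okta code. Records follow Okta's Application
# User object (GET /api/v1/apps/{appId}/users): "id", "credentials.userName".
# All sample values are constructed.

def audit_app(app_label, app_users, jit_by_okta_id):
    """Return (app, okta_user_id, issue) tuples for one MFA application."""
    findings = []
    assigned = {u["id"]: (u.get("credentials") or {}).get("userName", "")
                for u in app_users}
    for okta_id, jit_name in sorted(jit_by_okta_id.items()):
        if okta_id not in assigned:
            findings.append((app_label, okta_id, "not assigned to application"))
        elif assigned[okta_id] != jit_name:
            got = assigned[okta_id]
            # Case-only differences are labelled separately so they are easy to spot.
            kind = "case differs" if got.lower() == jit_name.lower() else "mismatch"
            findings.append((app_label, okta_id,
                             f"{kind}: app username {got!r}, JIT username {jit_name!r}"))
    # Two assignments sharing one app username make the match ambiguous.
    seen = {}
    for okta_id, name in sorted(assigned.items()):
        key = name.lower()
        if key and key in seen:
            findings.append((app_label, okta_id,
                             f"duplicate app username {name!r} (also {seen[key]})"))
        seen.setdefault(key, okta_id)
    return findings

def audit_all(apps, jit_by_okta_id):
    """Audit every MFA application, since the steps are repeated per application."""
    return [f for label, users in apps.items()
            for f in audit_app(label, users, jit_by_okta_id)]

# Constructed sample data: Okta user id -> JIT username noted in CyberQP.
JIT = {"00u1example": "jit-alice", "00u2example": "jit-bob"}
APPS = {
    "Microsoft RDP (MFA)": [
        {"id": "00u1example", "credentials": {"userName": "jit-alice"}},
        {"id": "00u2example", "credentials": {"userName": "bob@example.com"}},
    ],
    "Second MFA app (hypothetical)": [
        {"id": "00u1example", "credentials": {"userName": "JIT-Alice"}},
    ],
}

if __name__ == "__main__":
    for finding in audit_all(APPS, JIT):
        print(*finding, sep=" | ")
```

An empty result means every listed technician is assigned to every Application with the exact JIT username.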