Symantec VIP (MFA)

Symantec Validation and ID Protection Service (VIP) is a cloud-based authentication service that enables secure access to networks and applications.

To enable this authenticator, you first obtain a certificate from the Symantec VIP Manager and then upload it to Okta. When Symantec VIP is enabled, Symantec VIP-registered users who select it when authenticating are prompted to enter a time-based passcode generated by the Symantec VIP app.

Before you begin

Gather and record the following information before you enable this authenticator or update the certificate:

  • An admin account in Symantec VIP Manager.
  • A certificate from Symantec VIP Manager (must be in PKCS#12 file format).
  • The password you entered when you obtained the certificate.

Enable Symantec VIP as an MFA factor

  1. In the Admin Console, go to Security > Multifactor.

  2. On the Factor Types tab, click Symantec VIP.
  3. Click Browse to select the certificate that you obtained from Symantec VIP Manager.
  4. Enter the password that you used when you obtained the certificate from Symantec VIP Manager.
  5. Click Upload Certificate.
  6. Click Inactive in the upper right and then select Activate.

Replace the Symantec VIP certificate through the Okta Admin Console

Perform these steps if you need to replace the certificate for any reason, such as before it expires. Certificates are typically valid for two years. The expiration date is shown in Certificate details in the Factor Types tab.

  1. Obtain a new certificate from Symantec VIP Manager.
  2. In the Admin Console, go to Security > Multifactor.

  3. On the Factor Types tab, click Symantec VIP and then click Edit.
  4. Click Browse to select the certificate that you obtained from Symantec VIP Manager.
  5. Enter the password that you used when you obtained the certificate from Symantec VIP Manager.

  6. Click Upload Certificate.
  7. Click Inactive in the upper right and then select Activate.
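
Before uploading a new or replacement certificate, you can confirm locally that the file is PKCS#12, that the recorded password opens it, and how long it remains valid. The script below is an added example, not part of the Okta or Symantec documentation; it assumes OpenSSL is installed, and the function name, the P12_PASS variable, the file name, and the 30-day threshold are hypothetical choices.

```bash
#!/usr/bin/env bash
# Added example: pre-upload check of a VIP Manager PKCS#12 certificate.
# Usage (file name is a placeholder):
#   P12_PASS='<certificate password>' ./check_vip_p12.sh vip_cert.p12 30
#
# The password is read from the P12_PASS environment variable so that it
# does not appear in the process list or on the command line.
#
# Return codes: 0 = usable, 1 = cannot open file, 2 = expires too soon.
check_vip_p12() {
    local p12="$1" min_days="${2:-30}" cert

    # Extract only the client certificate. -nokeys ensures the private key
    # is never decrypted to stdout or written to disk.
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS \
               -clcerts -nokeys 2>/dev/null) || cert=""

    case "$cert" in
        *"BEGIN CERTIFICATE"*) ;;
        *)
            echo "FAIL: cannot read $p12 (wrong password or not PKCS#12)" >&2
            return 1
            ;;
    esac

    # Show who the certificate was issued to and when it expires.
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! printf '%s\n' "$cert" |
            openssl x509 -noout -checkend "$((min_days * 86400))" >/dev/null; then
        echo "WARN: expires within $min_days days; obtain a replacement" >&2
        return 2
    fi

    echo "OK: valid for more than $min_days days"
}

# Run the check only when the script is given a file argument.
if [ "$#" -gt 0 ]; then
    check_vip_p12 "$@"
fi
```

On OpenSSL 3.x, a PKCS#12 file encrypted with older algorithms may need the -legacy option added to the pkcs12 command.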

End-user experience

First-time authentication

The first time you sign in to Okta after your admin has configured Symantec VIP as a factor in Okta, you're prompted to set up Symantec VIP.

  1. Make sure you've installed the VIP Access app on your mobile device.

  2. In the web browser on your computer, sign in to your Okta org.

  3. Click Set up.

  4. On your mobile device, open the VIP Access app:

  5. In the web browser on your computer, enter the following information in the Set up Symantec VIP page:
    • Credential ID (no spaces)
    • Security code 1. Enter a six-digit code.
    • Security code 2. Enter the next six-digit code. Enter all codes in the same order as they appear in the app.
  6. Click Enroll.

Subsequent authentications

  1. In the web browser on your computer, enter your Okta username to sign in to your Okta org.

  2. Click Select for Symantec VIP.

  3. Enter your Okta password and click Verify.

  4. On your mobile device, open the VIP Access app to obtain a six-digit security code.
  5. In the web browser on your computer, enter the security code in the Verify with Symantec VIP page.
  6. Click Verify.

Known issue

Users are unenrolled from their other, non-Okta Symantec VIP enrollments when they remove their Okta-based enrollment from their Okta Settings page. If this happens, they need to re-enroll in their non-Okta-based Symantec VIP enrollments.