MFA for On-Prem, including RSA SecurID

The Okta On-Prem MFA agent (formerly named the RSA SecurID agent) acts as a RADIUS client and communicates with your RADIUS enabled on-prem MFA server, including RSA Authentication manager for RSA SecurIDs. This allows your organization to leverage second factor challenges from a variety of on-premises multifactor authentication tools.

Note: If you are currently using theRSA SecurID agent (v. 1.1.0 or below) you should upgrade to the latest version of the On-Prem MFA agent at your earliest convenience. For the latest version and version history, see Okta On-Prem MFA Agent Version History.

Supported Operating Systems

The Okta On-Prem MFA agent can be installed on the following:

  • Windows Server 2008 R2
  • Windows Server 2008 R2 Core – If you are using this version for your installation, please take special note of step 6 under Installing the Agent.
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Before You Begin

Before setting up the On-Prem MFA agent within Okta, set up the RADIUS server settings for your secure OAuth vendor.

Enabling the Agent

To enable the On-Prem MFA agent or RSA SecurID, complete the following steps:

  1. From your Administrative Dashboard, Security > Multifactor.
  2. Select the Factor Types tab.
  3. Click the Edit button. The On-Prem MFA factor is not selectable at this time, unless you have set up this factor previously. Select either the RSA SecurID link or the Custom link to continue; the boxes are not selectable, unless you have set up the factor previously.

Disabling SSL Pinning

The following is applicable only to On-Prem MFA agent versions 1.3.0 or later.

Note: For agents on a network containing a web security appliance, it might be necessary to disable SSL pining.

  1. Open the folder where the Okta RSA agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RSA Agent\ OR C:\Program Files (x86)\Okta\Okta On-Prem MFA Agent\
  2. From this folder, navigate to current\user\config\rsa-securid\ Before making changes, we recommend creating a back up of this file. Using a text application such a Notepad, open the file current\user\config\rsa-securid\ residing in the Okta RSA agent installation folder.
  3. As line 6, add sslPinningEnabled = false
  4. Save the file.
  5. Restart the Okta On-Prem MFA Agent service using the available Windows administrative tools.

Installing the Agent

  1. Run the On-Prem MFA agent installer.

  2. Click Next through the "Important Information" and "License Information" screens.

  3. Choose your installation folder and click Install.

  4. On the Okta On-Prem Agent Configuration screen, enter your Instance ID. This is accessible from the On-Prem Multifactor Authentication Settings page in the Okta app (see The Custom Option under Enabling the Agent above).

  5. Configure the settings in the Register Okta On-Prem MFA Agent dialog box as follows:

Note: If setting this up to test on your Okta Preview Sandbox org, you'll need to enter the complete URL for your org. For example:

  1. (Windows Server 2008 R2 Core ONLY Open a browser and add the provided URL into the address field. This authorizes the installer to use Okta.

  1. Click the Next button to continue on to an Okta Sign In page.
  2. Sign into Okta on the Sign In screen.

  3. Click the Allow Access button.

  4. The confirmation screen appears. Click the Finish button to complete the installation.

Configuring High Availability

To configure for high availability by installing an additional On-Prem MFA agent, do the following:

  1. From your Administrator Dashboard, select Security > Multifactor > RSA SecurID / On-Prem MFA.
  2. Click the Add New Agent button.
  3. Download the agent with the provided URL, run the installation file, and enter the provided Instance ID when you are prompted to do so.


Uninstalling and Reinstalling Your Agent

When you uninstall a RSA SecurID or On-Prem MFA agent, or reinstall a On-Prem MFA agent, you must decide whether or not you also want to remove the old Okta API token from your system. If you are performing an upgrade, you are not required to do so. To remove the API token, you must delete the Okta RSA SecurID Agent or On-Prem MFA Agent folder, and deactivate and remove your old RSA SecurID / On-Prem MFA agent in Okta.

Note: To avoid down time, you must have at least two agents running before you uninstall one. See Configuring High Availability for more information.


Uninstalling Your Agent

To uninstall your agent, do the following:

  1. On your Windows desktop, select Start > Control Panel > Programs > Programs and Features.
  2. Select the appropriate agent, and then select Uninstall.
  3. From your Administrator Dashboard, select Security > Multifactor > RSA SecurID / On-Prem MFA.
  4. Click the Deactivate button for the agent you want to deactivate and then click the Delete button to remove it from your system.
  5. Uninstalling your On-Prem MFA agent leaves the agent configuration data on your hard drive. To remove the configuration data, go to \Program Files (x86)\Oktaand delete the Okta RSA SecurID Agent or On-Prem MFA folder. Deleting this folder removes the agent configuration data and the API token from your hard drive. The API token for the server is still valid in Okta so it is important to remove the configuration data. See API Tokens for more information.


Reinstalling Your Agent

Installing the agent does not overwrite the configuration data in the On-Prem MFA Agent folders. If you want to reinstall and create a new API token, make sure you delete the On-Prem MFA Agent folder, (as described above) before you reinstall the agent. Then perform the following steps to reinstall your agent, then deactivate and remove the old one in Okta:

  1. Perform the procedure described in Installing the On-Prem MFA Agent above.

  2. From your Administrator Dashboard, select Security > Multifactor and then select the RSA SecurID /On-Prem MFA tab.

  3. Under Agents, there is a list of your agents. Confirm that your reinstalled agent is connected to Okta and appears in the list. You should always make sure to have at least one of the agents online.

    If you are performing an upgrade or reinstallation and do not wish to revoke the Okta API token of the old agent, you are finished. Otherwise, proceed to the next step.

  4. Under Agents, click the Deactivate button for the agent you want to deactivate, then test your system to ensure that it is working properly.
  5. Select Security > API, and then click the trash can icon next to the appropriate agent token. See API Tokens for more information.
  6. Select Security > Authentication and then select the RSA SecurID / On-Prem MFA tab again.
  7. Click the Delete button to remove the agent from your system.