Symantec VIP (MFA)

Symantec Validation and ID Protection Service (VIP) is a cloud-based authentication service that enables secure access to networks and applications. You can add Symantec VIP as a multifactor authentication (MFA) option in Okta. To enable Symantec VIP for multifactor authentication, you first obtain a certificate from the Symantec VIP Manager and then upload it to Okta. When Symantec VIP is enabled, Symantec VIP-registered users who select it when authenticating are prompted to enter a time-based passcode generated by the Symantec VIP app.

Before you begin

Ensure you have the following:

  • An admin account in Symantec VIP Manager.

  • A certificate from Symantec VIP Manager (must be in PKCS#12 file format).

  • The password you entered when you obtained the certificate.

Add Symantec VIP as a factor

  1. In the Admin Console, go to Security > Multifactor.
  2. On the Factor Types tab, click Symantec VIP.
  3. Click Browse to select the certificate that you obtained from Symantec VIP Manager.
  4. Enter the password that you used when you obtained the certificate from Symantec VIP Manager.
  5. Click Upload Certificate.
  6. Click Inactive in the upper right and then select Activate.

Replace the Symantec VIP certificate through the Okta Admin Console

Perform these steps if you need to replace the certificate for any reason, such as before it expires. Certificates are typically valid for two years. The expiration date is shown in Certificate details in the Factor Types tab.

  1. Obtain a new certificate from Symantec VIP Manager.
  2. In the Admin Console, go to Security > Multifactor.
  3. On the Factor Types tab, click Symantec VIP and then click Edit.
  4. Click Browse to select the certificate that you obtained from Symantec VIP Manager.
  5. Enter the password that you used when you obtained the certificate from Symantec VIP Manager.
  6. Click Upload Certificate.
  7. Click Inactive in the upper right and then select Activate.
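
Before uploading a new or replacement certificate, you can confirm locally that the PKCS#12 file opens with the password and that it isn't close to expiry. This is an added example, not part of the Okta or Symantec documentation; it assumes the OpenSSL command-line tool is installed, and the function name vip_p12_check and the environment variable VIP_P12_PASS are hypothetical.

```shell
# Added example: pre-upload check of a Symantec VIP PKCS#12 certificate.
# Usage: VIP_P12_PASS='...' vip_p12_check FILE [WARN_DAYS]
# Return codes:
#   0 = file opens with the password and is valid beyond WARN_DAYS
#   1 = certificate expires within WARN_DAYS (or has already expired)
#   2 = file cannot be opened (wrong password, missing file, or not PKCS#12)
# The password is read from the environment variable VIP_P12_PASS (assumed
# name) so that it does not appear in the process list.

vip_p12_check() {
    vip_p12_file=$1
    vip_warn_days=${2:-30}

    # Extract only the client certificate; the private key is never written out.
    vip_pem=$(openssl pkcs12 -in "$vip_p12_file" -nokeys -clcerts \
                  -passin env:VIP_P12_PASS 2>/dev/null) || return 2
    [ -n "$vip_pem" ] || return 2

    # Print subject and expiry date (notAfter) for the change record.
    printf '%s\n' "$vip_pem" | openssl x509 -noout -subject -enddate || return 2

    # -checkend exits non-zero if the certificate expires within N seconds.
    printf '%s\n' "$vip_pem" |
        openssl x509 -noout -checkend $((vip_warn_days * 86400)) >/dev/null || return 1

    return 0
}
```

With OpenSSL 3.x, a file protected with older encryption algorithms may need the -legacy option added to the pkcs12 command; without it, such a file is also reported with return code 2.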

End-user experience

Note

Although end users can access Okta from a mobile device, these procedures assume they're accessing Okta from a browser on their computer.

First-time authentication

The first time you sign in to Okta after your admin has configured Symantec VIP as a factor in Okta, you're prompted to set up Symantec VIP.

  1. Make sure you have installed the VIP Access app on your mobile device.

  2. In the web browser on your computer, sign in to your Okta org.

  3. Click Set up.

  4. On your mobile device, open the VIP Access app:

  5. In the web browser on your computer, enter the following information in the Set up Symantec VIP screen:
    • Credential ID (no spaces)
    • Security code 1. Enter a 6-digit code.
    • Security code 2. Enter the next 6-digit code. You must enter consecutive codes.
  6. Click Enroll.

Subsequent authentications

  1. In the web browser on your computer, enter your Okta username to sign in to your Okta org.

  2. Click Select for Symantec VIP.

  3. Enter your Okta password and click Verify.

  4. On your mobile device, open the VIP Access app to obtain a 6-digit security code.
  5. In the web browser on your computer, enter the security code in the Verify with Symantec VIP screen.
  6. Click Verify.

Known issue

Non-Okta Symantec VIP accounts are deactivated if users remove Symantec VIP from the Okta End-User Dashboard settings page

Given

  1. An end user enrolled in Symantec VIP in:
    • Their Okta org, and
    • One or more other apps or websites
  2. The end user removes their Okta+Symantec VIP enrollment through the End-User Dashboard > Settings page > Extra Verification dialog box.

Issue

The user is unenrolled not only from their Okta+Symantec VIP enrollment (as expected) but also from their other, non-Okta Symantec VIP enrollments.

Remedy

Advise affected end users that they need to re-enroll in their non-Okta Symantec VIP enrollments.