Swap On-Prem MFA/RSA SecurID

Before swapping you must have previously configured either:

  • RSA SecurID or On-Prem MFA

When Swapping an On-Prem MFA or RSASecurID authenticator you will be prompted to disable the existing authenticator, if still enabled.

Configure replacement authenticator

  1. In a browser, navigate to your Okta Org and sign in as an administrator.
  2. Click Security > Authenticators.
  3. From the Add Authenticator dialog, select either RSA SecurID or On-Prem MFA.

Once added, some Authenticators may be further configured from the list of added Authenticators by clicking Actions > Edit.
See also About MFA authenticators.

When configuring a replacement authentication, note that all configuration, with the exception of shared secret, is copied forward to the new authenticator.

Configure On-prem MFA replacement

  1. Enter the following fields:
    • Provider name: This is the name that appears to end users during their login challenge.
    • Username format: Select the format expected by the provider.
    • Hostname: The server host name or IP address.
    • Authentication Port: The RADIUS server port (for example 1812).
      This is defined when the On-Prem RADIUS server is configured.
    • Shared Secret: An authentication key that must be defined when the RADIUS server is configured, and must be the same on both the RADIUS client and server.
  2. Click Add.
  3. Click Add New Agent. Note the value of the instance ID. You're also provided with a download link for the On-prem MFA agent installer.
  4. Activate or Deactivate the authenticator as required.
  5. Click Save.

Configure RSA SecurID replacement

  1. Enter the following fields:
    • Username format: Select the format expected by the provider.
    • Hostname: The server host name or IP address.
    • Authentication Port: The RADIUS server port (for example, 1812). This is defined when the On-Prem RADIUS server is configured.
    • Shared Secret: An authentication key that must be defined when the RADIUS server is configured, and must be the same on both the RADIUS client and server.
  2. Click Add New Agent. Note the value of the instance ID. You're also provided a download link for the agent installer.
  3. Activate or Deactivate as required.
  4. Click Save.