Configure Symantec VIP authenticator

Symantec Validation and ID Protection Service (VIP) is a cloud-based authentication service that enables secure access to networks and applications. You can add Symantec VIP as a multifactor authentication (MFA) option in Okta. To enable Symantec VIP for multifactor authentication, you first obtain a certificate from the Symantec VIP Manager and then upload it to Okta. When Symantec VIP is enabled, Symantec VIP-registered users who select it when authenticating are prompted to enter a time-based passcode generated by the Symantec VIP app.

Before you begin

Ensure you have the following before you enable this authenticator or update the certificate:

  • An admin account in Symantec VIP Manager.

  • A certificate from Symantec VIP Manager in .p12 (PKCS#12) file format.

  • The password you entered when you obtained the certificate.

Enable Symantec VIP as an authenticator

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Add Authenticator.
  3. Click Add on the Symantec VIP tile.
  4. Click Browse and select the certificate that you obtained from Symantec VIP Manager.
  5. Type the password that you used when you obtained the certificate from Symantec VIP Manager in the Your VIP Manager password field.
  6. Click Add.

Replace the Symantec VIP certificate through the Okta Admin Console

Perform these steps if you need to replace the certificate, such as before it expires. Certificates are typically valid for two years. The expiration date is shown in Certificate details on the Setup tab.

  1. Obtain a new certificate from Symantec VIP Manager.
  2. In the Admin Console, go to Security > Authenticators.
  3. On the Setup tab, find Symantec VIP and then click Actions > Edit.
  4. Click Replace certificate.
  5. Click Browse to select the certificate that you obtained from Symantec VIP Manager.
  6. Type the password that you used when you obtained the certificate from Symantec VIP Manager in the Your VIP Manager password field.
  7. Click Add.
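Before the first upload, and again when planning a replacement, it helps to confirm that the .p12 bundle actually opens with the password you intend to enter and to read the certificate's expiry date. The following is an added example, not Okta's or Symantec's code; it requires the `cryptography` package, and the bundle it inspects is constructed in-line from a self-signed certificate so the script runs offline (in practice, pass the bytes of the real VIP Manager file). The 30-day renewal threshold is an assumption, not an Okta setting.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def inspect_p12(p12_bytes: bytes, password: str) -> dict:
    """Open a PKCS#12 bundle; raise ValueError on a wrong password or an incomplete bundle."""
    key, cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, password.encode())
    if cert is None or key is None:
        raise ValueError("bundle lacks a certificate or private key")
    # cryptography >= 42 exposes a tz-aware property; older versions return a naive UTC value
    not_after = getattr(cert, "not_valid_after_utc", None) \
        or cert.not_valid_after.replace(tzinfo=timezone.utc)
    days_left = (not_after - datetime.now(timezone.utc)).days
    return {
        "subject": cert.subject.rfc4514_string(),
        "not_after": not_after.isoformat(),
        "days_left": days_left,
        "renew_soon": days_left < 30,  # assumed threshold for starting the replacement
    }


def make_test_p12(password: str, valid_days: int) -> bytes:
    """Build a constructed self-signed .p12 so the example runs without a real VIP certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-vip-cert")])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=1))
        .not_valid_after(now + timedelta(days=valid_days))
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        b"vip", key, cert, None,
        serialization.BestAvailableEncryption(password.encode()),
    )


if __name__ == "__main__":
    bundle = make_test_p12("example-password", valid_days=730)  # two-year validity, as on the page
    print(inspect_p12(bundle, "example-password"))
```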

Add Symantec VIP to an MFA enrollment policy

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Enrollment tab, add a new multifactor policy or edit an existing one.

    Add a policy:

    1. Click Add Multifactor Policy.
    2. Enter a name.
    3. Assign this policy to groups.
    4. Set Symantec VIP to Optional or Required.
    5. Click Create Policy.

    Edit a policy:

    1. Select the policy you want to edit and click Edit.
    2. In Effective factors, set Symantec VIP to Optional or Required.
    3. Click Update Policy.
  3. To add one or more rules to the policy, see Configure an authentication enrollment policy rule.

End-user experience

First time authentication

The first time you sign in to Okta after your admin has configured Symantec VIP as an authenticator in Okta, you're prompted to set up Symantec VIP.

  1. Make sure you have installed the VIP Access app on your mobile device.

  2. In the web browser on your computer, sign in to your Okta org.

  3. Click Set up.

  4. On your mobile device, open the VIP Access app.

  5. In the web browser on your computer, enter the following information on the Set up Symantec VIP screen:
    • Credential ID (no spaces)
    • Security code 1. Enter the six-digit code from the VIP Access app.
    • Security code 2. Enter the next six-digit code from the VIP Access app. You must enter consecutive codes.
  6. Click Enroll.

Subsequent authentications

  1. In the web browser on your computer, enter your Okta username to sign in to your Okta org.

  2. Click Select for Symantec VIP.

  3. Enter your Okta password and click Verify.

  4. On your mobile device, open the VIP Access app to obtain a six-digit security code.
  5. In the web browser on your computer, enter the security code in the Enter security code field on the Verify with Symantec VIP screen.
  6. Click Verify.

About rate limiting for OTP authenticators

To protect your sensitive corporate resources from unauthorized access, Okta enforces a rate limit on unsuccessful authentication attempts from your Okta-enrolled third-party OTP authenticators. A cumulative limit of five unsuccessful authentication attempts from the following authenticators is enforced over a rolling five-minute period:

  • Google Authenticator

  • Symantec VIP

  • YubiKey Authenticator

If unsuccessful authentications exceed the rate limit:

  • Authentication isn't allowed until the rate limit passes.

  • Okta returns HTTP status code 429, "too many requests".

  • A message appears on the user interface and is written to the System Log.
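The limit above is easiest to reason about as a sliding window. The following is an added example, not Okta's code, that models the behaviour the page describes: one per-user budget of five failures shared across the three OTP authenticators, failures ageing out after five minutes, and a 429 response while the budget is exhausted, even for a correct code. The 401 status for a single wrong code, the retry hint, and the choice not to reset the budget on success are assumptions, not documented Okta behaviour.

```python
from collections import defaultdict, deque

# The three Okta-enrolled OTP authenticators that share one failure budget
OTP_AUTHENTICATORS = {"google_authenticator", "symantec_vip", "yubikey"}
MAX_FAILURES = 5        # cumulative unsuccessful attempts allowed ...
WINDOW_SECONDS = 300    # ... within a rolling five-minute period


class OtpRateLimiter:
    def __init__(self):
        # per user: timestamps (seconds) of failed verifications, oldest first
        self._failures = defaultdict(deque)
        self.system_log = []  # constructed stand-in for the System Log entries

    def _prune(self, user, now):
        """Drop failures older than the rolling window."""
        q = self._failures[user]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def verify(self, user, authenticator, otp_valid, now):
        """Return (http_status, message) for one verification attempt at time `now`."""
        if authenticator not in OTP_AUTHENTICATORS:
            raise ValueError(f"{authenticator} is not a rate-limited OTP authenticator")
        self._prune(user, now)
        q = self._failures[user]
        if len(q) >= MAX_FAILURES:
            # Budget exhausted: reject regardless of whether this code is correct
            retry_after = WINDOW_SECONDS - (now - q[0])
            self.system_log.append(f"user={user} authenticator={authenticator} rate_limited")
            return 429, f"too many requests; retry in {retry_after:.0f}s"
        if otp_valid:
            return 200, "verified"
        q.append(now)  # assumed: a success does not erase earlier failures
        self.system_log.append(f"user={user} authenticator={authenticator} otp_failure")
        return 401, "invalid security code"


if __name__ == "__main__":
    limiter = OtpRateLimiter()
    # Constructed scenario: failures alternate between two authenticators, so they add up
    for i in range(5):
        auth = "symantec_vip" if i % 2 else "google_authenticator"
        print(limiter.verify("alice", auth, otp_valid=False, now=1000 + 10 * i))
    print(limiter.verify("alice", "yubikey", otp_valid=True, now=1050))  # (429, ...)
    print(limiter.verify("alice", "symantec_vip", otp_valid=True, now=1300))  # (200, ...)
```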

Known issue

Non-Okta-based Symantec VIP accounts are deactivated if users remove Symantec VIP from the Okta End-User Dashboard settings page

Given:

  1. An end user enrolled in Symantec VIP in:

    • Their Okta org, and
    • One or more other apps or websites
  2. The end user removes their Okta-based Symantec VIP enrollment through the End-User Dashboard > Settings page > Extra Verification dialog.

Issue:

The user is unenrolled not only from their Okta-based Symantec VIP enrollment (as expected) but also from their other, non-Okta-based Symantec VIP enrollments.

Remedy:

Advise affected end users that they need to re-enroll in their non-Okta-based Symantec VIP enrollments.