Configure the Symantec VIP authenticator
Symantec Validation and ID Protection Service (VIP) is a device-bound possession factor and verifies user presence. It's a cloud-based authentication service that allows users to sign in by entering a time-based passcode generated by the Symantec VIP app.
Before you begin
You need the following to configure the Symantec VIP authenticator in Okta:
- Admin account in Symantec VIP Manager
- VIP certificate from Symantec VIP Manager in .p12 (PKCS#12) file format
- VIP Manager password you used to obtain the certificate
Add the Symantec VIP authenticator
- In the Admin Console, go to .
- On the Setup tab, click Add Authenticator.
- Click Add on the Symantec VIP tile.
- Upload the VIP certificate.
- Enter your VIP Manager password.
- Click Add. The authenticator appears in the list on the Setup tab.
Add the Symantec VIP authenticator to the authenticator enrollment policy
In Authenticators, go to the Enrollment tab to add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.
Edit or delete the Symantec VIP authenticator
Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.
- In Authenticators, go to the Setup tab.
- Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.
Replace the VIP certificate
An expired or revoked VIP certificate may lead to VIP authentication failures. Therefore, you need to replace the VIP certificate before it expires or if it's revoked. The certificate is typically valid for two years. You can see the certificate expiration date on the Setup tab.
To replace the certificate, follow these steps:
- Open the Actions dropdown menu beside the authenticator, and then select Edit.
- Click Replace certificate and upload the new certificate.
- Enter the password that you used when you obtained the certificate from Symantec VIP Manager.
- Click Add.
End-user experience
End users install the VIP Access app on their mobile device. During the first sign-in, they're prompted to set up the Symantec VIP authenticator. The end user follows instructions for the Okta sign-in process and in the VIP Access app. For subsequent sign-ins, they enter the time-based passcode generated by the VIP Access app on their mobile device and continue with the sign-in process.
Users are unenrolled from their other, non-Okta Symantec VIP enrollments when they remove their Okta-based enrollment from their Okta Settings page. They then need to re-enroll in their non-Okta-based Symantec VIP enrollments.
Okta enforces a rate limit on unsuccessful authentication attempts from Okta-enrolled third-party OTP authenticators. These authenticators include Google Authenticator, Symantec VIP, and YubiKey OTP. The rate limit is a total of five unsuccessful attempts from any or all of these authenticators within a rolling five-minute period. When a user exceeds the rate limit, they can't sign in until the rate limit passes. These attempts are registered in the System Log.
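The following added example (not Okta's code) shows how a detection job could apply the shared rolling-window rule described above to exported sign-in events. The event fields, authenticator labels, and sample data are constructed for illustration and are not the real System Log schema; it assumes the fifth failure inside the window is the point worth flagging.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Authenticators the page says share one failure counter.
# These labels are this example's own, not Okta System Log values.
SHARED_OTP = {"google_authenticator", "symantec_vip", "yubikey_otp"}
LIMIT = 5
WINDOW = timedelta(minutes=5)

def users_hitting_limit(events, limit=LIMIT, window=WINDOW):
    """Return {user: time of the failure that completed `limit` failures
    in one rolling `window`}, counting all SHARED_OTP authenticators together."""
    recent = defaultdict(deque)  # user -> failure timestamps still in the window
    hits = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["authenticator"] not in SHARED_OTP or ev["outcome"] != "FAILURE":
            continue
        q = recent[ev["user"]]
        q.append(ev["time"])
        # Drop failures that have aged out of the rolling window.
        while ev["time"] - q[0] >= window:
            q.popleft()
        if len(q) >= limit and ev["user"] not in hits:
            hits[ev["user"]] = ev["time"]
    return hits

def make_event(ts, user, authenticator, outcome="FAILURE"):
    return {"time": datetime.fromisoformat(ts), "user": user,
            "authenticator": authenticator, "outcome": outcome}

# Constructed sample events (simplified; hypothetical field names).
SAMPLE = [
    make_event("2024-01-01T09:00:00", "alice", "symantec_vip"),
    make_event("2024-01-01T09:00:40", "alice", "google_authenticator"),
    make_event("2024-01-01T09:01:10", "alice", "symantec_vip"),
    make_event("2024-01-01T09:02:00", "alice", "yubikey_otp"),
    make_event("2024-01-01T09:03:30", "alice", "symantec_vip"),  # 5th in 3.5 min
    make_event("2024-01-01T09:00:00", "bob", "symantec_vip"),
    make_event("2024-01-01T09:02:00", "bob", "symantec_vip"),
    make_event("2024-01-01T09:04:00", "bob", "symantec_vip"),
    make_event("2024-01-01T09:06:00", "bob", "symantec_vip"),
    make_event("2024-01-01T09:08:00", "bob", "symantec_vip"),  # 5 failures over 8 min
    make_event("2024-01-01T09:09:00", "bob", "symantec_vip", "SUCCESS"),
]

if __name__ == "__main__":
    for user, when in users_hitting_limit(SAMPLE).items():
        print(f"{user}: reached {LIMIT} failed OTP attempts at {when.isoformat()}")
```

Alice is flagged because her failures are spread across three authenticators but fall inside one five-minute window; Bob has the same number of failures but never five within any window.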