.. integration-procedure.rst

=====================================
Integration Procedure
=====================================

The following provides an overview of the integration steps to get started using Yubico FIDO Pre-reg with Okta and Okta Workflows.

.. _prerequisites:

Prerequisites
--------------

Ensure you have the following before starting the implementation procedure:

* `Enterprise Plus plan `_ subscription. For questions about Yubico subscription services, contact `Yubico Support `_.
* `YubiEnterprise Console `_ access with FIDO Pre-reg enabled. This is provided by Yubico during onboarding of your organization.
* `Customization IDs (CID) `_, Product IDs, and Subscription IDs for the YubiKey models you will be shipping to end users. Provided by Yubico.
* A YubiEnterprise API token, see :ref:`connection-authorize`.
* An Okta Identity Engine (OIE) tenant with Adaptive MFA and Okta Workflows entitlements.
* For an understanding of the Yubico FIDO Pre-reg integration, see :ref:`workflow-integration`.
* For an overview of Okta’s recommended policies, see `Require phishing-resistant authentication with pre-enrolled YubiKey (Okta documentation) `_.
* In order for users to be able to authenticate with a security key, ensure that FIDO2 WebAuthn is enabled in your Okta tenant. In the **Okta Admin Console**, configure **User verification** to use the **Preferred** option as described in `Add the FIDO2 (WebAuthn) authenticator section (Okta documentation) `_.

.. Note:: The FIDO Alliance recommends ``UV=Required``. However, you will need to assess the impact of ``UV=Required`` based on your organization’s current settings, as it may impact users across operating systems and browser types if a PIN is not set. ``Preferred`` is an option if you are concerned about blocking other users.

.. _integration-steps:

Integration Steps
-------------------

The Yubico FIDO Pre-reg workflow template for Okta is flexible, and you can request a pre-registered YubiKey using the following methods:

* **MFA initiated** - trigger shipments using Pre-enrolled authenticators in the Okta Workflows console (for an individual user).
* **Group Add** - trigger shipments using the Group Add flow in the Okta Workflows console (for an individual user or multiple users).
* **Batch requests** - use the API to order YubiKeys for multiple users. For more information, see `Order pre-enrolled YubiKeys in a batch (Okta documentation) `_.

The following steps let you set up the Yubico FIDO Pre-reg integration and create a first shipment of a pre-registered YubiKey:

1. :ref:`Create user groups and configure Okta policies `
2. :ref:`Add the Yubico FIDO Pre-reg Workflow template `
3. :ref:`Configure the workflow connections `
4. :ref:`Create a shipment request `

The following sections describe each step in detail.