Integration Procedure
The following provides an overview of the integration steps to get started using FIDO Pre-reg with Okta and Okta Workflows.
Prerequisites
Ensure you have the following before starting the implementation procedure:
- Enterprise Plus plan subscription. For questions about Yubico subscription services, contact Yubico Support.
- Customer Portal access with FIDO Pre-reg enabled. This is provided by Yubico during onboarding of your organization.
- Customization IDs (CID), Product IDs, and Subscription IDs for the YubiKey models you will be shipping to end users. Provided by Yubico.
- A YubiEnterprise API token, see Generating an Authorization Token.
- An Okta Identity Engine (OIE) tenant with Adaptive MFA and Okta Workflows entitlements.
- For an understanding of the FIDO Pre-reg integration, see Workflow integration.
- For an overview of Okta’s recommended policies, see Require phishing-resistant authentication with pre-enrolled YubiKey (Okta documentation).
- In order for users to be able to authenticate with a security key, ensure that FIDO2 WebAuthn is enabled in your Okta tenant. In the Okta Admin Console, configure User verification to use the Preferred option as described in Add the FIDO2 (WebAuthn) authenticator section (Okta documentation).
Note
The FIDO Alliance recommends UV=Required. However, you will need to assess the impact of UV=Required based on your organization’s current settings, as it may block users across operating systems and browser types if a PIN is not set on their key. Preferred is an option if you are concerned about blocking those users.
Integration Steps
The FIDO Pre-reg workflow template for Okta is flexible and you can request a pre-enrolled YubiKey using the following methods:
- MFA initiated - trigger shipments using Pre-enrolled authenticators in the Okta Workflows console for an individual user.
- Group Add - trigger shipments using the Group Add flow in the Okta Workflows console (individual or multiple users). Lets you request shipments based on group membership.
- Batch requests - use the API to order YubiKeys for multiple users. For more information, see Order pre-enrolled YubiKeys in a batch (Okta documentation).
The following steps let you set up the FIDO Pre-reg integration and create a first shipment of a pre-enrolled YubiKey:
- Create user groups and configure Okta policies
- Add the FIDO Pre-reg Workflow template
- Configure the workflow connections
- Create a shipment request
The following sections describe each step in detail.