Okta API & MFA Demo

Captions
Welcome. Today I'm going to be demonstrating multi-factor authentication with Okta using the Okta API, so if you're interested in security, multi-factor authentication and APIs, you're in the right place. There are only two requirements for you to do this demo yourself, and that is to have an Okta organization, which you can create at developer.okta.com (you can click on Sign Up over here and create your free developer account), and you'll also need a tool called Postman for making the API requests, and you can get that at getpostman.com. Now I've created my Okta developer organization and I'm logged into it over here, and the first thing you'll need to do after you set up your admin console is to come up here to Developer Console and switch to the Classic UI. That just gives us some more menu options which we'll be using in this demonstration. So there's a little bit of setup in the Okta admin console, and then we're going to switch over to interacting with the API.

So the first thing I'm going to do is come over to Security and Multifactor, and on the Factor Types tab I'm going to click Edit and I'm going to enable Okta Verify. We support a variety of factor types; for this demonstration I'm going to be demonstrating Okta Verify, which supports push notifications. Now I want to draw your attention over to the Factor Enrollment tab. There's a default policy, and under eligible factors Okta Verify has already been selected automatically and it's set as optional, so I'm going to leave that rule as is. The next thing we're going to look at is enforcement, so we want to create a sign-on policy so that when people sign on they must use a second factor, in this case Okta Verify. So I'm going to choose Security and Authentication, and I'm going to click the Sign On tab here and add a new Okta sign-on policy. We'll call this "API demo policy", "API demo policy" description, and we're going to assign it to the Everyone group. This is the built-in group and it's literally every user account that belongs to Okta. So I'm going to create this policy and add a rule. We'll call this "API demo rule" and I'm going to leave it as user's IP is anywhere; we could shape this and limit this rule to specific IP addresses, but we're not going to do this. We're going to leave it with any authentication type. What we are going to do is click the Prompt for Factor and I'm going to select Every Time, meaning that every time a user authenticates they're required to provide a second factor, and in this case it's going to be Okta Verify. Let me create that rule. So now we've done everything that we need to do on the Okta admin console side, and we're going to switch over to Postman.

Now one thing about Postman: I'm going to exit Postman, because what I want to show you is that from the Okta developer site we have a set of Postman collections that you can install directly into Postman to work with the Okta API. So I clicked on the Docs link, I'm going to scroll down a little bit and click on the Getting Started with the Okta API link, and you can see that we do a lot of Postman to exercise the API. What I want to bring you to is this Collections Quick Reference, and this is just a table of all the different Postman collections that we have. These are collections of requests to interact with the Okta API. The one that I'm going to grab right now is Authentication, and if I click the Run in Postman link I can then choose Postman for Windows and I can tell it to open Postman. That's why I exited Postman to begin with, because you need to click the Open Postman link in order for it to install that collection. So now when Postman launches you can see over here that I have an Authentication collection with 40 requests; that's the link that I just clicked on.

Now before we start exercising these requests I'm going to set up an environment, which is a nice feature of Postman: it allows us to set up environment variables. So I click the gear icon and Manage Environments, I'm going to add a new environment and we'll just call it "API demo", and I'm going to set up a few keys here which we'll use in our requests. So the first one is username, and that is the email address that I set up previously in my Okta environment, and I'm also going to set a password. I have a pretty simple password here, and rest assured I've changed it before you're seeing this video. I'm going to set up a few more. url is an important one, and that is the unique URL of my Okta organization, so I'm just going to copy and paste this link here for url. I don't want the end stuff, I just want the base URL, and I want to get rid of the "-admin". So this is the base URL for my Okta organization. Let me set up a couple more environment variables which we're going to use in a little bit, and I'll explain what they are when we get to them: one is called factor ID and the other is called state token. I'm going to leave those blank for now.

OK, so now the first thing I'm going to do is use the Primary Authentication endpoint, and if you notice up here, Postman has a great feature to use placeholders from the environment. Now if I hover my mouse over url you'll see that it's a variable, and that's just because I need to select the environment that I just created. So I select the API demo environment, and now that I've selected it we can see that url resolves to the value that I set up. If you look at the body for this Primary Authentication call we can see that it's passing in the username and password. Now if we didn't set up MFA enrollment we would just get back a status of success when we posted to this endpoint. In this case, because we set up MFA... let's see: authentication failed. So that's a little bit of a demo monster; I probably didn't set up my password correctly here, so bear with me a sec. I misspelled my own email address, it looks like. Yes, it's micah at afitnerd.com. OK, now that I've updated that environment variable I'm going to click Send, and here we see the status that we get back is MFA enroll, and the factor options that we have are push, that's the Okta Verify push factor type.

So now, because it's optional, I could continue on and not enroll, but I am going to enroll so that we can demonstrate this in action. So in the upper left I have an Enroll folder in this Authentication collection. I'm going to expand that folder and I'm going to tell it that I want to enroll in the Okta Verify push factor. Now let's see what the Okta Verify push factor requires: it's going to use the same URL, and in the body it's sending a state token and a factor type. So the purpose of the state token is for when you have a multi-step authentication process, as we do in this case. We attempted primary authentication, we got back a status of MFA enroll, and in order to continue that enrollment we're going to need to set this state token. You'll notice one of the parts of the response that we got here, right at the top, is the state token, and what I can do in Postman is I can highlight that state token, I can right-click, and then it has this nice feature where I can set one of the environment variables directly. So I right-click, I choose Set: API demo, and state token. I already set up that environment variable; now we're setting its value. So I jump back over here to our Enroll request, I'm going to click Send, and now the response that we get back is MFA enroll activate, and waiting, and the state token is the same. We're going to keep using that state token until we get to an endpoint in this authentication process. So right now the factor result is waiting, and that means that since this is an asynchronous factor type we have to poll to see when the user has finished their enrollment. So if I come over here to the bottom of my collection you'll notice that I have a Poll for Factor Enrollment request. That Poll for Factor Enrollment request takes a factor ID and it uses the state token as well to see if the user has finished enrollment. So over here on my response, let me just open up this tab a little bit, it's a little finicky, here we go. So over here in my response where I have the MFA enroll activate waiting, I also have a factor ID, and so now I'm going to use that unique factor ID. I'm going to set that in our environment, and now over here in Poll for Factor Enrollment, in this request, when I send it I can see that the status is still MFA enroll activate, waiting. So if you were writing an application you could use this endpoint to poll to see when the user had completed their activation.

OK, so now jumping back to the response to our Enroll request, if I scroll down a little bit you'll see that we also get a QR code, and this is used to program the Okta Verify mobile application. So I'm going to copy that QR code link and I am literally going to paste it right into my browser. And now what I'm going to do is I'm going to launch the Okta Verify app on my mobile device. Now this is my real iPhone, I'm mirroring its screen, this isn't an emulator. I'm going to launch the Okta Verify mobile app and I'm going to touch Add an Account, and the first thing I need to do, since this is the first time I'm launching it, is to allow camera access and push notifications. So I'm going to allow Okta Verify access to the camera and I'm going to allow push notifications. So now this is the real camera of the phone, and I'm going to go and capture the QR code, and now when I touch ID you can see that we've successfully enrolled in push authentication for micah at afitnerd. So now that completes the enrollment side of things.

Now let's go and look at what happens when I try to authenticate again, because remember we created a sign-on policy that's now going to enforce that MFA requirement. So I'm going to come back to Primary Authentication and I'm going to send this request once more, and now if you notice, the status that we get back is MFA required, and now we have a brand new state token, because once again this is a multi-step process, and in this case it's asynchronous. So I'm going to right-click and I'm going to set the state token once again, because we're in a new flow and we have a new state token. So now it's MFA required. If I come over here to Verify, I have a Verify and Poll Push Factor. So when I choose that request, notice that where it's going to be making the request is the same factor ID; that hasn't changed. And in the body it's going to be making use of the state token, that's our new state token. Now if I send this request, the status that we get back this time is MFA challenge, waiting. Now this same endpoint is used for polling, and so I can keep hitting Send and I'll keep getting back that same status, MFA challenge waiting, until the user acknowledges the challenge in the Okta Verify app. So this is the endpoint that you would use to both do the initial push and then to poll to see when the user actually acknowledges that challenge. Now if I switch back to my device we can see that I've gotten a push notification, and as soon as I click on the Approve button it requests my Touch ID. I give it my thumbprint, and now I've successfully responded to the push authentication request. And now that I've done that, when I send this once more we can see that we've finally arrived at a terminating point, because our status is success. So the authentication now has been successful, and notice I have a session token, and I can use this session token to further interact with the Okta API.

So we've come full circle now, where we've enrolled in MFA and we've authenticated using MFA, and we've done it completely using the API. So hopefully you found this instructive and useful. If this is interesting to you and you want to learn more about the Okta API, we have a great course called the Okta Platform for Developers course. It's a three-day course and it goes into all of the detail of all of the aspects of the Okta API and how you use it in your own development process. You can check that out on okta.com; we have a link to Services and Training and Certification, and this is hands-on training, and from there you can find the course description and you can sign up for the course. It's Okta Platform for Developers. Hope to see you there. I am one of the instructors that teaches the course and I look forward to seeing you in the course. Have a great day.
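The API flow the captions walk through (primary authentication answering MFA required, then the verify-and-poll push request repeated until the status is success and a session token comes back), as an added Python example that is not code from the video or from Okta's Postman collections. It assumes the Okta authentication API paths /api/v1/authn and /api/v1/authn/factors/{factorId}/verify and the response fields status, stateToken, factorResult and sessionToken; FakeOkta and every token value in it are constructed for offline use.

```python
import json
import time
import urllib.request

def http_post(url: str, body: dict) -> dict:  # real transport, standard library only
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:  # bad credentials surface as an HTTPError (401)
        return json.load(resp)

def authenticate_with_push(base_url: str, username: str, password: str, post=http_post,
                           max_polls: int = 30, wait_s: float = 2.0) -> str:
    """Primary auth -> MFA_REQUIRED -> push verify, polled until SUCCESS. Returns the sessionToken."""
    txn = post(f"{base_url}/api/v1/authn", {"username": username, "password": password})
    if txn["status"] == "SUCCESS":          # no sign-on policy demanded a second factor
        return txn["sessionToken"]
    if txn["status"] != "MFA_REQUIRED":     # e.g. MFA_ENROLL: run the enrollment flow first
        raise RuntimeError(f"cannot continue from status {txn['status']}")
    state_token = txn["stateToken"]         # binds later calls to this transaction; keep it out of logs
    push = [f for f in txn["_embedded"]["factors"] if f["factorType"] == "push"]
    if not push:
        raise RuntimeError("user has no push factor enrolled")
    verify_url = f"{base_url}/api/v1/authn/factors/{push[0]['id']}/verify"
    for _ in range(max_polls):              # first call sends the push; the same endpoint is then polled
        txn = post(verify_url, {"stateToken": state_token})
        if txn["status"] == "SUCCESS":
            return txn["sessionToken"]
        result = txn.get("factorResult")
        if txn["status"] != "MFA_CHALLENGE" or result != "WAITING":  # REJECTED / TIMEOUT end the attempt
            raise RuntimeError(f"push not approved: status={txn['status']} factorResult={result}")
        time.sleep(wait_s)
    raise TimeoutError("user did not answer the push challenge in time")

class FakeOkta:
    """Constructed stand-in for the org: replays the statuses seen in the demo (not a real server)."""
    def __init__(self, approve_after: int, final_result: str = "SUCCESS"):
        self.approve_after, self.final_result, self.polls = approve_after, final_result, 0
    def __call__(self, url: str, body: dict) -> dict:
        if url.endswith("/api/v1/authn"):
            if body != {"username": "demo@example.com", "password": "correct-horse"}:
                raise PermissionError("Authentication failed")  # the real org answers HTTP 401
            return {"status": "MFA_REQUIRED", "stateToken": "st-CONSTRUCTED",
                    "_embedded": {"factors": [{"id": "opf-CONSTRUCTED", "factorType": "push"}]}}
        assert url.endswith("/factors/opf-CONSTRUCTED/verify") and body == {"stateToken": "st-CONSTRUCTED"}
        self.polls += 1
        if self.polls <= self.approve_after:
            return {"status": "MFA_CHALLENGE", "factorResult": "WAITING", "stateToken": "st-CONSTRUCTED"}
        if self.final_result == "SUCCESS":
            return {"status": "SUCCESS", "sessionToken": "sess-CONSTRUCTED"}
        return {"status": "MFA_CHALLENGE", "factorResult": self.final_result, "stateToken": "st-CONSTRUCTED"}
```

Against a real org, call authenticate_with_push with the org's base URL and leave post at its default; the same loop then drives the push and the polling that the video does by hand with Send.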
Info
Channel: OktaDev
Views: 30,205
Rating: 4.9245281 out of 5
Keywords: mfa, multifactor, multifactor authentication, api, security, authentication
Id: EVL3gnt7BYo
Length: 16min 22sec (982 seconds)
Published: Mon Jan 29 2018