Configure the Symantec VIP authenticator

Symantec Validation and ID Protection Service (VIP) is a cloud-based authentication service that enables secure access to networks and applications.

To enable this authenticator, you first obtain a certificate from the Symantec VIP Manager and then upload it to Okta. When Symantec VIP is enabled, Symantec VIP-registered users who select it when authenticating are prompted to enter a time-based passcode generated by the Symantec VIP app.

Before you begin

Gather and record the following information before you enable this authenticator or update the certificate:

  • An admin account in Symantec VIP Manager.

  • A certificate from Symantec VIP Manager in .p12 (PKCS#12) file format.

  • The password you entered when you obtained the certificate.

Enable Symantec VIP as an authenticator

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Add Authenticator.
  3. Click Add on the Symantec VIP tile.
  4. Click Browse and select the certificate that you obtained from Symantec VIP Manager.
  5. Enter the password that you used when you obtained the certificate from Symantec VIP Manager in the Your VIP Manager password field.
  6. Click Add.

Replace the Symantec VIP certificate through the Okta Admin Console

Perform these steps if you need to replace the certificate, such as before it expires. Certificates are typically valid for two years. The expiration date is shown in Certificate details on the Setup tab.

  1. Obtain a new certificate from Symantec VIP Manager.
  2. In the Admin Console, go to Security > Authenticators.
  3. On the Setup tab, find Symantec VIP and then click Actions > Edit.
  4. Click Replace certificate.
  5. Click Browse to select the certificate that you obtained from Symantec VIP Manager.
  6. Type the password that you used when you obtained the certificate from Symantec VIP Manager in the Your VIP Manager password field.
  7. Click Add.

Add Symantec VIP to an authentication enrollment policy

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Enrollment tab, add a new authentication policy.
  3. Click Add Multifactor Policy.
  4. Enter a name.
  5. Assign the policy to groups.
  6. Select Optional or Required for Symantec VIP.
  7. Click Create Policy.
  8. Add rules to the policy. See Configure an authenticator enrollment policy rule.

Edit an authentication enrollment policy

  1. In the Admin Console, go to Security > Authenticators.
  2. Select the Enrollment tab.
  3. Select the policy that you want to edit and click Edit.
  4. In Effective factors, set Symantec VIP to Optional or Required.
  5. Click Update Policy.

End-user experience

First-time authentication

The first time you sign in to Okta after your admin has configured Symantec VIP as an authenticator in Okta, you're prompted to set up Symantec VIP.

  1. Make sure you've installed the VIP Access app on your mobile device.
  2. In the web browser on your computer, sign in to your Okta org.
  3. Click Set up.
  4. On your mobile device, open the VIP Access app:
  5. In the web browser on your computer, enter the following information on the Set up Symantec VIP page:
    • Credential ID (no spaces)
    • Security code 1. Enter the six-digit code from the VIP Access app.
    • Security code 2. Enter the next six-digit code from the VIP Access app. Enter all codes in the same order as they appear in the app.
  6. Click Enroll.

Subsequent authentications

  1. In the web browser on your computer, enter your Okta username to sign in to your Okta org.
  2. Click Select for Symantec VIP.
  3. Enter your Okta password and click Verify.
  4. On your mobile device, open the VIP Access app to obtain a six-digit security code.
  5. In the web browser on your computer, enter the security code in the Enter security code field on the Verify with Symantec VIP page.
  6. Click Verify.

About rate limiting for OTP authenticators

To protect your sensitive corporate resources from unauthorized access, Okta enforces a rate limit on unsuccessful authentication attempts from your Okta-enrolled third-party OTP authenticators. A cumulative limit of five unsuccessful authentication attempts from the following authenticators is enforced over a rolling five-minute period:

  • Google Authenticator
  • Symantec VIP
  • YubiKey Authenticator

If unsuccessful authentications exceed the rate limit:

  • Authentication isn't allowed until the rate limit passes.
  • Okta returns HTTP status code 429, "too many requests".
  • A message appears on the user interface and is written to the System Log.
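
For monitoring, the same threshold can be applied to exported authentication events to find accounts that reached the limit. The following is an added example, not Okta code: the event tuple layout, the per-user counting, and the sample data are assumptions constructed for illustration and do not reflect the System Log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from this page: five failures, rolling five minutes, three authenticators.
LIMIT = 5
WINDOW = timedelta(minutes=5)
COUNTED = {"Google Authenticator", "Symantec VIP", "YubiKey Authenticator"}

def users_reaching_limit(events):
    """Return {user: time of the failure that brought the user to LIMIT}.

    events: iterable of (iso_timestamp, user, authenticator, succeeded).
    Assumed layout for this example; failures are counted per user and
    cumulatively across the COUNTED authenticators. Successes are ignored.
    """
    recent = defaultdict(deque)  # user -> failure times still inside WINDOW
    reached = {}
    for ts, user, authenticator, succeeded in sorted(events):
        if succeeded or authenticator not in COUNTED:
            continue
        now = datetime.fromisoformat(ts)
        window = recent[user]
        window.append(now)
        # Drop failures that have aged out of the rolling window.
        while now - window[0] >= WINDOW:
            window.popleft()
        if len(window) >= LIMIT and user not in reached:
            reached[user] = now
    return reached

# Constructed sample events (not real log data).
SAMPLE = [
    # alice: five failures across three authenticators within 4m30s.
    ("2024-01-15T09:00:00", "alice@example.com", "Symantec VIP", False),
    ("2024-01-15T09:01:00", "alice@example.com", "Google Authenticator", False),
    ("2024-01-15T09:02:00", "alice@example.com", "Symantec VIP", False),
    ("2024-01-15T09:03:00", "alice@example.com", "YubiKey Authenticator", False),
    ("2024-01-15T09:04:30", "alice@example.com", "Symantec VIP", False),
    # bob: five failures, but spread so no five fall inside one window.
    ("2024-01-15T09:00:00", "bob@example.com", "Symantec VIP", False),
    ("2024-01-15T09:02:00", "bob@example.com", "Symantec VIP", False),
    ("2024-01-15T09:04:00", "bob@example.com", "Symantec VIP", False),
    ("2024-01-15T09:06:00", "bob@example.com", "Symantec VIP", False),
    ("2024-01-15T09:08:00", "bob@example.com", "Symantec VIP", False),
]

if __name__ == "__main__":
    for user, when in users_reaching_limit(SAMPLE).items():
        print(f"{user} reached {LIMIT} failed OTP attempts at {when.isoformat()}")
```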

Known issue

Users are unenrolled from their other, non-Okta Symantec VIP enrollments when they remove their Okta-based enrollment from their Okta Settings page. If this happens, they need to re-enroll in their non-Okta-based Symantec VIP enrollments.