2FA and Okta

  • 23 June 2022
  • 5 replies
  • 256 views

Userlevel 2
Badge +4

Hi all.

Just wanted to share here that although Okta is not officially supported we have been able to get it work for 2FA as a basic Other standalone time-based PIN.

 

We set 2FA against a group and then place users in one at a time.

 

I wrote a couple of docs about it if anyone would like the details.

 

 


5 replies

Userlevel 2
Badge +4

Hello.

 

Yes, you are correct.  We preferred this way as it doesn’t require a change to the organisational OKTA config.

We have break glass accounts with complex, protected passwords that we would use in the event of an issue with 2FA on our regular admin accounts.

Userlevel 7
Badge +19

This procedure above is not based on SAML but is the internal 2FA functionality that requires a PIN. For your information OKTA is based on SAML and Commvault supports SAML, so as long both parties keep on adhering to standard it will just work. We are using it ever since Commvault added support for SAML and we use it in reseller mode e.g. by sending the group in the SAML a users get's access to one or multiple tenants (companies) our administrative accounts leverage Commvault built-in 2FA just so we can still access the CommCell in case OKTA is down. 

Userlevel 2
Badge +4

Commvault 2FA Design

 

 

purpose of this document

This document describes the design of a Multi-Factor Authentication login process for the CBS Commcell.

 

abbreviation table

 

CV

Commvault

Commcell

The CV infrastructure and the clients it protects.

 

 

OverView

 

The Commcell uses internal local accounts and passwords for administrative login.  Enabling 2FA will add an additional level of security with a time-based PIN also required for login.

A mobile app will be used to provide this PIN, which is valid for 30 seconds until rollover.

It will utilise the existing Okta app, adding the Commcell login as a standalone, none-organisational entry, thus no login or user information is passed between the Commcell and the user device.

Minimal configuration is required for 2FA functionality.

Further information can be found here:

https://documentation.commvault.com/11.24/essential/107087_two_factor_authentication_for_your_commcell_environment.html

 

 

PreRequisites

 

The email facility will be disabled via a Commcell additional setting:

https://documentation.commvault.com/additionalsetting/details?name=%22DisableTFAEmail%22&id=10743

 

The Commserve Management server must have an authoritative time source that matches the time source of the mobile app device.  The current domain-joined management servers have this.

 

 

 

Detailed Design

 

Two-factor authentication is configured in the Commcell at group level.

A group “2FA” will be created and users moved individually into this group as 2FA is added for them.

2FA requires an initial input of the secret key to the user app and this can be done via QR code scan or manual entry via email.

To minimise the risk of this informational email being intercepted and used by an attacker, the email facility will be disabled.

A zoom session will be arranged with the user and the process will be as follows:

  • The user is placed in the 2FA group
  • The user attempts to login to the Commcell Command Center.
  • A QR code is displayed.  The user scans this into the Okta app using +, Other, Scan a QR Code
  • The app configures and a PIN is displayed.
  • The user logins to the Commcell Console with username, password pin (i.e. the pin is typed immediately after the password)

 

 

 

Userlevel 2
Badge +4

I can’t seem to attach so will try and paste in.  I have sanitised and removed a couple of screenshots showing details of my corporate VPN login on the OKTA but the rest was done on my test Commcell so not a problem.

Userlevel 7
Badge +23

Absolutely!  Want to share those here?  I can tag in our security teams to join in.

Reply