Accessing VDI Off Campus Now Requires Okta MFA

Summary

Horizon View has been updated to require Okta MFA when accessing virtual desktops from off campus. This article shows the recent changes to the user experience and what users can expect when accessing from off campus networks.

Body

On April 17th 2024, Okta MFA was added to the configuration of the edge appliances of the Horizon solution.  This achieves the University's objective of securing access to applications and services from publicly accessible IP's in regards to remote access to virtual desktops.  Access to virtual desktops on campus networks does not require 2 factor authentication.

When accessing VDI from off campus users can expect the following.  Whether html access via the portal is used or the Horizon Client, the experience is almost the same

1.  Users may notice a slight change to the dialog prompt - 'Enter your RADIUS username and passcode' - This simply equates to enter your SMU Username and Password shown below:

Web Client:

 

Horizon Client:

Simply enter your username and password as you do for other SMU SSO enabled applications.

After entering your credentials you should receive a push notification to your Okta Verify application on your registered device.

You may see this screen first and you can enter the appropriate #.

Uploaded Image (Thumbnail)

Push notification and Authentication Code through the Okta Verify app are the preferred authentication methods as SMS is soon to be deprecated and is less secure.

The push notification should be noted as it contains some possibly unexpected attributes. 

To avoid confusion these are explained - See screen shot below:

1.  VMWare Horizon View (RADIUS) is the application authenticating your credentials from Okta - This is expected

2. Location - Near Richmond CA, United States. You may not be located near Richmond CA when you are logging in and under normal circumstances this might be a consideration as to whether this is a legit login.  However in this case this is expected.  The reason for this is that it is the Radius server agent that is passing          your authentication attempt to Okta and not your device directly.  This server agent is located in SMU's Oakland data center so Okta correctly geo-locates the IP as being near Richmond, CA.  This is expected.

Details

Details

Article ID: 19224
Created
Thu 4/18/24 5:29 PM
Modified
Tue 7/30/24 6:19 PM