Skip to main content
TOTP and Okta

TOTP token rollout / assignment in Okta via PowerShell

How do you enroll / deploy many TOTP (Time-based One-Time Password) tokens (in this case OTP C200 from Feitian) to Okta users?

It all starts with the general configuration of the Custom TOTP and a manual test with one token – just to see if everything works as expected. You can read here in a previous blog post how that is done: –> FEITIAN OTP c200 mit Okta nutzen

 


After that test was successful, you can prepare the PowerShell script. You have to add your API Key, Okta Org URL and Factor Profile ID.
You can find all the files needed over in this GitHub repo: https://github.com/TomTomNavigator/TOTP-Okta-PowerShell

The script was provided by Frank Zöchling from Frankys Web – thank you again!

Gabriel Sroka, also an Okta employee, ​was so nice to have a look at the script and cleaned some things up, you can find it as well in the Github Repo as “OktaTOTPEnrollmentV2.ps1”.
Note: You will have to install the unofficial PowerShell Okta wrapper if you want to give V2 a try: GitHub – gabrielsroka/OktaAPI.psm1: Call Okta API from PowerShell — unofficial code.

WARNING: Use the script(s) at your own risk! Never trust, always verify – you know the drill! 😉


The script expects an input file (an example CSV-file is included) with all the Token IDs and Shared Secrets (also known as Seeds) – you should get such a file from your vendor. The PS script will also write back the username and Okta user ID to the file as soon as the token has been assigned. This helps to keep track of remaining tokens and which token has been assigned to which user.

 


If all preparation is done, you can run the script.


 

As you can see, the script runs in a loop. To enter the Token ID a HID barcode scanner is recommended

 

Every Token has a barcode on the back – so no need to type it – just scan it and it is entered directly in the running PowerShell script.

You can check on the user object in Okta, if it was successful. You should see a OTP c200 there (the name is the one you chose).

 

 

 

 

Leave a Reply

Your email address will not be published.