This describes how to set up Foxpass to delegate password verification to Okta.
It's under "Admin", then "Directory", then "Add Person".
Add a user named "Foxpass"
Go to "Admin", then "Security", then "Administrators". Give the "Foxpass" user Read-Only Admin rights. If you would like to keep 2FA on for requests from Foxpass, give the user Group Admin rights instead.
Log into Okta as the Foxpass user we created in step 1. Generate an API key using the instructions from http://developer.okta.com/docs/api/getting_started/getting_a_token.
Go to the Foxpass 'Authentication Settings' page. Scroll down to "Password authentication delegation". Enable it, and choose Okta.
Enter your Okta site's URL and the API key you generated above.
Okta's two-factor is compatible with Foxpass's LDAP interface. If you plan to use Foxpass's Cloud RADIUS interfaces, then using 2FA is not recommended because users will be prompted to verify 2FA at least every hour, and possibly every time the user connects to a new access point.
To disable Okta's MFA you need to add our outbound IP addresses to be "in-zone" in Okta.
First, go to the Networks page under the Security header in the admin interface. Add our two special Okta endpoints to be in an IP zone:
Then, go to the Authentication section under the Security header and select the Sign On tab. Now, add an exemption to any two-factor policy the IP zone you used previously. You can do this by selecting your MFA rule and setting "IF User's IP is: Not In Zone" and selecting the zone you added Foxpass's IP's to. Then you're all good to go!