Common Desktop SSO URL Rewrite Rules
Published: Jun 29, 2017   -   Updated: Jul 10, 2017
This document contains examples of common IIS Rewrite rules that allow Desktop SSO to be skipped by specific browsers or operating systems.  For more information, please refer to the "Skipping IWA authentication for specified clients" section here.

Skip IWA SSO for IP Range:
        <rule name="Skip IWA SSO for IP Range" stopProcessing="true">
          <match url="^$" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{REMOTE_ADDR}" pattern="xxx\.xxx\.xxx\.[x-x]" />
          </conditions>
          <action type="Rewrite" url="iwa.aspx?action=okta" />
        </rule>

Note: substitute your IP address or range in the <add input> line.

Skip IWA SSO for OS X:
        <rule name="Skip IWA SSO on OS X" stopProcessing="true">
          <match url="^$" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{HTTP_USER_AGENT}" pattern="Mac OS X" />
          </conditions>
          <action type="Rewrite" url="iwa.aspx?action=okta" />
        </rule>
 
Skip IWA SSO for Windows:
        <rule name="Skip IWA SSO on Windows" stopProcessing="true">
          <match url="^$" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{HTTP_USER_AGENT}" pattern="Windows" />
          </conditions>
          <action type="Rewrite" url="iwa.aspx?action=okta" />
        </rule>
 
Skip IWA SSO on all Chrome browsers:
 
Pattern for specific browsers:
.*IE
.*Chrome
.*Firefox
.*Safari
.*Edge
 
        <rule name="Skip IWA SSO on Chrome" stopProcessing="true">
          <match url="^$" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{HTTP_USER_AGENT}" pattern=".*Chrome" />
          </conditions>
          <action type="Rewrite" url="iwa.aspx?action=okta" />
        </rule>
     
Skip IWA SSO for specific clients on Windows or OS X:
 
Note: If you want more than one client to ignore the IWA SSO, a different rule must be added for each client. Also, each rule must have a different name.
 
<rewrite>
  <rules>
    <clear />
    <rule name="Skip IWA SSO on Windows Firefox" stopProcessing="true">
      <match url="^$" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTP_USER_AGENT}" pattern="Windows.*Firefox" />
      </conditions>
      <action type="Rewrite" url="iwa.aspx?action=okta" />
    </rule>

    <rule name="Skip IWA SSO on Windows Chrome" stopProcessing="true">
      <match url="^$" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTP_USER_AGENT}" pattern="Windows.*Chrome" />
      </conditions>
      <action type="Rewrite" url="iwa.aspx?action=okta" />
    </rule>

    <rule name="Skip IWA SSO on Mac OS X Chrome" stopProcessing="true">
      <match url="^$" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTP_USER_AGENT}" pattern="Mac OS X.*Chrome" />
      </conditions>
      <action type="Rewrite" url="iwa.aspx?action=okta" />
    </rule>
  </rules>
</rewrite>
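
An added example, not part of the original article or Okta's own code: a small Python check that loads the rule set above and reports which rule fires first for a given User-Agent, rejecting duplicate rule names. It assumes IIS's default case-insensitive, unanchored condition matching and that the root request reaches `<match>` as an empty path; the User-Agent strings are constructed samples, and `load_rules`, `first_match` and `evaluate` are names introduced here.

```python
import re
import xml.etree.ElementTree as ET

# Rule set from the section above, condensed onto fewer lines.
CONFIG = """<rewrite><rules><clear />
 <rule name="Skip IWA SSO on Windows Firefox" stopProcessing="true"><match url="^$" />
  <conditions logicalGrouping="MatchAll"><add input="{HTTP_USER_AGENT}" pattern="Windows.*Firefox" /></conditions>
  <action type="Rewrite" url="iwa.aspx?action=okta" /></rule>
 <rule name="Skip IWA SSO on Windows Chrome" stopProcessing="true"><match url="^$" />
  <conditions logicalGrouping="MatchAll"><add input="{HTTP_USER_AGENT}" pattern="Windows.*Chrome" /></conditions>
  <action type="Rewrite" url="iwa.aspx?action=okta" /></rule>
 <rule name="Skip IWA SSO on Mac OS X Chrome" stopProcessing="true"><match url="^$" />
  <conditions logicalGrouping="MatchAll"><add input="{HTTP_USER_AGENT}" pattern="Mac OS X.*Chrome" /></conditions>
  <action type="Rewrite" url="iwa.aspx?action=okta" /></rule>
</rules></rewrite>"""

def load_rules(xml_text):
    """Return <rule> elements in document order; reject duplicate names."""
    rules = ET.fromstring(xml_text).findall("./rules/rule")
    names = [r.get("name") for r in rules]
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        raise ValueError(f"duplicate rule names: {dupes}")
    return rules

def first_match(rules, path, server_vars):
    """Return (name, rewrite target) of the first rule that fires, else None."""
    for rule in rules:
        if not re.search(rule.find("match").get("url"), path, re.I):
            continue
        conds = rule.find("conditions")
        adds = [] if conds is None else conds.findall("add")
        hits = [bool(re.search(c.get("pattern"), server_vars.get(c.get("input").strip("{}"), ""), re.I))
                for c in adds]
        match_all = conds is None or conds.get("logicalGrouping", "MatchAll") == "MatchAll"
        if (all(hits) if match_all else any(hits)):
            return rule.get("name"), rule.find("action").get("url")
    return None

# Constructed User-Agent strings using the token layout each browser sends.
SAMPLES = {
    "win_chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
    "win_edge": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063",
    "win_ie11": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
}

def evaluate(config=CONFIG):
    rules = load_rules(config)
    return {k: first_match(rules, "", {"HTTP_USER_AGENT": ua}) for k, ua in SAMPLES.items()}
```

On the constructed samples, the legacy Edge string is caught by the `Windows.*Chrome` rule because Edge's User-Agent also carries a `Chrome/` token, while IE 11 matches no rule and stays on the Desktop SSO path. The User-Agent header is client-supplied, so these rules steer the sign-in flow rather than enforce access.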
 
 
Skip IWA SSO for all clients on OS X and the Firefox client on Windows:
 
<rewrite>
  <rules>
    <clear />
    <rule name="Skip IWA SSO on OS X" stopProcessing="true">
      <match url="^$" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTP_USER_AGENT}" pattern="Mac OS X" />
      </conditions>
      <action type="Rewrite" url="iwa.aspx?action=okta" />
    </rule>

    <rule name="Skip IWA SSO on Windows Firefox" stopProcessing="true">
      <match url="^$" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTP_USER_AGENT}" pattern="Windows.*Firefox" />
      </conditions>
      <action type="Rewrite" url="iwa.aspx?action=okta" />
    </rule>
  </rules>
</rewrite>
  
Allow only on specific clients and OS:
 
        <rule name="Allow the users to choose the authentication flow" stopProcessing="true">
          <match url="^$" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{HTTP_USER_AGENT}" pattern="Windows.*Chrome" />
          </conditions>
          <action type="Rewrite" url="iwa.aspx?action=menu" />
        </rule>
 
 
 
