Hi, I am curious if it is feasible to expose the IWA server to the web so that remote domain joined clients can use SSO when accessing VPN. It's very annoying to have a user log into their laptop w/ cache credentials, and then have to re-enter those same credentials for Okta during VPN initialization. It would be ideal if the SSO works at this stage, and that we layer 2FA on top of the VPN via Okta push or something like that....
A current workaround we are working on is pre-login VPN, but this is extremely clunky and proving to be a challenge.
Having a SSO solution that requires access to a specific server in back office seems unfeasible to me. I must be misunderstanding something...?
Thanks for reaching out to the Support Community today! While IWA Agent is designed to work primarily for users that are accessing the web from on-network devices, it is possible (though not recommended) to open the IWA server to the web to allow off-network devices. This would entail adding the IP addresses in the trusted network zone in Okta as well as opening the external traffic on your network's firewall. Under these conditions, the previously off-network, domain-joined machine is now considered on-network and Desktop SSO will be enforced.
As for 2FA, MFA enrollment policies can be defined under Security >> Multifactor, and MFA Sign-On Policies for RADIUS authentication can be further defined under Security >> Authentication >> Sign On tab. Reference link: https://help.okta.com/en/prod/Content/Topics/Security/MFA.htm
Alternatively, MFA Sign-On policies for Radius authentication can now also be defined using the Radius App (access to the Radius App would need to be requested to and enabled by Support). Reference link: https://help.okta.com/en/prod/Content/Topics/Security/Okta_Radius_App.htm
If you have any further questions that may be specific to your environment, I would definitely recommend opening a new case with Support for further guidance; otherwise, feel free to pose any additional questions here.
Aleks Bulajic Technical Support Engineer Okta Global Customer Care
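The answer above turns on one mechanism: a client whose source IP falls inside a trusted network zone is treated as on-network and gets Desktop SSO, and exposing the IWA server to the web only works by widening that zone. The following Python is an added illustration of that trade-off, not Okta's code or API; the zone names and CIDR ranges are constructed sample values, and `client_treatment` / `overly_broad_zones` are hypothetical helper names. It models the on-network decision and adds a simple lint that flags zone entries wide enough to make arbitrary internet clients count as on-network.

```python
import ipaddress

# Constructed sample trusted-network zones (example values, not a real tenant's).
TRUSTED_ZONES = {
    "corp-office": ["203.0.113.0/24"],
    "corp-vpn": ["198.51.100.0/25"],
}


def _networks(cidrs):
    """Parse a list of CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def client_treatment(client_ip, zones=TRUSTED_ZONES):
    """Model the behaviour described in the answer: a client inside any trusted
    zone is 'on-network' (Desktop SSO applies); anything else is 'off-network'
    and must authenticate. Returns (treatment, matching_zone_name)."""
    ip = ipaddress.ip_address(client_ip)
    for name, cidrs in zones.items():
        if any(ip in net for net in _networks(cidrs)):
            return ("on-network", name)
    return ("off-network", None)


def overly_broad_zones(zones=TRUSTED_ZONES, max_hosts=65536):
    """Flag zone entries covering more than max_hosts addresses. A catch-all
    range (the practical effect of treating 'the web' as trusted) shows up
    here, which is the condition under which the on/off-network distinction
    stops meaning anything. Returns a list of (zone, cidr, address_count)."""
    findings = []
    for name, cidrs in zones.items():
        for net in _networks(cidrs):
            if net.num_addresses > max_hosts:
                findings.append((name, str(net), net.num_addresses))
    return findings


if __name__ == "__main__":
    # Normal zones: office client is on-network, an arbitrary internet client is not.
    print(client_treatment("203.0.113.7"))
    print(client_treatment("8.8.8.8"))
    print(overly_broad_zones())

    # Widening the zone so remote laptops match also makes every other IP match.
    widened = dict(TRUSTED_ZONES, internet=["0.0.0.0/0"])
    print(client_treatment("8.8.8.8", widened))
    print(overly_broad_zones(widened))
```

Running the block shows the point of the "not recommended" caveat: once the zone is widened far enough to cover roaming clients, an unrelated internet address is classified exactly like a machine in the office, and only the remaining controls (domain membership, the firewall in front of the IWA server, MFA) separate the two.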
Excellent, thanks. I might open a ticket, but curious if there's any way to have this cache the user for a given time period. It might be a good compromise rather than trying to get SSO to work, we could prompt for password fewer times if Okta would just recognize the user somehow.
So far, this is reset upon reboot even when you check "remember me". If it allows them to save creds for at least a week or so that would be awesome. We have so many factors (push, certs etc), that we are trying to actually bypass this step to save the user from some annoyance :)