Carl Miller

Need only 1 app to authenticate users bypassing desktop sso

I have one app that management has asked if this app can prompt for credentials (bypassing desktop SSO) on every login for this specific app. How can this be achieved?
Jim Knutson (Okta, Inc.)
You could create a bookmark application to just guide users to a login page. I am not sure on the use case, but if additional security is the goal, I would advise using Multi Factor Authentication for this app, where users would need to satisfy an additional requirement of an MFA Policy to access the app.
Carl Miller
Thank you for the response, Jim. I think I left out a few details that were obviously important. The app only supports IdP-initiated flow, so if it were to redirect them to the login page, it would bypass SSO altogether. We want users to be prompted for their Active Directory credentials every time they log in to this specific app, and not the application credentials, much like it would work if we didn't have desktop SSO set up. Hopefully that sheds some more light on the challenge I'm trying to resolve.
Jatin Vaidya
Hi Carl,

URL rewrite rules on IIS for Okta IWA webapp could help you.

You can find some sample rewrite rules in your web.config:

From Okta DSSO guide:

To attempt IWA authentication for specified clients, configure this action:
<action type="Rewrite" url="iwa.aspx?action=iwa" />

To skip IWA authentication for specified clients and redirect users to the Okta Sign-In page, configure this action:
<action type="Rewrite" url="iwa.aspx?action=okta" />

Carl Miller

Thank you so much for this, I will work on this and update the string if I have success.
Preston Barker
We want to do something similar but only allow SSO for installed Outlook, Skype 4 Business, and OneDrive. What did you find out, Carl?
Carl Miller
To get it to work for just 1 app, I used the sign-on rules, as I could never get the IWA action above to work. It seemed to satisfy the use case requirement I had at the time. I forced a reauthentication after XX minutes applied to all zones.