Greg Howley

MFA issue

We have a partner company that we provide some services for (mail, desktop, etc.).
We are also rolling out MFA to Google Apps using RSA as the second factor. The MFA is set up to only enforce off prem.
Users in the partner company should not get MFA enforced when they are on their network. If I add their gateway IP addresses to the Network definition, they get errors because they can't resolve the sync server in our network.
Is there a way to resolve this within Okta or do I have to get the two network teams to work out a trust model?
Mihai Balasa (Okta, Inc.)

Unfortunately Okta does not have control over how the IPs are resolved.
You could check whether enabling the 'Obey X-Forwarded-For header for specified Public Gateway IPs' option solves the issue (this option can be found under Security > Network).

However, there is a workaround: add the affected users (from the partner company) to a separate group and then target app sign-on rules to it, in order to exempt them from the MFA prompt. It will, however, defeat the purpose of targeting them as being on network.

Thank you,
Mihai Balasa
Okta Tier 2 Support

Greg Howley
That workaround will negate MFA for the group entirely, correct?
Greg Howley
Turns out the issue was actually with IWA. Putting the partner's gateway IPs in a separate zone, then defining the IWA for our own IP zone solves the sync server issue. MFA is enabled for all "on prem" zones, enforced with rules in any app requiring MFA.