We have come across a problem in a few different Okta setups now where they have IWA configured. If the guest wifi network gets NATed through the same external IP as the internal network, then laptops will not be able to log into Okta. Mobile devices are fine because Okta can detect them and not redirect. Laptops on the internal wifi are fine as they can reach the IWA agents. The problem is for partners who are trying to reach Okta protected applications while on site and therefore using the wifi.
I've had a couple of ideas on how to fix this but none of them are 100% desirable.
Change the NAT'd IP for the guest network to not match the internal network - This isn't always possible.
Have the DNS on the guest network direct https://desktopsso/iwa to another web server that redirects to https://company.okta.com/login/default - needs split DNS and a web server to maintain
Allow access from the guest network to the IWA server and add this change so they get a forms login page: https://support.okta.com/help/blogdetail?id=a67F0000000XZhfIAG - This is not always allowed by the network guys
Does anyone have any better ideas? I'm sure there are better ways of doing this.
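The second workaround above (guest-network DNS pointing the IWA hostname at a small web server that bounces the browser to the Okta sign-in page) is easy to prototype. The block below is an added example, not Okta's code or anything from the original post: it assumes the IWA hostname on the guest network resolves to this server, uses the company.okta.com login URL from the post as a placeholder, and assumes the IWA redirect carries a `fromURI` query parameter (an assumption; only a relative `fromURI` is passed through, everything else is dropped so the redirector cannot be used to forward attacker-chosen parameters).

```python
"""Guest-network redirector for the split-DNS workaround.

Added example, not Okta's code. On the guest wifi, DNS for the IWA hostname
(assumed: "desktopsso") resolves to this server instead of the internal IWA
agent, so the browser gets an immediate redirect to the Okta sign-in page
instead of timing out against an unreachable agent.
"""
import os
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlencode, urlsplit

# Placeholder from the post; replace with your org's sign-in URL.
OKTA_LOGIN_URL = "https://company.okta.com/login/default"


def _safe_from_uri(value: str) -> bool:
    """Accept only a relative path so the redirect target stays on the Okta org.
    '//host/...' is rejected because browsers treat it as protocol-relative."""
    return value.startswith("/") and not value.startswith("//")


def build_redirect(request_target: str) -> tuple:
    """Return (status, Location) for any request the guest DNS sends here.

    Only a safe 'fromURI' (assumed IWA parameter) survives; all other query
    parameters are discarded. The Location host is fixed, never user-controlled.
    """
    parts = urlsplit(request_target)
    kept = [
        (key, value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if key == "fromURI" and _safe_from_uri(value)
    ]
    location = OKTA_LOGIN_URL
    if kept:
        location += "?" + urlencode(kept)
    return 302, location


class GuestRedirectHandler(BaseHTTPRequestHandler):
    """Answers every GET/HEAD with a 302 to the Okta sign-in page."""

    def do_GET(self):
        status, location = build_redirect(self.path)
        self.send_response(status)
        self.send_header("Location", location)
        self.send_header("Cache-Control", "no-store")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET


def serve(bind="0.0.0.0", port=8443, certfile=None, keyfile=None):
    """Run the redirector; with a cert/key it terminates TLS, which the
    https://desktopsso/... redirect requires (the cert must be trusted by the
    guest laptops for the IWA hostname)."""
    httpd = HTTPServer((bind, port), GuestRedirectHandler)
    if certfile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)
        httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    # Environment variables are assumed names for this example only.
    serve(
        port=int(os.environ.get("PORT", "8443")),
        certfile=os.environ.get("CERTFILE"),
        keyfile=os.environ.get("KEYFILE"),
    )
```

This does not change the NAT problem itself; it only stops the guest-network browser from hanging on the IWA URL. The server must present a certificate for the IWA hostname that the visiting laptops trust, which is the maintenance cost the post mentions.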
Has there been any resolution to this? I have the same issue, and the article, https://support.okta.com/help/blogdetail?id=a67F0000000XZhfIAG, is fairly old and references some changes that should have been completed by now.
We have the exact same issue and so far do not have any good way to address this. We had to turn off desktop SSO because of issues with our guest networks. I wish Okta would give this issue more attention.
We have this problem too. Over 100 locations now need a different IP for our guest wifi, and some can only have one. I'd like to see the public DNS for our IWA server point back to Okta. A cookie could be dropped on the browser before redirect and, if there when they end up back at Okta, it could tell them what's going on (customer/destination, etc.).
Adding to the thread. 100 sites, 100 internal LANs that work great. 100 guest wifi SSIDs that route out through the same public IP. They cannot authenticate to the IWA and it times out. Maybe a timeout of 5 seconds would say, "I clearly can't connect to IWA, let's authenticate as off-net with MFA."