I am using a global redirect URL, and forcing the users in the disparate directory to their own IWA server via DNS. The /iwa/authenticated.aspx page says they are authenticating successfully. When they attempt to auth via IWA, they are directed to the IWA server, and then redirected to the /login/default page. I'm not seeing much in the logs that explains why they are sent back to the form rather than logged in.
Is the user's public gateway IP value enabled on the Okta allowed network IP ranges? First get the user to go to a web address of, say, http://www.whatsmyip.org/ to find the public gateway IP for the site.
Then you will need to add that displayed IP address. To do this, go to the Okta Admin Console, select “Security”, “Network” and add any missing IP addresses that are not already in the list. Once added, the user should be automatically logged in to Okta (rather than having to type in their AD username and password manually) and not be sent to the /login/default page.
Hi Kevin - yes, I added their gateway IP to the network definition in Okta. Like I said, when they browse to my Okta org they are redirected to their IWA app, so that part is working. The IWA app is redirecting their users back to /login/default rather than logging them in.
I'm guessing then that something is not right in the configuration with the browser maybe as the user should net get passed on to the IWA URL. Have you made the changes to the local intranet settings to send on the Kerberos credentials to the IIS webserver? If you've not seen the details, here's the link to the support page: https://support.okta.com/help/articles/Knowledge_Article/28101616-Configuring-Desktop-SSO. Sorry if you've performed these steps and I'm covering old ground here. If you have and still have problems, it's best maybe to open up a support ticket to walk through the problem.
No problem, thanks for the input. I have added their IWA site to their IE "intranet zone". The \iwa\authenticated.aspx page is successfully authenticating their users; so I think that means that IE is set up correctly?
I have opened a support case; I'll report back if we figure this out.