What are best practices where Okta MFA SSO interfaces with Salesforce or Google IdP and AD?
A bit more background... seeking a best-practices approach for iOS, Android, Windows and OS X desktops, etc.
Network Topology: Abizinabox.com
External: 22.214.171.124 to .110
192.168.50/27, 192.168.51/27, 192.168.22/27
PDC: DC-01 (.55), Windows Server 2008R2
BDC: APP-02 (.57), Windows Server 2008R2
APPS: 126.96.36.199 – OS X 10.10 – Open Directory Server
Okta Enterprise Multi-Factor SSO
Okta Universal Directory as ultimate IdP
Google Authenticator, SMS and back-up passwords
SAML enabled wherever available
Okta Active Directory Agent and LDAP Agents tied into the office network
Google For Work
Two-Factor Authentication: Google Authenticator, SMS, application passwords
Google MDM for iOS and Chrome
Google SAML set up as IdP with AWS IAM for control
A lot of customers use the AD and LDAP Agents and Okta MFA to create an "Okta Sign On Policy" that enforces the use of MFA when employees are 'Off-network', for example when they are working at home. This type of MFA use case can also be useful as a way of retiring a VPN solution, which you may have protecting external employee access to certain protected applications. You know you will be able to replace the VPN with Okta MFA if you have configured a SAML only partnership with the SAML capable application and Okta. In your case this can be done with Salesforce and Google in SAML mode.
Here is where you find this: Security > Authentication > Multifactor
Some other customers, still, will combine access to apps in Okta with integration (in order to invoke a VPN session) with their existing VPN using the Okta RADIUS Agent.
If you have a lot of mobile access to apps and you have an Okta mobile product, you might also be defining an 'Okta Mobile' native app policy under Security > Policies > Mobile.
Edward Holliday, Principal Technical Consultant, Okta
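The "MFA only when off-network" sign-on policy described in the answer above is easier to reason about when the rule evaluation is written out. The following is an added example, not Okta's code and not something from the original thread: it models a sign-on policy as an ordered list of rules with a network condition ("ZONE", "NOT_ZONE", "ANYWHERE"), checks the client IP against a network zone built from the internal /27 subnets in the topology above plus a constructed public egress block (203.0.113.0/28, a documentation range standing in for the real external block, which is not reproduced here), and returns the decision a practitioner would expect: password only on-network, password plus a second factor off-network, and forced enrollment when a factor is required but the user has none. An address that cannot be parsed is deliberately treated as off-network so the failure mode is "ask for MFA", not "skip it". The rule names, the policy shape and the decision dictionary are this example's own assumptions, not Okta API objects.

```python
"""Model of an Okta-style "require MFA when off-network" sign-on policy.

Added example (not Okta's code). The zone, rules and decision format are
assumptions made for illustration; Okta evaluates the real policy itself.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Network zone: the office's public egress block plus the internal subnets
# from the topology in the question. 203.0.113.0/28 is a constructed
# placeholder (TEST-NET-3) for the real external range.
OFFICE_ZONE = [
    ipaddress.ip_network("203.0.113.0/28"),
    ipaddress.ip_network("192.168.50.0/27"),
    ipaddress.ip_network("192.168.51.0/27"),
    ipaddress.ip_network("192.168.22.0/27"),
]


@dataclass(frozen=True)
class SignOnRule:
    """One rule of a sign-on policy; rules are evaluated in order, first match wins."""
    name: str
    network: str          # "ZONE" (client IP in zone), "NOT_ZONE" or "ANYWHERE"
    access: str           # "ALLOW" or "DENY"
    require_factor: bool  # prompt for a second factor after the password


# Hypothetical policy for the use case in the answer: on-network users get
# password-only sign-on, everyone else must present a second factor.
OFF_NETWORK_MFA_POLICY: List[SignOnRule] = [
    SignOnRule("on-network-password", "ZONE", "ALLOW", require_factor=False),
    SignOnRule("off-network-mfa", "NOT_ZONE", "ALLOW", require_factor=True),
    SignOnRule("default", "ANYWHERE", "ALLOW", require_factor=True),
]


def in_zone(client_ip: str, zone: Sequence[ipaddress._BaseNetwork] = OFFICE_ZONE) -> bool:
    """True if client_ip lies inside any network of the zone.

    An unparsable or empty address is treated as outside the zone, so a
    missing client IP fails towards requiring MFA rather than skipping it.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in zone)


def matches(rule: SignOnRule, on_network: bool) -> bool:
    """Does the rule's network condition apply to this sign-on attempt?"""
    if rule.network == "ANYWHERE":
        return True
    if rule.network == "ZONE":
        return on_network
    if rule.network == "NOT_ZONE":
        return not on_network
    raise ValueError(f"unknown network condition {rule.network!r}")


def evaluate(client_ip: str,
             enrolled_factors: Sequence[str],
             policy: Sequence[SignOnRule] = OFF_NETWORK_MFA_POLICY,
             zone: Sequence[ipaddress._BaseNetwork] = OFFICE_ZONE) -> Dict[str, object]:
    """Return the sign-on decision for one authentication attempt.

    enrolled_factors lists the user's enrolled second factors (e.g. a TOTP
    app); when a factor is required and none is enrolled, the user would be
    walked through enrollment before the session is granted.
    """
    on_network = in_zone(client_ip, zone)
    for rule in policy:
        if matches(rule, on_network):
            return {
                "rule": rule.name,
                "on_network": on_network,
                "access": rule.access,
                "require_factor": rule.require_factor,
                "enroll_required": rule.require_factor and not enrolled_factors,
            }
    # No rule matched: deny closed rather than fall through to an open session.
    return {"rule": None, "on_network": on_network, "access": "DENY",
            "require_factor": False, "enroll_required": False}


if __name__ == "__main__":
    # Constructed sample sign-on attempts: internal host, office egress,
    # a home connection, and a broken/missing client IP.
    for ip in ("192.168.50.12", "203.0.113.5", "198.51.100.77", ""):
        print(f"{ip or '<no ip>':>16} -> {evaluate(ip, ['token:software:totp'])}")
```

Two caveats for the real deployment that the model makes visible: the decision hinges entirely on the client IP Okta observes, so a proxy or load balancer in front of users must be configured as a trusted source of the forwarded address or every user will look on-network (or off-network); and replacing a VPN with this policy only works if the application side is genuinely SAML-only, i.e. the app's own password login is disabled, otherwise the MFA gate can be bypassed by logging in at the app directly.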