What are best practices where Okta MFA SSO interfaces with salesforce or Google IdP and Ad?
Jordan Zoot

A bit more background... seeking a best practices approach for iOS, Android, Win and OS X desktops etc.

Network Topology:
Abizinabox.com

External 75.110.232.105 to .110
192.168.50/27, 192.168.51/27, 192.168.22/27
PDC DC-01 .55 Windows Server 2008R2
BDC APP-02 .57 Windows Server 2008R2
APPS 199.229.252.241 – OS X 10.10 – Open Directory Server

Okta Enterprise Multi-Factor SSO

Okta Universal Directory as ultimate IdP
Google Authenticator, SMS and Back-up Passwords
SAML Enabled Wherever available
Okta Active Directory Agent and LDAP Agents tied into office network

Google For Work

Two Factor Authentication
Google Authenticator, SMS, Application Passwords
Google MDM for iOS and Chrome
Google SAML set up as IdP with AWS IAM for control

Salesforce.com

Salesforce Set Up as IDP
SAML SSO

Edward Holliday (Okta, Inc.)
Jordan,

A lot of customers use the AD and LDAP Agents and Okta MFA to create an "Okta Sign On Policy" that enforces the use of MFA when employees are 'off-network', for example when they are working at home.
This type of MFA use case can also be useful as a way of retiring a VPN solution, which you may have protecting external employee access to certain protected applications. You know you will be able to replace the VPN with Okta MFA if you have configured a SAML-only partnership between the SAML-capable application and Okta. In your case this can be done with Salesforce and Google in SAML mode.

Here is where you find this: Security > Authentication > Multifactor
[Screenshot: MFA]

Some other customers, still, will combine access to apps in Okta with integration (in order to invoke a VPN session) to their existing VPN using the Okta Radius Agent.

If you have a lot of mobile access to apps and you have an Okta mobile product, you might also be defining an 'Okta Mobile' native app policy under Security > Policies > Mobile.

[Screenshot: mobile policy]
Edward Holliday, Principal Technical Consultant, Okta
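The "require MFA when off-network" sign-on policy described in the answer above, modelled as an added example (this is illustration code, not Okta's product or API): an ordered list of rules, each matching either a trusted network zone or "anywhere", with the first match deciding whether a second factor is required. The zone uses the three office subnets from the question; the rule names, the rule shape, the sample client addresses and the fail-closed handling of unparseable addresses are assumptions made for the example.

```python
# Added illustration of an off-network-requires-MFA sign-on policy.
# Not Okta's code: rule shape, names and evaluation order are assumptions.
import ipaddress
from dataclasses import dataclass, field

# Constructed trusted network zone: the office subnets listed in the question.
OFFICE_ZONE = [
    ipaddress.ip_network("192.168.50.0/27"),
    ipaddress.ip_network("192.168.51.0/27"),
    ipaddress.ip_network("192.168.22.0/27"),
]


@dataclass
class Rule:
    """One sign-on policy rule (assumed shape for this example)."""
    name: str
    connection: str                      # "ZONE" (client inside a zone) or "ANYWHERE"
    zones: list = field(default_factory=list)
    require_factor: bool = True          # True = prompt for MFA
    access: str = "ALLOW"


def in_zone(client_ip: str, zones) -> bool:
    """True when the client address lies inside any CIDR of the zone.
    Missing or unparseable addresses are treated as off-network (fail closed)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in zones)


def evaluate(client_ip: str, rules) -> dict:
    """Ordered evaluation: the first rule whose network condition matches wins.
    With no matching rule the default is deny, which still implies MFA."""
    for rule in rules:
        if rule.connection == "ZONE" and not in_zone(client_ip, rule.zones):
            continue
        return {"rule": rule.name, "access": rule.access, "mfa": rule.require_factor}
    return {"rule": None, "access": "DENY", "mfa": True}


# The policy from the answer: on the office network a password suffices,
# from anywhere else (home, mobile, untrusted networks) a second factor is enforced.
POLICY = [
    Rule("On office network: password only", "ZONE", OFFICE_ZONE, require_factor=False),
    Rule("Everywhere else: require MFA", "ANYWHERE"),
]

if __name__ == "__main__":
    # Constructed sample clients: one office host, one home user (documentation range),
    # one request where the client address could not be determined.
    for ip in ("192.168.50.10", "203.0.113.7", "unknown"):
        print(ip, "->", evaluate(ip, POLICY))
```

Note that the zone rule is listed first and the catch-all second: reversing the order would make the "anywhere" rule match office clients too and prompt everyone for a factor, which is why ordered policies should be reviewed top to bottom. The deny default covers the case where an address cannot be placed in any zone, so a missing or malformed client address never silently downgrades to password-only access.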