We have several Microsoft RD Web Access Servers in our company. These Microsoft RD Web Access Servers provide a web-based login page where users have to provide their domain username and password to access published applications. For those who are familiar with Microsoft RD Web Access, is there any information or guidance on setting Okta up to access these RD Web Access sites? We would like to add our RD Web Access sites to our Okta environment to take advantage of SSO.
Any guidance on how to do this or best practices for this would be appreciated.
I would strongly suggest you work with Professional Services to do this. You'll need to use Windows Identity Foundation (WIF), modify the config for the C2WTS service so you can enable it, and then you'll need to create a WS-Fed template app in Okta.
I don't know that we have documentation on this process as it is somewhat complicated and somewhat specific to your environment.
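The answer above mentions enabling the C2WTS (Claims to Windows Token Service) as part of the WIF/WS-Fed route. As an added check that is not from the thread or from Okta, the following PowerShell script, run on an RD Web Access server, reports whether the service is present and enabled and which Windows groups its config allows to call it, so an administrator can confirm it has not been opened up more broadly than intended. The service name c2wts, the default WIF 3.5 config path, and the windowsTokenService/allowedCallers element names are assumptions taken from the default WIF install, not from this thread.

```powershell
# Added example (not from the thread): inspect the C2WTS service state and its allowed callers.
# Assumptions: service name 'c2wts'; default WIF 3.5 config path; config schema
# <windowsTokenService><allowedCallers><add value="DOMAIN\Group"/>...
$serviceName = 'c2wts'
$configPath  = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtsHost.exe.config'  # assumed default

$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$serviceName' not found. Is Windows Identity Foundation installed?"
    return
}

# Startup type is not exposed by Get-Service on older PowerShell; read it from CIM instead.
$startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'").StartMode
Write-Host "C2WTS status: $($svc.Status); startup type: $startMode"

if (-not (Test-Path -Path $configPath)) {
    Write-Warning "Config not found at $configPath; adjust `$configPath for your install."
    return
}

[xml]$cfg = Get-Content -Path $configPath -Raw
$callers = @($cfg.configuration.windowsTokenService.allowedCallers.add | ForEach-Object { $_.value })

if ($callers.Count -eq 0) {
    Write-Host 'No allowedCallers entries: only local administrators can call C2WTS.'
} else {
    Write-Host 'Accounts/groups allowed to request Windows tokens from C2WTS:'
    $callers | ForEach-Object { Write-Host "  $_" }
}

# Flag broad principals: C2WTS hands out Windows tokens for arbitrary UPNs to any allowed caller,
# so the list should contain only the application pool identity of the site that needs it.
$broad = $callers | Where-Object { $_ -match '^(Everyone|BUILTIN\\Users|Authenticated Users|.*\\Domain Users)$' }
if ($broad) {
    Write-Warning "Overly broad allowedCallers entries found: $($broad -join ', ')"
}
```

Run it in an elevated PowerShell session on the RD Web Access host before and after enabling the service; the expected outcome is a startup type of Automatic, a Running status, and an allowedCallers list limited to the identity the RD Web Access application pool runs as.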
I appreciate the quick response and will definitely do that.
Let me ask you this, my first thought was to look in the Okta Application Network. Not seeing anything there, my next thought was to use the Application Integration Wizard to create a Secure Web Access process. (I ruled out SAML since it was internal and we do not have SAML experts in house.) I did not think to contact Professional Services.
What is the best practice for deciding on a method to use for setting up an application for Single Sign-On if the application is not in the Okta Application Network? Should one proceed with the Application Integration Wizard or reach out to Okta for advice (like in this case)?
Also, if SAML 2.0 is not available, should that raise a concern? Is the Secure Web Access method considered a less secure process? Would attempting to use SWA for RD Web Access be a risky choice?
Secure Web Authentication is a viable alternative to the provided solution. Although less secure than WS-FED and SAML, forms-based authentication will still provide a desirable SSO experience. Okta offers many SWA apps where SAML and WS-FED aren't supported.
Darron, I was able to set RD Web Access up using the SWA method with the Okta plug-in. However, for this to work, the user must click the "refresh" page a few times to trigger the plug-in to populate the credentials. I tested this with Yahoo mail as a secondary test. Yahoo mail worked as expected every single time. Is there something about Microsoft RD Web Access that would require the user to refresh the page a couple of times to get things to work?
With SWA apps and the different flavors of browsers, browser security settings, add-ons, extensions, etc., this is common behavior and one of the reasons why SAML is so much more desirable. Might I suggest adjusting security settings within the browser to see if you can acquire a better experience?
We worked with the Okta Support team to get ours set up properly. We can go to the RDS site and it will log the user in. It just works. However, if the user needs a username/password for any of their programs within RDS, they will have to type in their password for that. Okta doesn't do dual-layer auth.