Using Multiple Okta IWA Web Agents
Overview
Deploying multiple Okta Integrated Web Authentication (IWA) Web Agents across various servers provides redundancy, load balancing, and scalability for on-premises Desktop Single Sign-On (DSSO).
The Okta IWA Web Agent is a lightweight Internet Information Services (IIS) web application that allows seamless on-premises DSSO into Okta and Okta-secured applications from a domain-joined Windows PC in an organization's network. This authentication requires enabling Delegated Authentication (DelAuth) in the Active Directory (AD) domain integration settings in Okta.
When a user accesses Okta or an Okta-secured application, Okta redirects the DelAuth request to the Okta IWA Web Agent on a domain-joined member server. The agent automatically passes the user's active Windows session credentials to AD for authentication. Upon successful authentication, the agent returns the response to Okta, which continues evaluating the application's authentication policy.
Review the following diagram to understand the authentication flow between the user, Okta, the IWA Web Agent, and Active Directory.
Applies To
- Okta Classic Engine
- Directories
- Okta Integrated Web Authentication (IWA) Web Agent
Solution
What are the benefits of deploying multiple Okta IWA Web Agents?
Deploying multiple Okta IWA Web Agents across various servers offers significant advantages. Review the following key benefits.
- Redundancy and High Availability: Deploying multiple Okta IWA Web Agents ensures high availability. With only a single IWA Web Agent, if that agent or its hosting server fails, or if the agent encounters an issue, all authentication stops, locking users out of applications and services.
- Load Balancing: Deploying multiple Okta IWA Web Agents allows for load balancing. In scenarios where numerous users continuously authenticate, a single IWA Web Agent can become overwhelmed, resulting in slower authentication times, timeouts, or errors.
- Geographic Distribution: In distributed or global environments, deploying multiple IWA Web Agents across servers in different geographic locations improves performance by reducing latency.
- Failover Capability: Multiple deployed IWA Web Agents allow the system to fail over from one agent to another if the primary agent fails or becomes unreachable. This automatic failover capability results in zero downtime and requires no manual intervention, ensuring continuous service availability.
- Scalability: As authentication requests increase, deploying multiple Okta IWA Web Agents across servers enables the authentication infrastructure to scale, managing increased load efficiently while maintaining performance.
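The redundancy and failover benefits above only hold if every deployed agent is actually reachable, so a practitioner will want a periodic check that each agent in the pool still answers. The following PowerShell script is an added example, not code from Okta or from the IWA Web Agent itself. It assumes the agent host names (`iwa1.example.com`, `iwa2.example.com`) are placeholders for your own servers, and that `/IWA/authenticated.aspx` is the agent's test page; both are assumptions to adjust for your deployment. It is meant to run from a domain-joined Windows host, since `-UseDefaultCredentials` sends the current Windows session identity, the same credential path a real DSSO request relies on.

```powershell
# Added example (not Okta's own code): probe every IWA Web Agent in a
# multi-agent deployment and report which ones still answer, so that a loss
# of redundancy is noticed before the last agent fails.
#
# Assumptions: the host names below are placeholders, and the probe path
# /IWA/authenticated.aspx is assumed to be the agent's test page. Adjust both
# to match your environment.

$AgentUrls = @(
    'https://iwa1.example.com/IWA/authenticated.aspx',   # placeholder host
    'https://iwa2.example.com/IWA/authenticated.aspx'    # placeholder host
)

function Test-IwaAgent {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [int] $TimeoutSec = 10
    )
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # -UseDefaultCredentials presents the current Windows session identity,
        # so the probe exercises the same credential path as a real DSSO request.
        # -UseBasicParsing avoids a dependency on Internet Explorer's DOM parser.
        $resp = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -TimeoutSec $TimeoutSec
        $sw.Stop()
        [pscustomobject]@{
            Url        = $Url
            Healthy    = ($resp.StatusCode -eq 200)
            StatusCode = $resp.StatusCode
            LatencyMs  = $sw.ElapsedMilliseconds
            Error      = $null
        }
    } catch {
        # Timeouts, TLS failures, 401/403 from the agent, and DNS errors all land here.
        $sw.Stop()
        [pscustomobject]@{
            Url        = $Url
            Healthy    = $false
            StatusCode = $null
            LatencyMs  = $sw.ElapsedMilliseconds
            Error      = $_.Exception.Message
        }
    }
}

$results = foreach ($u in $AgentUrls) { Test-IwaAgent -Url $u }
$results | Format-Table -AutoSize

# Exit code reflects the state of the pool so a scheduler or monitoring job can alert on it:
#   0 = all agents healthy, 1 = some agents down (reduced redundancy), 2 = no agent answering.
$healthy = @($results | Where-Object { $_.Healthy }).Count
if ($healthy -eq 0) {
    Write-Warning "No IWA Web Agent answered; IWA DSSO is unavailable and Okta will fall back to the default login."
    exit 2
} elseif ($healthy -lt $AgentUrls.Count) {
    Write-Warning "Only $healthy of $($AgentUrls.Count) IWA Web Agents answered; redundancy is reduced."
    exit 1
}
exit 0
```

Run it as a scheduled task under a domain account from a member server; the distinction between exit code 1 and 2 matters because a pool that is down to one working agent still serves users, but has silently lost the failover protection this section describes.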
What considerations apply when using Okta IWA Web Agents?
Review the following considerations regarding Okta IWA Web Agent deployments.
- Okta IWA DSSO is only available in the Okta Classic Engine. The Okta Identity Engine (OIE) does not support IWA DSSO.
- Okta has deprecated IWA DSSO in favor of Agentless DSSO (ADSSO), which eliminates the burden of using an IWA Web Agent. ADSSO is available in both Okta Classic Engine and OIE.
- If administrators configure both ADSSO and IWA DSSO in an Okta Classic Engine environment, Okta uses IWA as the failover for ADSSO. If IWA also fails, Okta fails over to the Okta default login.
- IWA is not available in OIE. If ADSSO fails, Okta fails over to the Okta default login.
