Using Multiple Okta IWA Web Agents
Overview

The Okta Integrated Windows Authentication (IWA) Web Agent is a lightweight Internet Information Services (IIS) web app that provides seamless on-premises Desktop Single Sign-On (DSSO) into Okta and Okta-secured applications from a domain-joined Windows PC on an organization's network. This type of authentication requires Delegated Authentication (DelAuth) to be enabled and active in the AD domain integration settings in Okta.

When a user accesses Okta or an Okta-secured application, Okta redirects the DelAuth request to the Okta IWA Web Agent on a domain-joined member server. The agent automatically sends the user's active Windows session credentials to AD for authentication. Upon successful authentication, the agent returns the response to Okta so that the application's authentication policy evaluation can continue.

Authentication Flow

Applies To
  • Directories
  • Okta IWA Web Agent (IWA)
  • Okta Classic Engine
Solution

Deploying multiple Okta IWA Agents across various servers offers significant advantages to an organization. Here's a look at some of the key benefits:


Redundancy and High Availability

  • One of the most compelling reasons to deploy multiple Okta IWA agents is to ensure high availability (HA). If only a single IWA agent is deployed and the server hosting it fails, or if the agent itself encounters a problem, all authentication stops, effectively locking users out of the applications and services they need to access.

Load Balancing

  • Deploying multiple Okta IWA agents allows for load balancing. In scenarios where numerous users are continuously authenticating, a single IWA agent could become overwhelmed, resulting in slower authentication times and potentially even timeouts or errors.


Geographic Distribution

  • For organizations with a distributed or global presence, having multiple IWA agents deployed on servers in different geographical locations can improve performance by reducing latency.

Failover Capability

  • With multiple IWA agents deployed, the system can failover from one agent to another if the primary one fails or becomes unreachable for any reason. This failover capability is automatic, resulting in zero downtime and no manual intervention needed, thereby ensuring continuous service availability.


Scalability

  • As an organization grows, the number of user authentication requests can increase dramatically. Deploying multiple Okta IWA agents on various servers enables the authentication infrastructure to scale with the organization, managing increased load efficiently while maintaining performance levels.


Considerations

  • Okta IWA DSSO is only available in the Okta Classic Engine. The Okta Identity Engine (OIE) does not support IWA DSSO.
  • Okta has deprecated IWA DSSO in favor of Agentless DSSO (ADSSO), which eliminates the burden of running an IWA Agent. ADSSO is available in both Okta Classic and OIE.
  • In a Classic org, if both ADSSO and IWA DSSO are configured, IWA is used as a failover for ADSSO. If IWA also fails, authentication falls back to the Okta default login.
  • IWA is not available in OIE. If ADSSO fails, authentication falls back to the Okta default login.
