This article explains the X-Forwarded-For (XFF) header and how it relates to Okta.

• X-Forwarded-For Header

The public IP address of the app is automatically used as the client IP address for the request. Okta supports the standard X-Forwarded-For HTTP header to forward the originating client's IP address if the app is behind a proxy server or acting as a sign-in portal or gateway.

NOTE: The public IP address of the trusted web app must be a part of the allowlist in the org's network security settings as a trusted proxy to forward the user agent's original IP address with the X-Forwarded-For HTTP header.

Related References

• How Okta Evaluates the IP Address while Using an IP Zone in a Policy
• IP Address
• Getting the most out of Okta ThreatInsight
• Securing RADIUS Authentication Against Malicious Logins