Okta Classic Engine | Single Sign-On | Answered | 2024-04-23T16:15:28.000Z | 2017-05-16T21:09:08.000Z | 2019-07-24T14:48:38.000Z

CarlM.28001 (Customer) asked a question.

Need only 1 app to authenticate users bypassing desktop sso
I have one app that management has asked if this app can prompt for credentials (bypassing desktop SSO) on every login for this specific app. How can this be achieved?

  • Jim Knutson - Okta (Okta, Inc.)

    You could create a bookmark application to just guide users to a login page. I am not sure of the use case, but if additional security is the goal, I would advise using Multi-Factor Authentication for this app, where users would need to satisfy an additional requirement of an MFA policy to access the app.

  • CarlM.28001 (Customer)

    Thank you for the response, Jim. I think I left out a few details that were obviously important. The app only supports IdP-initiated flow, so if it were to redirect them to the login page, it would bypass SSO altogether. We want users to be prompted for their Active Directory credentials every time they log in to this specific app, and not the application credentials, much like it would work if we didn't have desktop SSO set up. Hopefully that sheds some more light on the challenge I'm trying to resolve.
  • th7vu (th7vu)

    Hi Carl,

    URL rewrite rules on IIS for the Okta IWA web app could help you.

    http://www.iis.net/downloads/microsoft/url-rewrite

    You can find some sample rewrite rules in your web.config:

    C:\inetpub\wwwroot\IWA\web.config

    From the Okta DSSO guide:

    To attempt IWA authentication for specified clients, configure this action:

    <action type="Rewrite" url="iwa.aspx?action=iwa" />

    To skip IWA authentication for specified clients and redirect users to the Okta Sign-In page, configure this action:

    <action type="Rewrite" url="iwa.aspx?action=okta" />

    Regards,

    Jatin
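
One way to review such rewrite rules before deploying a change, as an added example that is not part of the original thread or of Okta's code: it lists, for each rule in an IWA web.config, whether matching clients are sent to IWA or to the Okta Sign-In page, and flags an unrecognized action value or a rule shadowed by an earlier unconditional one. The sample config, rule names, match patterns and IP ranges are constructed assumptions; only the two action URLs come from the post above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample: rule names, match patterns and conditions are assumptions;
# only the two action URLs come from the thread. The third rule has a typo.
SAMPLE = r"""<configuration><system.webServer><rewrite><rules>
  <rule name="okta-for-vpn" stopProcessing="true">
    <match url=".*" />
    <conditions><add input="{REMOTE_ADDR}" pattern="^10\.20\." /></conditions>
    <action type="Rewrite" url="iwa.aspx?action=okta" />
  </rule>
  <rule name="iwa-for-everyone" stopProcessing="true">
    <match url=".*" />
    <action type="Rewrite" url="iwa.aspx?action=iwa" />
  </rule>
  <rule name="okta-for-kiosks" stopProcessing="true">
    <match url=".*" />
    <conditions><add input="{REMOTE_ADDR}" pattern="^10\.30\." /></conditions>
    <action type="Rewrite" url="iwa.aspx?action=okat" />
  </rule>
</rules></rewrite></system.webServer></configuration>"""

def audit_iwa_rules(config_xml):
    """Return (rules, warnings) for the rewrite rules in an IWA web.config."""
    rules, warnings, catch_all = [], [], None
    for rule in ET.fromstring(config_xml).iter("rule"):
        name = rule.get("name", "?")
        action = rule.find("action")
        url = action.get("url", "") if action is not None else ""
        # The action= query parameter selects IWA or the Okta Sign-In page.
        mode = parse_qs(urlsplit(url).query).get("action", [""])[0]
        conds = [(c.get("input"), c.get("pattern")) for c in rule.iter("add")]
        rules.append((name, mode, conds))
        if mode not in ("iwa", "okta"):
            warnings.append(f"{name}: unknown action '{mode}'")
        # A condition-less rule is treated as matching every client, which
        # holds when all rules share one match pattern, as in the sample.
        if catch_all:
            warnings.append(f"{name}: shadowed by unconditional rule '{catch_all}'")
        elif not conds and rule.get("stopProcessing") == "true":
            catch_all = name
    return rules, warnings

if __name__ == "__main__":
    rules, warnings = audit_iwa_rules(SAMPLE)
    for name, mode, conds in rules:
        print(f"{name:18} -> {mode:5} when {conds or 'always'}")
    print(*warnings, sep="\n")
```
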
  • CarlM.28001 (Customer)

    Jatin,

    Thank you so much for this, I will work on this and update the string if I have success.
  • ukiob (ukiob)

    We want to do something similar but only allow SSO for installed Outlook, Skype for Business, and OneDrive. What did you find out, Carl?
  • CarlM.28001 (Customer)

    To get it to work for just 1 app, I used the sign-on rules, as I could never get the IWA action above to work. It seemed to satisfy the use case requirement I had at the time. I forced a reauthentication after XX minutes, applied to all zones.
  • SivaDesetti (Waste Management)

    Yes, possible. Under Security --> Identity Providers --> Routing rules, you should be able to filter apps that do not need SSO (any small mistake will screw up the entire login behavior). Hope this helps.

This question is closed.