Okta Classic Engine | Okta Integration Network | Answered | 2018-09-05T01:29:54.000Z | 2016-09-12T17:01:19.000Z | 2018-08-12T04:16:18.000Z
Locking down SharePoint
We are trying to set up SharePoint Online so it is only accessible internally by our users, so they are unable to access it from outside our network. We have not set up the WS-Federation with Office 365 and have set up the built-in SWA application for SharePoint (with the IP restrictions), but when we manually access SharePoint (without logging into Okta) we are still able to log in when off network.

Is there a way to set this up so whenever users go to our SharePoint site off network, they are denied access?  Do we need to proceed with the WS-Federation to make this possible?

  • Wils (Okta, Inc.)

    Hi Caleb,

     

    In SWA apps, if you go directly to the app and the user knows the password, because Okta is (and can't be) in that flow, we cannot do anything to protect access. The best solution would be to use WS-Federation to guarantee that Okta is in the flow and remove passwords as a way to access that application. 

     

    Hope that helps,

    Wils
  • CalebS.77480 (Customer)

    Thank you for the quick reply Wils!

     

    So with the WS-Federation, is it safe to say that when a user in the organization tries to access SharePoint from outside our network (as long as we have the policies set up correctly), they would be denied access?
  • Wils (Okta, Inc.)

    When using WS-Federation (or SAML), Okta will always be in the authentication flow. If the user needs to acquire a new session for the app, the app will redirect to Okta and Okta will either grant access, deny access, or ask for step-up authentication (MFA). You can set up an app sign-on policy for your SharePoint app in Okta to deny access if they are off network, and because Okta will be involved in each authentication request, they will not be able to get new SharePoint sessions. I would also make sure that your SharePoint session settings are configured to your liking, such that a user cannot log in from your network, go home, and continue to have access through that session (assuming that matters to you).
    Selected as Best
This question is closed.
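
As an added example (not part of the original thread, and not Okta or Microsoft code), here is one way to audit for the two gaps discussed above: sign-ins that still succeed off network, and sessions that start on network and keep working after the user leaves. The event format, field names, network range and sample events are all constructed assumptions.

```python
import ipaddress

# Assumed corporate egress range (documentation address space, constructed).
CORP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample events in a simplified, hypothetical format:
# (timestamp, user, session_id, event, source_ip)
EVENTS = [
    ("2018-08-01T09:00:00Z", "alice", "s1", "signin",  "203.0.113.10"),
    ("2018-08-01T09:05:00Z", "alice", "s1", "request", "203.0.113.10"),
    ("2018-08-01T19:30:00Z", "alice", "s1", "request", "198.51.100.7"),
    ("2018-08-01T10:00:00Z", "bob",   "s2", "signin",  "198.51.100.9"),
    ("2018-08-01T11:00:00Z", "carol", "s3", "signin",  "203.0.113.44"),
    ("2018-08-01T11:20:00Z", "carol", "s3", "request", "203.0.113.44"),
]

def on_network(ip):
    """True if the source address falls inside a corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)

def audit(events):
    """Return findings as (kind, user, session_id, timestamp, source_ip)."""
    findings = []
    signin_on_net = {}   # session_id -> did the sign-in come from on network?
    reported = set()     # sessions already flagged as roamed
    for ts, user, sid, event, ip in sorted(events):  # ISO timestamps sort in time order
        inside = on_network(ip)
        if event == "signin":
            signin_on_net[sid] = inside
            if not inside:
                # A sign-in path the off-network deny rule did not cover,
                # for example a direct password login as in the SWA case.
                findings.append(("off_network_signin", user, sid, ts, ip))
        elif not inside and signin_on_net.get(sid) and sid not in reported:
            # Session was created on network and is still usable elsewhere:
            # the session-lifetime caveat from the accepted answer.
            reported.add(sid)
            findings.append(("session_roamed_off_network", user, sid, ts, ip))
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(finding)
```

An `off_network_signin` finding points at an authentication path that bypasses the sign-on policy; a `session_roamed_off_network` finding points at session settings that outlive the network check.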