Okta Classic Engine | Single Sign-On | Answered | 2025-10-05T09:00:44Z | 2017-12-26T22:31:30Z | 2021-02-12T20:34:40Z
SSO via Web?
Hi, I am curious if it is feasible to expose the IWA server to the web so that remote domain-joined clients can use SSO when accessing VPN. It's very annoying to have a user log into their laptop w/ cached credentials, and then have to re-enter those same credentials for Okta during VPN initialization. It would be ideal if the SSO works at this stage, and that we layer 2FA on top of the VPN via Okta push or something like that...


A current workaround we are working on is pre-login VPN, but this is extremely clunky and proving to be a challenge.


Having an SSO solution that requires access to a specific server in the back office seems unfeasible to me. I must be misunderstanding something...?

  • Hi John,


    Thanks for reaching out to the Support Community today! While the IWA Agent is designed to work primarily for users that are accessing the web from on-network devices, it is possible (though not recommended) to open the IWA server to the web to allow off-network devices. This would entail adding the IP addresses in the trusted network zone in Okta as well as opening the external traffic on your network's firewall. Under these conditions, the previously off-network, domain-joined machine is now considered on-network and Desktop SSO will be enforced.


    As for 2FA, MFA enrollment policies can be defined under Security >> Multifactor, and MFA Sign-On Policies for RADIUS authentication can be further defined under Security >> Authentication >> Sign On tab.

    Reference link: https://help.okta.com/en/prod/Content/Topics/Security/MFA.htm


    Alternatively, MFA Sign-On policies for Radius authentication can now also be defined using the Radius App (access to the Radius App would need to be requested to and enabled by Support).

    Reference link: https://help.okta.com/en/prod/Content/Topics/Security/Okta_Radius_App.htm


    If you have any further questions that may be specific to your environment, I would definitely recommend opening a new case with Support for further guidance; otherwise, feel free to pose any additional questions here.


    Thank you!


    Aleks Bulajic

    Technical Support Engineer

    Okta Global Customer Care

  • qnh3o (qnh3o)

    Excellent, thanks.  I might open a ticket, but curious if there's any way to have this cache the user for a given time period.  It might be a good compromise rather than trying to get SSO to work, we could prompt for password fewer times if Okta would just recognize the user somehow.


    So far, this is reset upon reboot even when you check "remember me". If it allows them to save creds for at least a week or so, that would be awesome. We have so many factors (push, certs etc.) that we are trying to actually bypass this step to save the user from some annoyance 🙂

    • yi9tp (yi9tp)

      Did you ever come up with a solution for this? We're looking at a similar situation as you described in your original post.

This question is closed.