JijoJ.53310 (Customer) asked a question.
I have multiple IWA in multiple location which cannot access by each other location, only same location client can be access their own IWA. Is there a way we can rout the traffic based on client IP, so that each client will authenticate their own location IWA.
Hi,
You can use the Global redirect feature of IWA where Okta detects that a user is seen to be on an internal registered IP address (i.e. to determine if the users on the internal network or not). Once that’s been detected (and you can register up multiple IP addresses and or ranges of addresses), the next thing is to direct the user to the right IIS web server where the Integrated Windows Authentication (IWA) module is running. We do this by a “Global Redirect”.
The information here describes the Global Redirect URL option for Desktop SSO. This feature allows untrusted domains to use Desktop SSO.
https://help.okta.com/en/prod/Content/Topics/Directory/Configuring_Desktop_SSO.htm
When “Use global redirect URL” is selected, Okta gives customers the flexibility to resolve and loadbalance Okta IWA servers. This flexibility allows untrusted domains to use Desktop SSO. In the screenshot above, I’ve configured a global redirect URL of http://oktadesktopsso.company.com, which is a nonexistent target. The customer shall create a CNAME DNS entry for this URL at each domain where there are IWA servers. Ideally, each domain will have multiple IWA servers installed, and the CNAME entry will point to a loadbalancer URL that fronts the IWA servers.As an example, consider the following scenario. Let’s say there are two untrusted domains: abc.com and xyz.com. Domain abc.com has agent1, agent2, and agent3. Domain xyz.com has agent4 and agent5. All agents and gateway IPs from abc.com and xyz.com are registered with Okta. When a user from abc.com hits Okta, Okta will redirect the user to http://oktadesktopsso.company.com. The DNS server/load balancer at abc.com will redirect to either agent1, agent2, or agent3. When a user from xyz.com hits Okta, Okta will redirect the user to http://oktadesktopsso.company.com. The DNS server/load balancer at xyz.com will redirect to either agent4 or agent5.
Hello Fabian Bahna, Thanks for the advice, My case one domain and multiple NLB based region. e.g. US NLB-1, Asia NLB-2, Europe NLB-3 and client can connect to their own region. As per my understanding global redirect will be specific to one URL. I'm looking is there a way the traffic can be redirect to based on user traffic like AD agent send delegated authentication request to nearest agent..
We use cookies to provide the best website experience and to help understand marketing efforts. We may also share data with ad partners to reach potential customers across the web. To learn more, visit our Privacy Policy. Click here for Your Privacy Choices. You may also opt out of this sharing by signaling your preference via GPC, applicable only to the browser signaling the opt-out.
More information
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Select All
We use cookies to provide the best website experience and to help understand marketing efforts. We may also share data with ad partners to reach potential customers across the web. To learn more, visit our Privacy Policy. Click here for Your Privacy Choices. You may also opt out of this sharing by signaling your preference via GPC, applicable only to the browser signaling the opt-out.
More information
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Select All
Hi,
You can use the Global redirect feature of IWA where Okta detects that a user is seen to be on an internal registered IP address (i.e. to determine if the users on the internal network or not). Once that’s been detected (and you can register up multiple IP addresses and or ranges of addresses), the next thing is to direct the user to the right IIS web server where the Integrated Windows Authentication (IWA) module is running. We do this by a “Global Redirect”.
The information here describes the Global Redirect URL option for Desktop SSO. This feature allows untrusted domains to use Desktop SSO.
https://help.okta.com/en/prod/Content/Topics/Directory/Configuring_Desktop_SSO.htm
When “Use global redirect URL” is selected, Okta gives customers the flexibility to resolve and loadbalance Okta IWA servers. This flexibility allows untrusted domains to use Desktop SSO. In the screenshot above, I’ve configured a global redirect URL of http://oktadesktopsso.company.com, which is a nonexistent target. The customer shall create a CNAME DNS entry for this URL at each domain where there are IWA servers. Ideally, each domain will have multiple IWA servers installed, and the CNAME entry will point to a loadbalancer URL that fronts the IWA servers.As an example, consider the following scenario. Let’s say there are two untrusted domains: abc.com and xyz.com. Domain abc.com has agent1, agent2, and agent3. Domain xyz.com has agent4 and agent5. All agents and gateway IPs from abc.com and xyz.com are registered with Okta. When a user from abc.com hits Okta, Okta will redirect the user to http://oktadesktopsso.company.com. The DNS server/load balancer at abc.com will redirect to either agent1, agent2, or agent3. When a user from xyz.com hits Okta, Okta will redirect the user to http://oktadesktopsso.company.com. The DNS server/load balancer at xyz.com will redirect to either agent4 or agent5.