0D51Y00006sksgFSAQ | Okta Classic Engine | Single Sign-On | Answered | 2025-03-30T09:09:38.000Z | 2019-10-29T22:57:57.000Z | 2019-11-09T02:59:41.000Z
Restricting native portal logins

You set up SSO with Okta to sign into office or gsuite. What sort of policies and mechanisms are there that would restrict accessing those services only through the Okta sign in portal?

If you have policies configured in Okta to force MFA or restrict geos, what's stopping someone from going directly to the service and logging in without Okta? Is this a default configuration or does it require more configuration by an IT admin?

How does this get enforced on the integrated service (office/gsuite in this case)?

thx!


  • oxptp (oxptp)

    At a basic level, the application (service provider) would now look to Okta (the identity provider) to decide if a user should be allowed access. Without the approval of Okta (successful authentication) the user wouldn't be able to access the service. If the user doesn't fit within the security controls you've set up they wouldn't be allowed in. This is assuming that you're using SAML with G Suite and WS-Federation with O365.

     

    Regarding if this is a 'default configuration' or not, that would depend on the application. I always recommend referencing the documentation for each application to make sure that authentication is restricted to SSO only. With G Suite and O365 specifically, if SAML/WS-Fed are used then users would be restricted to SSO only by default.

    Selected as Best
  • Thanks Kevin, it's good to know that if SAML/WS-Fed are used then users would be restricted to SSO only by default.

     

    You mentioned: 'I always recommend referencing the documentation for each application to make sure that authentication is restricted to SSO only'. Which piece of documentation are you referring to? I'm trying to find where that's getting enforced.

     

  • oxptp (oxptp)

    The documentation would change per vendor/application, but Okta is generally very good with providing application-specific docs. If you navigate to the desired application in Okta, then click the 'Sign On' tab, you will usually see a button that says "View Setup Instructions". If you view the G Suite SAML instructions you will see a message at the top of the screen indicating SAML would affect all users who are not Super Admins. I've also linked this below for quick reference.

     

    A different example is an application like HubSpot. This application supports SAML SSO but has an additional check box in HubSpot which must be selected in order to force it. If the button is not checked users would still be able to auth with standard credentials, which would not be desired. This is called out in the HubSpot hosted docs, but not the Okta hosted docs, so this is an example where checking another source revealed a step that was needed to 'require' SSO. I've linked both versions below so you can compare the difference.

     

    GSuite: https://saml-doc.okta.com/SAML_Docs/How-to-Enable-SAML-2.0-in-Google-Apps.html?baseAdminUrl=https://sada-admin.okta.com&app=google&instanceId=0oa12auqnpT76zz9o357

     

    HubSpot: https://knowledge.hubspot.com/account/can-i-use-single-sign-on-sso-with-hubspot

     

    HubSpot (Okta): https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-HubSpot.html

This question is closed.
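
One way to check that SSO is actually enforced on a service, as an added example that is not part of the original thread: scan the service's own login audit export for successful sign-ins that did not come through the identity provider. The log format, field names and accounts below are constructed assumptions, not any vendor's real schema.

```python
import csv
import io

# Constructed sample of a service provider's login audit export.
# Field names and values are assumptions, not any vendor's real schema.
SAMPLE_LOG = """\
time,user,method,result
2019-11-01T08:02:11Z,alice@example.com,saml,success
2019-11-01T08:05:40Z,bob@example.com,password,success
2019-11-01T08:09:03Z,carol@example.com,password,failure
2019-11-01T09:15:27Z,admin@example.com,password,success
2019-11-01T09:30:00Z,bob@example.com,saml,success
"""

# Accounts expected to keep a native login, e.g. the G Suite Super Admins
# that the setup instructions say SAML does not affect (hypothetical account).
EXEMPT = {"admin@example.com"}
FEDERATED_METHODS = {"saml", "ws-fed"}


def audit_native_logins(log_text, exempt=EXEMPT):
    """Split successful non-federated logins into bypasses and exempt use."""
    bypasses, exempt_use = [], []
    for row in csv.DictReader(io.StringIO(log_text)):
        method = row["method"].strip().lower()
        user = row["user"].strip().lower()
        if row["result"].strip().lower() != "success":
            continue  # only successful logins prove a working native path
        if method in FEDERATED_METHODS:
            continue  # went through the identity provider
        target = exempt_use if user in exempt else bypasses
        target.append((row["time"], user, method))
    return bypasses, exempt_use


if __name__ == "__main__":
    bypasses, exempt_use = audit_native_logins(SAMPLE_LOG)
    for when, user, method in bypasses:
        print(f"BYPASS  {when} {user} signed in with {method}, not via SSO")
    for when, user, method in exempt_use:
        print(f"EXEMPT  {when} {user} used {method} (expected, review anyway)")
```

Any entry in the bypass list means the application still accepts native credentials for ordinary users, which is the HubSpot-style case where an extra "require SSO" setting has not been turned on.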