Okta Classic Engine | Single Sign-On | Answered | 2024-06-19 | 2020-11-23 | 2020-12-15

cpj24 (cpj24) asked a question.

IWA Fail to Auth Page

We are looking at implementing IWA in our environment. We set up IWA in our preview tenant to see how it operates. At one point we had an issue with our IIS configuration on the IWA Agent host. While IIS was down, the entire preview tenant was unavailable. I shut off the web server to see if the web agent being offline would change behavior, but it did not.

 

I know it is possible to set up IWA to only be active on select applications, which would allow access into management, but if there is an issue with IIS or the web server, those applications would still be unavailable.

 

Within the IWA configuration there are three options:

Only use the primary.

Redirect to Backup IWA.

Redirect to this URL.

 

There is no "use username and password as if IWA weren't configured" or similar.

 

It seems like this is a no-brainer that a convenience function should not represent a risk of complete loss of service if it becomes unavailable. That suggests I'm missing something or misunderstanding how the options are supposed to work. How do others have IWA configured? What do you do if your web server running the agent goes down?

 


  • cpj24 (cpj24)

    I was indeed missing something.

    I now see that there is a line at the top of the On-Prem Desktop SSO section that says "You can always sign in to Okta using the standard sign-in page at https://<org>.okta[preview].com/login/default."

     

    That resolves the issue of not being able to access the admin console when IWA breaks, since you can always get there even if IWA is enabled and broken. Unfortunately, it still would require going in to manually change the IWA setting for an application, which isn't desirable.

     

    I played with the "Only redirect to the following URL" setting, thinking maybe that was a redirect in the event IWA broke. Unfortunately, that is not the case. That is a constant redirect, whether the IWA agent is up or not. (Oddly, it also throws an Okta-specific 404 page when redirecting to https://<org>.okta[preview].com/login/default, but you can go directly to https://<org>.okta[preview].com/login/default without issue.)

     

    It seems that a backup IWA may be the only option.

    • cpj24 (cpj24)

      To provide an update on this.

      I was able to configure two IWA agents in our Preview environment. That reduces the risk of a no-authentication scenario.

      In the process I found that the AD agent is monitoring the IWA Agent. The monitor is a 10 minute cycle. This means that it takes 10 minutes for Okta to recognize an IWA agent as unavailable and failover to the backup.

      Okta support confirmed that 10 minutes is the setting and that it is not adjustable and directed me to two Okta Ideas.

      https://ideas.okta.com/app/#/case/106958?section=requests

      https://ideas.okta.com/app/#/case/106005?section=requests

       

       

      Unfortunately this means that using IWA Agents could result in users being unable to authenticate for up to ten minutes while the monitor is inactive. Because the redirect is to an internal web page, there is nothing that is able to identify the page is down and send a user to a normal login page; they just receive whatever web-host error is appropriate for the situation.

       

      I'm currently trying to get Agentless DSSO configured to see if it operates more reliably.

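Since nothing on the Okta side notices a dead IWA agent for up to ten minutes, an out-of-band probe of the agent's IIS site can raise the alarm much sooner. The script below is an added example, not code from this thread or from Okta; the agent URL is a placeholder, and it assumes the agent site answers an anonymous request with the usual IIS Windows Authentication challenge (401 with a WWW-Authenticate header offering Negotiate or NTLM).

```python
"""Out-of-band health probe for an Okta IWA Web Agent host (example, not Okta code)."""
import socket
import time
import urllib.error
import urllib.request
from typing import Callable, Mapping, Optional

# Placeholder: replace with the URL of your own IWA agent site (not taken from the thread).
IWA_AGENT_URL = "https://iwa.example.internal/IWA/"


def classify(status: Optional[int], headers: Mapping[str, str], error: Optional[str]) -> str:
    """Map one probe result onto a health state.

    Assumption: a healthy IIS site with Windows Authentication answers an anonymous
    request with 401 plus a WWW-Authenticate challenge (Negotiate/NTLM). Anything
    else is what a user would hit as an error page during the outage described above.
    """
    if error is not None:
        return "DOWN: " + error                      # IIS or the host itself unreachable
    if status == 401:
        offered = headers.get("WWW-Authenticate", "")
        if "Negotiate" in offered or "NTLM" in offered:
            return "HEALTHY"
        return "DEGRADED: 401 without Negotiate/NTLM challenge"  # Windows auth not enabled
    if status is not None and status >= 500:
        return f"DEGRADED: HTTP {status}"            # app pool / IIS configuration fault
    return f"UNEXPECTED: HTTP {status}"


def probe(url: str = IWA_AGENT_URL, timeout: float = 5.0) -> str:
    """Make one anonymous GET against the agent site and classify the outcome."""
    req = urllib.request.Request(url, headers={"User-Agent": "iwa-health-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers, None)
    except urllib.error.HTTPError as e:              # 401 and 5xx land here, headers intact
        return classify(e.code, e.headers, None)
    except (urllib.error.URLError, socket.timeout, OSError) as e:
        return classify(None, {}, str(getattr(e, "reason", e)))


def watch(interval_s: float, max_checks: int, probe_fn: Callable[[], str] = probe) -> Optional[str]:
    """Poll until the first non-HEALTHY state and return it (None if all checks pass).
    Use an interval well under Okta's 10-minute monitor cycle to get earlier warning."""
    for i in range(max_checks):
        state = probe_fn()
        if state != "HEALTHY":
            return state
        if i < max_checks - 1:
            time.sleep(interval_s)
    return None


if __name__ == "__main__":
    print(watch(interval_s=60, max_checks=10))
```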
This question is closed.