
Customer asked a question.
My firm leverages Okta (SSO) and Netskope (Secure Web Gateway). Prior to moving to Netskope, we leveraged an on-premise web proxy, so our policies within Okta stated that when you were coming from an office (trusted) IP, we did not step up with MFA.
Since moving to Netskope, a multi-tenant cloud infrastructure, we do not want to add the entire range of source IPs for the vendor since they are shared. We are unable to create policies leveraging Okta Proxy IPs (https://support.okta.com/help/s/article/How-are-the-Proxy-IPs-in-the-Network-Zones-used-in-Okta?language=en_US) because it appears that Okta is not able to determine the true source IP for Netskope.
We have a dialog open with Netskope on this, but has anyone come across this before?

I should add that Okta can see the Proxy IP chain when the Netskope client (agent) is used, but not with IPsec that employees in our office locations traverse.