
TannerK.55818 (Customer) asked a question.
Hello:
I am working to implement a ZT security product into an Okta environment. Essentially the only way for this to work without caveats or issues is to use a routing rule to send everyone and everything through the product. What that does is send an AuthN request to Banyan, which redirects to Okta for user attributes. It then forwards the user (if it passes the product's checks) back to Okta for authentication into whatever the user wants to access. However, we have a use case where we only want to send specific applications through that flow and not all of Okta. Selecting single applications in the routing rules only works if the user has NO Okta session. Our users use the dashboard, so they will always have a session before accessing apps.
The routing rules also add a lot of redirects: Okta (routing rule) > ZT (needs user attributes) > Okta (login) > ZT (device trust/policy check) > Okta/destination app. This would be okay if we could narrow the scope of the rules to specific apps, but we can't. Doing it based on a user also results in the users being prompted for their email twice, due to the check on the user that Okta has to do before sending it into a routing rule.
However, if we use the IdP factor, it doesn't force users to use that AND Okta Verify; it's one or the other. A global policy will affect the attribute-gathering connection to Okta and will loop infinitely. So that feature is pretty useless to me in this scenario.
Using a proxy app for every single application works but that adds a ton of overhead and complication to our Okta and ZT environment.
With other IdPs such as PingFederate, you can implement an IdP as a policy step using the user attributes already obtained from the initial login, thus making it seamless to the user, which works great. However, I have not been able to find a solution to allow this configuration to work well with Okta.
Would love to hear any ideas!

Hello Tanner,
Good afternoon.
Our sincere apologies for the difficulties that you are facing. In this scenario, you can create one rule to specify which apps are required to meet the routing criteria needed.
To reach this goal, you can use the example of the configuration rule mentioned in the link below:
https://help.okta.com/en/prod/Content/Topics/Security/configure-routing-rules.htm
Let us know if this article allowed you to clarify and solve your problem, or if you still need further assistance.
Have a great day ahead.
Regards,
Henry Esquivel
Okta, Inc.
Those rules only work when you don't have an Okta session if specific applications are chosen. If you log in to the Okta app dock and select one of those apps, it will not use the routing rules.
Since this is the users' existing behavior, we need a solution that works for the app dock.