kdnfw (kdnfw) asked a question.
Zscaler issue
the scenario we are trying to resolve.
- In our OKTA Tenant, we have MFA Set at the org level.
- Our MFA Rules are: If you are ‘on network’ do not prompt for MFA. If you are ‘off network’ you get prompted for MFA
- On our Corporate Devices, we have an application called Zscaler that we use for Internet Access.
- TODAY – the Zscaler application is currently using ADFS and does not require MFA. When the user logs on to the workstation, they are automatically logged into Zscaler
- TOMORROW – When we migrate Zscaler to OKTA, the user will be prompted for MFA as they will not be on the network when they initially logon to their machines from home based on our OKTA rules
- The concern is that if they don’t accept the MFA prompt or cancel out of it, they will not be authenticated and could provide internet access to sites we currently block.
We are trying to understand, based on our configuration, if there is a way to automatically log the user into Zscaler and not prompt for MFA.
Hi @kdnfw (kdnfw) , Thank you for reaching out to the Okta Community.
If the devices are company managed and you can block all access *unless* the users sign in to Zscaler first, then you could attempt that approach and MFA would not be an issue even if it's required as it's a good security practice.
If you do not have that option, you might look into securing all your other resources managed through Okta behind a sign on policy that leverages the Zscaler IPs.
https://help.okta.com/en/prod/Content/Topics/Security/policies/about-app-signon-policies.htm
Have a great rest of the day!