kbazp (kbazp) asked a question.
Okta Dynamic Network Zones recognize Geo locations for IPv6 address
We have a requirement to block access to sensitive applications in Okta from any other country but the United States. We were trying to use application specific signing policy with Dynamic Network Zone definition. The cleanup rule defined as block access from any other country. For some reason the IPv6 address assigned to workstation (geolocation NYC) is not recognized by Okta policy as valid US IP address and access to the application is blocked (Please see the screenshot below). Could you please advice if Okta Dynamic Network Zones can recognize Geo locations for IPv6 address?
Image is not available
Using OIE.
Although I do not see any reason why Okta could not accurately identify IPv6 addresses, they do state they leverage MaxMind for this service and encourage users to go there for accuracy issues.
This can be found here: About Dynamic Zones
For you, assuming you are setting your IP type to "any", and you are not using a single dynamic zone that includes two locations containing one another (i.e. NY & US), I do not see why this would not work for you.
In the logs, you are seeing NY? I would make sure the client is not using a VPN or anything of that sort too.
Any further information you could provide would be helpful beyond that, such as a snippet of your dynamic zone and the sign-on policy using it (either org or app level). Sometimes it can get confusing once you begin to layer policy on policy, so I would recommend reviewing them all as well.
Hopefully that helps! Look forward to your reply.
I'm using country based Dynamic Network Zone. Please see below
MaxMind has GeoIP for IPv6 in question.
Hello @kbazp (kbazp) Thank you for reacting out to our Community!
At this time IPv6 is not supported, please see this post here:
https://support.okta.com/help/s/question/0D54z00007UhQ92CAF/ipv6-support?language=en_US
The Okta Community Catalysts Program is now live. Collect online badges when you participate in the Okta Help Center Questions community. Learn more here.
Community members help others by clicking Upvote or Select as Best on responses. Try it today.
Ah, Understood. Is this something that is in the works? I see a few ideas suggesting this but they appear to be closed out/not fulfilled.
Thanks!
So IPv6 addresses are not recognized by Okta network zones? and as a result an access request from a client with IPv6 would be denied?
@paul.stiniguta1.508386743840768E12 (Okta, Inc.) For some reason Okta keeps closing any suggestion for IPv6 w/o any consideration:
https://ideas.okta.com/app/#/case/118195?section=requests
https://ideas.okta.com/app/#/case/126120?section=requests
https://ideas.okta.com/app/#/case/155943?section=requests
Do you have any info what happens with access requests which come from IPv6 clients only (w/o dual stack)?
Does Okta block requests? Does Okta create a log entry for IPv6 requests?
Seems like a pretty big gap in functionality for a leading SSO provider.
Thanks,
@kbazp (kbazp) The reason for closure of the idea is located on the top right hand side of the idea, please see one of the reasons below:
"Thank you for taking the time to share your feedback with us. At this time, we are not planning on building this into our feature set as it doesn’t fit into our current Okta product strategy. Please visit our product roadmap to learn more about what we’re currently up to."
Since this is not a supported feature at this time you might want to discuss this matter with your Account Executive/CSM for additional assistance.