Okta Classic Engine · Single Sign-On · Answered · 2023-08-29 · 2023-05-22 · 2023-05-25

MatthewC.51720 (Customer) asked a question.

How to make Desktop SSO work with sites on zScaler

My company is deploying SDWAN and zScaler to our remote sites. With this change the internet traffic from those sites will no longer be going through our datacenter, so the public IPs of those clients will now be zScaler IPs and not our DC gateway. This will make clients at those sites appear to be "Out of Zone" to Okta, and the desktop SSO and/or IWA redirects will no longer work. Adding the zScaler proxy IPs to the trusted proxy list doesn't work, as there is nothing in the IP headers tying the clients back to our datacenter IPs. Has anyone else run into this and figured out a solution to get desktop SSO working in this situation?


  • Paul S. (Okta, Inc.)

    Hello @MatthewC.51720 (Customer)​ Thank you for reaching out to our Community!

    You can use a VPN for DSSO; please see our doc for this:

    https://help.okta.com/en-us/Content/Topics/Security/network/define-iwa-network-zone.htm

    If I recall correctly, the gateway IPs need to be added in the Trusted IPs as well.

    • MatthewC.51720 (Customer)

      Thank you, but the article you linked doesn't really address my issue. I have a network zone configured pretty much as described there, and it worked when the internet traffic from our sites was routed back through our datacenter and out our gateway. Clients' traffic was coming from a known company-owned IP address. Now that traffic never touches our datacenter. It goes straight out a zScaler tunnel to the internet at the site. The IPs associated with that traffic are all shared zScaler proxy IP addresses, and there is nothing linking it back to a company-owned IP that I can use to define it as in zone.

      • Paul S. (Okta, Inc.)

        Have you added the gateway IPs into the Trusted IPs on the same network?

        Have you also configured a routing rule to this network, for DSSO?

      • MatthewC.51720 (Customer)

        No, I haven't added the gateway IPs to the Trusted proxies. I'll give that a try. Yes, I do have a routing rule for DSSO. Thanks.

        [screenshot: routerule]

      • Paul S. (Okta, Inc.)

        Please make sure you add the network to the routing rule as well.

      • MatthewC.51720 (Customer)

        I have the routing rule configured as shown above. I added the gateway IPs to the Trusted proxies on that LegacyIPZone along with the zScaler proxy IPs. It still does not redirect for desktop SSO. I am fairly certain that is because it still does not see the client as in zone.

      • Paul S. (Okta, Inc.)

        If you believe that everything is set up correctly, I would recommend reaching out to Support for additional investigation of the full configuration.

This question is closed.
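
The thread turns on how a zone check treats a request that arrives via a proxy: the address the check is evaluated against is whatever is left after trusted proxies are peeled off the X-Forwarded-For chain, and if that address is a shared proxy egress rather than a company-owned gateway, the client is out of zone no matter which proxy IPs are trusted. The following Python is an added example written for this page, not code from the thread, from Okta, or from zScaler; it models that logic with a generic "walk the chain from the right" rule and constructed, documentation-range addresses (203.0.113.0/28 as the datacenter gateway, 198.51.100.0/24 as the proxy egress, 192.0.2.77 as a hypothetical site gateway). The zone name LegacyIPZone comes from the thread; everything else, including the assumption that a proxy would forward a site gateway address in X-Forwarded-For, is an assumption for illustration.

```python
"""Simplified model of 'in zone' evaluation behind trusted proxies.

Added example; not Okta's implementation. Addresses are constructed from the
RFC 5737 documentation ranges and do not refer to any real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class NetworkZone:
    name: str
    gateway_networks: List[ipaddress.IPv4Network]  # addresses that count as "in zone"
    trusted_proxies: List[ipaddress.IPv4Network]   # hops whose X-Forwarded-For is believed


def _in(addr: ipaddress.IPv4Address, nets: List[ipaddress.IPv4Network]) -> bool:
    return any(addr in n for n in nets)


def effective_client_ip(remote_addr: str, xff: Optional[str], zone: NetworkZone) -> str:
    """Return the address the zone check is evaluated against.

    The chain is [client, proxy1, ..., remote_addr]. Walking from the right,
    each hop that is a trusted proxy is skipped because it vouches for the hop
    to its left; the first untrusted hop is the effective client. Walking from
    the right (not the left) means a header supplied by an untrusted sender is
    never believed. If every hop is trusted, or there is no header at all, the
    leftmost address is all the request tells us, so that is returned.
    """
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()] + [remote_addr]
    for hop in reversed(hops):
        if not _in(ipaddress.ip_address(hop), zone.trusted_proxies):
            return hop
    return hops[0]


def is_in_zone(remote_addr: str, xff: Optional[str], zone: NetworkZone) -> bool:
    client = ipaddress.ip_address(effective_client_ip(remote_addr, xff, zone))
    return _in(client, zone.gateway_networks)


# Constructed zone: datacenter gateway range plus a hypothetical site gateway,
# with the proxy egress range listed as trusted (as the thread describes doing).
LEGACY_IP_ZONE = NetworkZone(
    name="LegacyIPZone",
    gateway_networks=[ipaddress.ip_network("203.0.113.0/28"),
                      ipaddress.ip_network("192.0.2.77/32")],
    trusted_proxies=[ipaddress.ip_network("198.51.100.0/24")],
)


def run_scenarios(zone: NetworkZone = LEGACY_IP_ZONE) -> Dict[str, bool]:
    """Evaluate the situations discussed in the thread against the model."""
    return {
        # Before the change: traffic egresses the datacenter gateway directly.
        "via_datacenter_gateway": is_in_zone("203.0.113.10", None, zone),
        # After the change: shared proxy egress, no header linking it to a
        # company-owned address. Trusting the proxy range does not help,
        # because nothing to its left is in the zone.
        "via_shared_proxy_egress": is_in_zone("198.51.100.20", None, zone),
        # Hypothetical: the proxy forwards the site's own gateway address and
        # that address is part of the zone's gateway list.
        "proxy_forwards_site_gateway": is_in_zone("198.51.100.20", "192.0.2.77", zone),
        # Defensive property: a header arriving from an untrusted sender that
        # names an in-zone address is ignored, so zone membership cannot be
        # claimed by setting the header.
        "header_from_untrusted_sender": is_in_zone("192.0.2.200", "203.0.113.10", zone),
    }


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario:32s} in zone: {result}")
```

The `via_shared_proxy_egress` case is the situation in the question: once the only address visible to the check is the proxy's, listing that proxy as trusted changes nothing, because the check then looks one hop to the left and finds no hop at all. The model also shows why the trusted-proxy list must stay narrow: only a hop in `trusted_proxies` can cause a forwarded address to be believed.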