Organizations face a recurring challenge: making applications available anytime and from anywhere without trading away access security for user experience. Users now expect the same seamless access from home and from mobile apps that they get on the corporate network, and that expectation extends to applications deployed on-premise, which traditionally required being on the internal network or connecting over a VPN.
By putting identity and access management in front of every application, whether SaaS, cloud or on-premise, access can be managed from a single place, with policies configured to suit the organization's needs.
Okta, a leading identity provider, enables organizations to implement single sign-on and multi-factor authentication across their applications. A strength of Okta is its large catalog of application integrations. However, on-premise or legacy applications that do not speak SAML or OpenID Connect natively cannot use those integrations directly, which poses a challenge.
Progress Kemp LoadMaster integrates with identity providers such as Okta, allowing any application anywhere to be protected by pre-authentication at the load balancer, regardless of what the application itself supports. By implementing this on the LoadMaster at the edge of the network, you can:
Configuring pre-authentication for any application with Okta is straightforward. In this example, I have an application currently published through the LoadMaster at the URL https://testapp.barglee.com
If you do not already have an Okta account, create a free trial. Then log in to the Okta admin portal, click "Create App Integration," and select "SAML 2.0."
You will now configure the application. Begin by naming the application and configure the following settings:
Once configured, click “Next,” then “I’m an Okta customer adding an internal app,” then “Finish.”
The application's settings page is where you export what the LoadMaster needs. Right-click "Identity Provider Metadata" and choose Save As; this metadata file is used later to populate the LoadMaster SSO configuration automatically. Next, click "View Setup Instructions" and "Download Certificate" and save the certificate file. This is the certificate Okta signs its SAML assertions with, so it is the one the LoadMaster must trust.
Finally, assign users to the application. Go to "Assignments – Assign to People" and select who should have access to the application; users who are not assigned will be refused by Okta before they ever reach the application.
Now you can move on to configuring the LoadMaster.
Navigate to “Virtual Services – Manage SSO – Add new Client-Side Configuration.” You will need to give this a name.
Set the authentication protocol to "SAML" and IDP provisioning to "MetaData File," then upload the metadata file downloaded from Okta. The LoadMaster reads the IdP entity ID and the single sign-on endpoints from it and populates the required fields.
Upload the Okta certificate to the LoadMaster intermediate certificate store by navigating to "Certificates and Security – Intermediate Certificates," clicking "Choose File," selecting the certificate file downloaded from Okta and giving it a name. The LoadMaster uses this certificate to verify the signature on every SAML assertion Okta sends, so it must match the signing certificate Okta currently uses; if the certificate is rotated in Okta, repeat this upload or logins will start failing signature validation.
Navigate back to the SSO domain you created and, under "IDP Certificate," select the certificate you just uploaded.
Next, Navigate to the specific virtual service and “View Modify Services – ESP Options” and select “Enable ESP.” Set client authentication mode to “SAML” and “SSO Domain” to the one created.
Set "Allowed Virtual Hosts" to the hostname of the app and set the allowed directories, so that the authentication policy applies to exactly the hostname and paths you intend to publish.
If you would like a specific URL on the application to end the user's session and log the user out of Okta SSO, specify that URL as the "Logoff String" in the ESP options of the virtual service. On its own, this only ends the session the LoadMaster holds for the user.
To turn that into a full logout at Okta as well, set a logoff redirect in the SSO (client-side) configuration. Clients that request the logoff URL are then sent to that redirect target, which triggers the Okta logout; otherwise the user's Okta session remains valid and the next visit to the application signs them straight back in.
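The metadata file imported into the LoadMaster, the certificate selected under "IDP Certificate," and the logout endpoint used for the logoff redirect all come from the same Okta metadata document. The script below is an added example, not LoadMaster or Okta code, that parses a SAML 2.0 IdP metadata file in the shape Okta's "Identity Provider Metadata" link returns, pulls out the entity ID, the single sign-on and single logout endpoints, and the signing certificate, and cross-checks the separately downloaded certificate file against the one embedded in the metadata by SHA-256 fingerprint. The metadata, entity ID, URLs and certificate bytes are constructed placeholders, not a real Okta tenant, and the fingerprint comparison works on raw DER bytes rather than parsing X.509.

```python
"""Parse Okta-style SAML IdP metadata and check it against the downloaded IdP certificate."""
import base64
import hashlib
import xml.etree.ElementTree as ET  # does not fetch external entities/DTDs by default

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder certificate bytes (NOT a real X.509 certificate); fingerprinting
# only needs the raw DER bytes, so any byte string is enough to exercise the check.
PLACEHOLDER_CERT_DER = b"constructed placeholder certificate bytes - not a real certificate"
_B64 = base64.b64encode(PLACEHOLDER_CERT_DER).decode()

# Constructed sample metadata; the entityID, app path and hostname are assumptions.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{BINDING_POST}"
        Location="https://example.okta.com/app/example_testapp_1/exk0000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="{BINDING_REDIRECT}"
        Location="https://example.okta.com/app/example_testapp_1/exk0000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed PEM file standing in for the "Download Certificate" output from Okta.
SAMPLE_DOWNLOADED_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text: str) -> bytes:
    """Strip PEM armor and return the DER bytes."""
    body = [ln.strip() for ln in pem_text.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what the LoadMaster SSO configuration needs from SAML 2.0 IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means both signing and encryption
            continue
        node = kd.find(".//ds:X509Certificate", NS)
        if node is not None and node.text:
            signing_certs.append(base64.b64decode("".join(node.text.split())))

    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    slo = idp.find("md:SingleLogoutService", NS)  # only present if SLO is enabled on the Okta app
    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": sso.get(BINDING_POST),
        "sso_redirect_url": sso.get(BINDING_REDIRECT),
        "slo_url": slo.get("Location") if slo is not None else None,
        "signing_certs": signing_certs,
    }


def check_downloaded_cert(metadata: dict, pem_text: str) -> bool:
    """True if the downloaded certificate is one of the signing certificates in the metadata."""
    wanted = cert_fingerprint(pem_to_der(pem_text))
    return any(cert_fingerprint(c) == wanted for c in metadata["signing_certs"])


def audit_metadata(metadata: dict) -> list:
    """Findings a practitioner should resolve before trusting this IdP configuration."""
    findings = []
    if not metadata["signing_certs"]:
        findings.append("no signing certificate: assertion signatures cannot be verified")
    for key in ("sso_post_url", "sso_redirect_url", "slo_url"):
        url = metadata[key]
        if url and not url.startswith("https://"):
            findings.append(f"{key} is not https: {url}")
    if metadata["slo_url"] is None:
        findings.append("no SingleLogoutService: confirm the logoff redirect points at an Okta logout endpoint")
    return findings


if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", md["entity_id"])
    print("SSO POST endpoint:", md["sso_post_url"])
    print("downloaded cert matches metadata:", check_downloaded_cert(md, SAMPLE_DOWNLOADED_CERT_PEM))
    for f in audit_metadata(md):
        print("finding:", f)
```

Run it against the real metadata and certificate files saved from Okta by reading them in place of the constructed samples. A fingerprint mismatch means the certificate selected under "IDP Certificate" is not the one Okta will sign with, which is exactly the failure you see after an Okta certificate rotation; a missing SingleLogoutService is the cue to set the logoff redirect explicitly rather than expecting a full Okta logout to happen on its own.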
Download the LoadMaster free 30-day trial to build a proof-of-concept integration with Okta authentication. The LoadMaster support team is available to assist with any questions.