Organizations experience a challenge in making applications easily available anytime and anywhere while also maintaining the balance between access security and user experience. Today, application access patterns have moved towards an expectation of being accessible seamlessly for home workers and via mobile apps at any time from anywhere, and this expectation applies to applications even if deployed on-premise, traditionally requiring network access or VPN connection.
By utilizing identity and access management, it is possible to manage application access for all applications — SaaS, Cloud, or on-premise — from a single place with policies configured that suits the organization’s needs.
Okta, the leader in identity management, enables organizations to implement single sign-on and multi-factor authentication across their applications. A strength of Okta is its many integrations with applications. However, with on-premise or legacy applications, this may pose some challenges.
Challenges with On-Prem Applications
- Application Integration Support – Many legacy or custom applications may not support protocols required for integration with Okta such as SAML or OIDC. This makes it difficult to integrate these into an organization’s common single sign-on policy.
- Pre-Authentication – More concerning for admins is that for the typical flow of accessing an application, a user will initially access an application URL before being redirected to the identity provider to authenticate. The initial request must therefore be handled by the application before any authentication takes place. While access to the application may be protected, the application servers must still be published and exposed to the public, even for non-authenticated users. This is because no pre-authentication is done before passing requests to the application server.
A Solution
Progress Kemp LoadMaster integrates seamlessly with identity providers such as Okta enabling any application anywhere to be protected. By implementing this on the LoadMaster at the edge of the network, you can:
- Validate access to an application with Okta single sign-on (with or without Okta integration support)
- Can apply pre-authentication with Okta before allowing requests to reach the application servers
How to Integration LoadMaster and Okta
Configuration of pre-authentication of any app using Okta is simple. In this example, I have an application currently being published through the LoadMaster using the URL https://testapp.barglee.com
If you do not already have an Okta account, create a free trial. Then login to the Okta admin portal and click on “Create App Integration,” then select “SAML 2.0.”
You will now configure the application. Begin by naming the application and configure the following settings:
- Single Sign-On URL: https://testapp.barglee.com
- Audience URL: https://testapp.barglee.com
- Default Relay State: https://testapp.barglee.com
Once configured, click “Next,” then “I’m an Okta customer adding an internal app,” then “Finish.”
You can export data via the settings page. On the settings page, right-click on “Identity Provider Metadata” and Save As. This can be used later to simplify the LoadMaster configuration. Next, click on “View Setup Instructions” and “Download Certificate” to save.
Finally, you should assign users to the application. Under assignments is where you will do this. Go to “Assignments – Assign to People” and select who should have access to the application.
Now you can move on to configuring the LoadMaster.
How to Configure LoadMaster to Okta
Navigate to “Virtual Services – Manage SSO – Add new Client-Side Configuration.” You will need to give this a name.
Set the authentication protocol to “SAML” and IDP provisioning to “MetaData File” and upload the file downloaded from Okta. It will populate the required fields.
Upload the Okta Certificate to the LoadMaster Intermediate Certificates by navigating to “Certificates and Security – Intermediate Certificates” and select “Choose File.” Upload the certificate file downloaded from Okta and name it.
Navigate to the SSO domain created and under “IDP Certificate” select the certificate you just uploaded.
Next, Navigate to the specific virtual service and “View Modify Services – ESP Options” and select “Enable ESP.” Set client authentication mode to “SAML” and “SSO Domain” to the one created.
Set “Allowed Virtual Hosts” to the hostname of the app and set the allowed directories.
If you would like a specific URL on the application to trigger the users session to end and logout of Okta SSO, this can be done by specifying the logoff URL in the ESP configuration in the virtual service under “Logoff String.”
To trigger this to initiate a logout on Okta, you can set a logoff redirect in the SSO configuration for which clients will be sent when they access the logoff URL set which will trigger a full logout.
Getting Started
Download the LoadMaster Free 30-day trial to create a proof-of-concept integration with Okta authentication services. The LoadMaster support team is available to assist you with any questions.