How To Protect On-prem and Hybrid Cloud Apps with Okta (Fast)

Okta has always made protecting cloud applications easy; and with the introduction of Okta Access Gateway we extend that protection to on-premises applications. In this article, I cover how Access Gateway delivers Okta Single Sign-On (SSO) and Adaptive Multi-factor Authentication (MFA) to the hybrid cloud fast, and without changing how your on-premises apps work today.

The Challenge

We started Okta with a mission: securely connecting people to the right technology, at the right time. To accomplish our mission at scale, while getting high adoption from organizations, we invested in standards-based integrations such as SAML and OpenID Connect, alongside a native catalog of integrations: the Okta Integration Network (OIN). Today, supporting standard integrations, SSO, and provisioning is table stakes for any cloud service. And that’s why our catalog supports more than 6,000 cloud applications natively.

The ease of integrating with cloud apps pushed the boundaries towards on-prem apps. Several of our customers gave us the same feedback: “I love the simplicity of accessing cloud apps with Okta. I just want that to work in my hybrid cloud environment without changing the on-prem app source code.” In other words, our customers want to:

  • Use Okta on any app regardless of its location: on-prem or in the cloud
  • Use Okta in heterogeneous environments: multi-cloud, hybrid cloud, and hybrid IT environments
  • Have a template-based integration with on-prem apps
  • Prevent changes in on-prem apps to support SAML or OpenID Connect

There are two major goals driving this request:

  • Use a single identity provider for all apps and retire legacy SSO solutions such as CA SiteMinder, Oracle Access Manager (OAM), PingFederate, and IBM Tivoli Access.
  • Enable remote access to on-prem apps without requiring a full-fledged VPN.

To protect on-prem apps without changing their code, we need to bridge the gap between on-prem apps and the integration standards supported by Okta in the cloud.

Introducing Okta Access Gateway

We built Okta Access Gateway to bridge the gap between cloud identity and on-prem applications:

The gateway acts as a reverse proxy between Okta and on-prem resources. On the on-prem side, the gateway connects to apps using integrations they natively support such as header-based authentication, URL authorization, and Windows authentication. On the cloud side, the gateway connects each application to Okta, using the secure standards broadly adopted by SaaS platforms.

In addition to bridging the gap between cloud and on-prem, the gateway also provides a native app catalog with out-of-the-box integrations with popular on-prem solutions, such as Oracle e-Business Suite, PeopleSoft, Qlik, and WebLogic. This makes it easy to deliver Okta SSO and Adaptive MFA to applications on-prem—without changing how those apps work today.

The gateway also helps customers with using a single identity provider for complex environments like hybrid cloud, multi-cloud, or hybrid IT environments, reducing costs by collapsing the Web Access Management (WAM) infrastructure, improving security with consistent policies, and reducing vendor risk by migrating out of on-prem SSO solutions.

How it works

With Access Gateway, on-prem apps are exposed in Okta like any other app. Users can use SSO through Okta and launch apps from the End User Dashboard, as well as accessing the app directly:

Access gateway process

Here’s an example of how a user can launch an on-prem app from the Okta dashboard.

And since the gateway relies on Okta for SSO, we can use everything from Okta: From customizations (i.e., domains, UI), to multiple identity providers and routing rules, to adaptive MFA. Here’s an example where a user accesses an on-prem app and is prompted with passwordless authentication for login in Okta.


What it means for you

With Access Gateway, you can protect your on-prem apps with Okta without changing how those apps work today. The gateway allows you to use Okta as the single identity provider for your complex environment—whether its hybrid cloud, hybrid it, or multi-cloud—with a cloud to ground protection, reducing costs, improving security with consistent policies, and reducing vendor risk by migrating out of legacy SSO solutions.

Interested in learning more about Access Gateway? Check out our product page for all the details! Want to understand how you can use Okta to replace legacy SSO approaches like web access management (WAM)? Read our datasheet. Excited to get Access Gateway into your tenant? Simply reach out to us.