The Secret Features of Okta Access Gateway: Part 3: Maintenance Mode

At Okta, we love to secure access to everything, from cloud apps, to consumer apps, to servers, and infrastructure—from a single platform. And that, of course, includes on-premises apps. In our new series The Secret Features of Okta Access Gateway, we’re going to explore some of the best secret features of Okta Access Gateway (OAG) to secure access to on-prem web apps, at scale.

OAG is a solution to secure access to on-prem web apps and the hybrid IT with Okta SSO and Adaptive MFA. If you want to learn the basics about OAG before diving in, click right here.

Each post in this 5-part series will be delivered by a specialist with strong experience using these secrets in the field. And to help you navigate through all the information, we’re framing the posts based on the following key areas:

In this post, we’ll explore the application maintenance mode feature of the OAG.

The Challenge: When application maintenance is in progress, display a user-friendly notice to your users—not a broken page

In the process of maintaining a healthy and secure IT environment, many organizations need to temporarily bring their on-premises applications down. Activities that may cause unavailability for on-prem apps include (but are not limited to):

• Security patches or major upgrades to the app
• Security patches or upgrades to the application running the operating system, middleware, database, or network
• App migration to other data centers or infrastructure-as-a-service providers
• Tests or transitions to a disaster recovery environment
• An app outage

During the unavailability period, communication is key. Ideally, you should inform your users of what is happening and what they can do during an outage. However, most organizations stick with the default error pages provided by their on-prem apps:

Error pages may reveal critical information about your internal systems!

These pages do not help users and can lead to a peak in help desk calls—especially in apps that return a blank page upon error; aka, the “White Screen of Death”. Even worse, some error pages, like standard error pages from your HTTP or Application Server, may reveal critical information about your systems. These messages can easily be used by hackers to attack your servers.

The Solution: Application maintenance mode

Since the application may not be available to users during the upgrade process, OAG offers 'Maintenance mode’. With this feature, OAG Administrators can switch apps to maintenance and provide a more friendly message to end-users.

This allows visitors to immediately see that your application is temporarily offline. Furthermore, it allows administrators to set custom maintenance mode pages, perhaps with a message stating when the site will be available again or the reason for the required maintenance. You can also hold contact and other useful information for users. These are all ways you can keep supporting your users, even in down times.

Because this is an application-specific configuration in OAG, when an application is in maintenance mode, other applications are not impacted.

What does it look like?

Configuring application maintenance mode

OAG allows you to define the end-user experience when an application is in maintenance mode. This is done via the OAG admin console in the application behavior configuration section, and can be updated anytime.

The Default Application Maintenance page option (when maintenance mode is enabled) shows end users default Okta Access Gateway application maintenance page, shown below.

The Redirect to custom URL option (when maintenance mode is enabled) allows you to redirect users to a custom URL, where you can deploy your own custom page, which can include support contact and other useful information.

Activating application maintenance mode

Switching applications to maintenance mode can be done via the OAG admin console in application configuration section as shown below.

Enabling or disabling maintenance mode does not require that you re-configure other application settings.

With maintenance mode, you can turn-off app integrations in OAG for upgrades, while providing users with a friendly and actionable error handling. And, as always, this feature is are native and does not require that you jump through hoops or trick the system to keep things together.

So, if you want to really dig deep into how Access Gateway works, check out this on-demand webinar—there's a cool demo in it. ;-) And if you liked this post, look out for the other 4 secret features of Okta Access Gateway! In Part 4: Anonymous Access, Kevin Butler, a Principal Sales Engineer, explains how to allow tailored access for every user scenerio.