The Secret Features of Okta Access Gateway: Part 3: Maintenance Mode

At Okta, we love to secure access to everything, from cloud apps, to consumer apps, to servers, and infrastructure—from a single platform. And that, of course, includes on-premises apps. In our new series The Secret Features of Okta Access Gateway, we’re going to explore some of the best secret features of Okta Access Gateway (OAG) to secure access to on-prem web apps, at scale.

OAG is a solution to secure access to on-prem web apps and the hybrid IT with Okta SSO and Adaptive MFA. If you want to learn the basics about OAG before diving in, click right here.

Each post in this 5-part series will be delivered by a specialist with strong experience using these secrets in the field. And to help you navigate through all the information, we’re framing the posts based on the following key areas:

Part 3

In this post, we’ll explore the application maintenance mode feature of the OAG.

The Challenge: When application maintenance is in progress, display a user-friendly notice to your users—not a broken page

In the process of maintaining a healthy and secure IT environment, many organizations need to temporarily bring their on-premises applications down. Activities that may cause unavailability for on-prem apps include (but are not limited to):

  • Security patches or major upgrades to the app
  • Security patches or upgrades to the application running the operating system, middleware, database, or network
  • App migration to other data centers or infrastructure-as-a-service providers
  • Tests or transitions to a disaster recovery environment
  • An app outage

During the unavailability period, communication is key. Ideally, you should inform your users of what is happening and what they can do during an outage. However, most organizations stick with the default error pages provided by their on-prem apps:

ufyezut9Zyse4SCaBsZE5TwQAXaVBa9ElciR0bfga3Ru08XjI2oPMGh3WtcBq s36cSPWuCb6pFW8oBwSG5VO R9BUTWZ8sbN EDHSKEynwSXS1oKDE7RSlW04M298711DFGbE5g
Error pages may reveal critical information about your internal systems!

These pages do not help users and can lead to a peak in help desk calls—especially in apps that return a blank page upon error; aka, the “White Screen of Death”. Even worse, some error pages, like standard error pages from your HTTP or Application Server, may reveal critical information about your systems. These messages can easily be used by hackers to attack your servers.

The Solution: Application maintenance mode

Since the application may not be available to users during the upgrade process, OAG offers 'Maintenance mode’. With this feature, OAG Administrators can switch apps to maintenance and provide a more friendly message to end-users.



This allows visitors to immediately see that your application is temporarily offline. Furthermore, it allows administrators to set custom maintenance mode pages, perhaps with a message stating when the site will be available again or the reason for the required maintenance. You can also hold contact and other useful information for users. These are all ways you can keep supporting your users, even in down times.

Because this is an application-specific configuration in OAG, when an application is in maintenance mode, other applications are not impacted.

What does it look like?

Configuring application maintenance mode

OAG allows you to define the end-user experience when an application is in maintenance mode. This is done via the OAG admin console in the application behavior configuration section, and can be updated anytime.

lAwuEwUwOcmQTCbGAGXtkp3ChceMj16z4xdBiTC3KVqg8a1N8QbcSecjrG4wbEoM3Y4Y1Sw145wjKn9LVVFw1M2jMjK8 4RkeaIZR8ci7 jExH2QzogfoZs8jaJ5qCN6po2D9Q3Z

The Default Application Maintenance page option (when maintenance mode is enabled) shows end users default Okta Access Gateway application maintenance page, shown below.

2oDiuQq22B IHBkwnRYBwi21GY3ztJOdY9fq4BkCPQOnnrQHNWazdjhA8pZ sIRAlPKk1pfnoB2muHK7utNU03BIGjXAb88YR7r4sLDEnr7ibdghcZkKzOX FMLAu6ltEdrv1GfR

The Redirect to custom URL option (when maintenance mode is enabled) allows you to redirect users to a custom URL, where you can deploy your own custom page, which can include support contact and other useful information.
QmDHUBNSW2cVr0PiLHwmXM0mEKQG6MrGxSay6eusOW7tYnAvCnnALrCztIyhZCc8GMTK5DiZ9K55Wb3GmXIgI7PWEy7qBAmcSw57khtQpA0NKkPrkiqcSnm om6CFmSPb4ftq2Xn

Activating application maintenance mode

Switching applications to maintenance mode can be done via the OAG admin console in application configuration section as shown below.

Gs1HOdWKSIRHarpEcpqA0nwrGhfwp sJXYDjCZ6UX2Mhu81mfcdlxbuVyVXR1ME7qFyBX32OpDRIvzjmuRkMgD4W4h3iLZunYiuD9siCo lWTjTORmihF1cqdEBW9H0mlW qjt i

Enabling or disabling maintenance mode does not require that you re-configure other application settings.

With maintenance mode, you can turn-off app integrations in OAG for upgrades, while providing users with a friendly and actionable error handling. And, as always, this feature is are native and does not require that you jump through hoops or trick the system to keep things together.

So, if you want to really dig deep into how Access Gateway works, check out this on-demand webinar—there's a cool demo in it. ;-) And if you liked this post, look out for the other 4 secret features of Okta Access Gateway! In Part 4: Anonymous Access, Kevin Butler, a Principal Sales Engineer, explains how to allow tailored access for every user scenerio.