Secure On-Premises Solutions with Okta: Secret Features + a Preview

At Okta, we live to securely connect every organization to any technology. And that includes on-premises solutions. To secure these apps, we leverage Okta Access Gateway (OAG), a lightweight alternative to web access management (WAM) that provides cloud SSO and Multi-Factor Authentication (MFA) to on-prem web apps—without requiring changes in the source code.



Secret features to secure on-premises solutions

After releasing OAG, we asked Hybrid IT specialists to describe what best practices and key features they rely on to secure on-prem applications, then compiled their thoughts in a blog series we called The Secret Features of Okta Access Gateway. Missed it? Here are the key features they recommended:

  • Multi-Datacenter/Multi-Tenancy: allows organizations to secure access regardless of how many environments they have.
  • On-Premise Datasources: allows you to combine data from the cloud with on-premises data sources (such as databases and LDAP) for access decisions.
  • Maintenance Mode: allows you to temporarily turn off app integrations in OAG for on-premises app upgrades and maintenance, while providing users with friendly and actionable error handling.
  • Anonymous Access: lets administrators define “allow access” rules for both logged-in and not-logged-in users to specific on-premises apps and pages.
  • Per-App Session Security: provides individual session settings per app, making it easy to tailor session timeouts without requiring expensive or complex solutions.

Reader reaction

From our customers and readers, we received two types of reactions.

"Wow! I didn't know that!"

As OAG is a relatively new product, we expected this reaction. These organizations have never had a cloud-based alternative to CA SiteMinder or Oracle Access Manager (OAM) that could secure on-prem web apps without changing the app source code to support federation standards like SAML. We believe that, as people get used to using a single identity provider for their Hybrid IT, they’ll get familiar with these features.

"But you’re not covering the real secret feature of Access Gateway."

That is the most popular and interesting type of reaction we received! In each case, we countered with “Well, what do you think the real secret feature is?” To this, we got many answers. They ranged from the ability to secure on-prem apps with FIDO, to reducing VPN usage for remote web apps, to securing large apps like PeopleSoft or WebLogic without requiring additional LDAP, middleware, and database servers.

And now, it’s time for a new series :)

The feedback helped us realize we needed a new series: one that shows simple examples and techniques for how OAG leverages all the cool innovations of the Okta Platform to secure on-prem web apps with cutting-edge technology. That series is "The Secret Sauce of Access Gateway" (more details on the name after this post…).

Here are some of the examples we will cover in the series of blog posts to come:

  • Passwordless access to on-premises web apps with OAG and Okta MFA
  • Password spraying mitigation and account lockout prevention with OAG, ThreatInsight, and Pre-Authn evaluation policies
  • Security posture best practices for on-prem apps with OAG and HealthInsight
  • FIDO2, WebAuthn, and Biometric authentication on-prem with OAG and high assurance MFA
  • Public VPN, Tor exit nodes, and adaptive protection for on-prem apps with network zones and behavioral access control
  • Automatic incident response on on-prem apps with OAG and Okta workflows
  • True headless on-prem environment with OAG and the LDAP Cloud Interface
  • Future-proof architecture and how OAG will always leverage Okta innovations: from device signals, to deep EDR integrations, to FastPass, and much more.

As you can see, we have a lot to cover! So stay tuned while our specialists get those posts out. Meanwhile, check out our webinar on the 7 steps to SSO + MFA to on-prem apps with Okta Access Gateway or this blog post on how Okta boosts security for on-prem resources.

Your chance to weigh in (again)

It turns out our readers have strong opinions on OAG. We’ve spent a lot of time trying to capture a creative name that truly conveys all the cool things you can do to secure on-prem apps with Okta. Give us your thoughts on what we should call our new Secret Sauce of Access Gateway series! If you’ve got suggestions, hit my LinkedIn page. ;)