MFA to On-prem Apps Fast and Easy with Okta Access Gateway

At Okta, we love to secure access to everything from a single platform. This, of course, includes on-premises apps.

As hinted at here, our specialists wanted to weigh in on how Okta Access Gateway (OAG) is at its best when paired with the features that make up the Okta platform. In other words, we’re giving you the Secret Sauce! This month, Regional Principal Solutions Engineer Kevin Butler takes on the recipe for using OAG to deliver modern MFA.


In this post, I’ll be showing you how OAG + Okta Adaptive Multi-Factor Authentication (MFA) policies can deliver modern MFA. Technologies such as biometrics, FIDO2, and push notifications are paired with on-premises apps to meet security compliance and prevent account compromises.

PS: For context, Okta Access Gateway (OAG) is a solution to secure access to on-premises web apps in a hybrid IT environment using Okta SSO and Adaptive MFA. If you want to learn the basics about OAG before diving in, click here.

The Challenge: Consolidate and use modern MFA on on-premises web apps

MFA is considered a mandatory security control by security specialists and many regulations (such as PCI-DSS and HIPAA). Why? Most data breaches are caused by account compromises such as phishing or credential theft.

To implement MFA without compromising on security, cost, and productivity, organizations must be consistent in their security policies and modern authentication factors—for all systems.

However, when it comes to on-prem apps, there are two major challenges:

  1. Using unified MFA across on-prem web apps is very hard because each on-prem app requires its own authentication support and integration guide.
  2. Most on-prem apps only support legacy authentication factors that
  • Are easily compromised (security questions, bingo cards, and SMS)
  • Are too expensive and hard to procure (RSA or Symantec hardware tokens)
  • Don't meet updated compliance requirements such as PCI-DSS 3.2.1

Due to these difficulties, many organizations stick with legacy MFA solutions, leave on-prem applications unsecured, or adopt compensating network controls that hurt usability and performance.

Wouldn’t it be great to simply use the same security policies and modern MFA for all apps, keeping on-prem and cloud apps under the same security scope?


The dream: using the same security policies and MFA for on-prem and cloud apps

The Solution: OAG + Adaptive MFA for unified security across on-prem web apps

By combining OAG’s ability to secure on-prem web apps without changing application source code with Okta Adaptive MFA policies, organizations can secure their on-prem web apps using unified policies and modern security. This combination provides many benefits, from user behavioral detection and modern factors to passwordless access to on-prem web apps.

What does it look like?

Because OAG and Adaptive MFA are native features of Okta, configuring the solution is a snap! To secure the OAG on-prem apps with Adaptive MFA, just use the same Sign-On policies already available in Okta for cloud apps.

MFA App Policy based on location over an Access Gateway on-premises application

And to control which MFA factors are used to authenticate users, and to implement features like passwordless access, you can use the rules and factor sequencing in the authentication policies. The following shows an example of a policy with passwordless access.

Passwordless access with WebAuthn (e.g., Windows Hello, Apple Touch ID) based on location and access risk
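To make the rule-ordering and factor-sequencing idea concrete, here is a small Python model written for this post. It is not Okta's policy format, API, or code; the zone, risk level and factor names (`webauthn`, `okta_verify_push`) and the function names are assumptions chosen for the example. It evaluates an ordered list of rules where the first match wins, returns the chain of factors the user must complete, and fails closed when nothing matches, so the effect of rule order is visible.

```python
"""Toy model of ordered authentication-policy rules with factor sequencing.

Written for this post as an illustration. Not Okta's policy format or API:
the zones, risk levels, factor names and class names below are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Zone(Enum):
    CORPORATE = "corporate"   # e.g. office network or VPN address range
    UNKNOWN = "unknown"       # any network not in a defined zone


class Risk(Enum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    zone: Zone
    risk: Risk


@dataclass(frozen=True)
class Rule:
    name: str
    zones: FrozenSet[Zone]            # zones the rule applies to
    max_risk: Risk                    # matches up to and including this risk level
    groups: Optional[FrozenSet[str]]  # None means the rule applies to every user
    factors: Tuple[str, ...]          # ordered chain of factors the user must complete
    deny: bool = False                # a deny rule matches but grants nothing

    def matches(self, req: AccessRequest) -> bool:
        if req.zone not in self.zones:
            return False
        if req.risk.value > self.max_risk.value:
            return False
        if self.groups is not None and not (self.groups & req.groups):
            return False
        return True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: str                  # name of the rule that produced the decision
    factors: Tuple[str, ...]   # empty when access is denied


def evaluate_policy(rules: Tuple[Rule, ...], req: AccessRequest) -> Decision:
    """First matching rule wins, so the most specific rules must come first.
    If no rule matches, fail closed rather than falling back to password only."""
    for rule in rules:
        if rule.matches(req):
            if rule.deny:
                return Decision(False, rule.name, ())
            return Decision(True, rule.name, rule.factors)
    return Decision(False, "implicit-deny", ())


ALL_ZONES = frozenset(Zone)

# Constructed example policy, mirroring the screenshot above in spirit:
#   1. passwordless WebAuthn when on a trusted network and risk is low
#   2. password plus push step-up everywhere else, up to medium risk
#   3. block high-risk sessions outright
# Rule 3 would match every request, so it only works because it is last.
EXAMPLE_POLICY: Tuple[Rule, ...] = (
    Rule("passwordless-trusted-network", frozenset({Zone.CORPORATE}),
         Risk.LOW, None, ("webauthn",)),
    Rule("step-up-elsewhere", ALL_ZONES, Risk.MEDIUM, None,
         ("password", "okta_verify_push")),
    Rule("block-high-risk", ALL_ZONES, Risk.HIGH, None, (), deny=True),
)


if __name__ == "__main__":
    samples = [
        AccessRequest("alice", frozenset({"staff"}), Zone.CORPORATE, Risk.LOW),
        AccessRequest("alice", frozenset({"staff"}), Zone.UNKNOWN, Risk.LOW),
        AccessRequest("alice", frozenset({"staff"}), Zone.UNKNOWN, Risk.HIGH),
    ]
    for req in samples:
        d = evaluate_policy(EXAMPLE_POLICY, req)
        print(f"{req.zone.value:>9} {req.risk.name:>6} -> {d.rule}: "
              f"{'allow ' + '+'.join(d.factors) if d.allowed else 'deny'}")
```

Reversing `EXAMPLE_POLICY` makes the catch-all deny rule match first and every request is blocked, which is the same mistake as placing a broad rule above a specific one in a real policy: review rule order, not just rule contents, when auditing an authentication policy.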

Tip: Okta supports a very wide range of industry-standard factors, from SMS and OTP, through traditional and more modern tokens, to standards-based FIDO1 & 2, WebAuthn, and Smartcard/PIV. These MFA options allow for a range of access policies. The choices applied to web apps can be based on the sensitivity of the data and the service they provide.

Example of user experience (screenshot not available in this copy of the post)

By combining Okta Access Gateway with Adaptive MFA policies, you get a recipe for success:

  • Securing access to on-premises apps
  • Improving the user experience
  • Bringing on-premises apps in line with cloud and enterprise apps

And, by using adaptive SSO and MFA policies, you gain centralized control and flexibility where needed—all without significant changes to the target on-premises application.

Your SSO and MFA policies become the common policies used across the organization, providing consistency. This makes for easier administration and access reviews too. You can apply them to internal applications, supply chain, B2B collaboration, or even customer-facing applications, improving usability across multiple devices while also strengthening the security posture.

Interested in a few secret features of Okta Access Gateway? Check out our previous series, Secure On-Premises Solutions with Okta: Secret Features + a Preview.