MFA to On-prem Apps Fast and Easy with Okta Access Gateway

At Okta, we love to secure access to everything from a single platform. This, of course, includes on-premises apps.

As teased earlier, our specialists wanted to weigh in on how Okta Access Gateway (OAG) is at its best when paired with the features that make up the Okta platform. In other words, we're giving you the Secret Sauce! This month, Regional Principal Solutions Engineer Kevin Butler takes on the recipe for using OAG to deliver modern MFA.


In this post, I’ll be showing you how OAG + Okta Adaptive Multi-Factor Authentication (MFA) policies can deliver modern MFA. Technologies such as biometrics, FIDO2, and push notifications are paired with on-premises apps to meet security compliance and prevent account compromises.

PS: For context, Okta Access Gateway (OAG) is a solution to secure access to on-premises web apps in a hybrid IT environment using Okta SSO and Adaptive MFA. If you want to learn the basics about OAG before diving in, click here.

The Challenge: Consolidate and use modern MFA on on-premises web apps

MFA is considered a mandatory security control by security specialists and by many regulations (such as PCI-DSS and HIPAA). Why? Most data breaches are caused by account compromises such as phishing or credential theft.

To implement MFA without compromising on security, cost, and productivity, organizations must be consistent in their security policies and modern authentication factors—for all systems.

However, when it comes to on-prem apps, there are two major challenges:

  1. Using unified MFA across on-prem web apps is very hard because each on-prem app requires its own authentication support and integration guide.
  2. Most on-prem apps only support legacy authentication factors that
  • Are easy to compromise (security questions, bingo cards, and SMS)
  • Are too expensive and hard to procure (RSA or Symantec hardware tokens)
  • Don't meet updated compliance requirements such as PCI-DSS 3.2.1

Due to these difficulties, many organizations stick with legacy MFA solutions, leave on-prem applications unsecured, or adopt compensating network controls that have a high impact on usability and performance.

Wouldn’t it be great to simply use the same security policies and modern MFA for all apps, keeping on-prem and cloud apps under the same security scope?


The dream: using the same security policies and MFA for on-prem and cloud apps

The Solution: OAG + Adaptive MFA for unified security across on-prem web apps

By combining OAG's ability to secure on-prem web apps without changes to source code with Okta Adaptive MFA policies, organizations can secure their on-prem web apps using unified policies and modern security. This combination provides many benefits, from the ability to implement user behavioral detection and modern factors to passwordless access to on-prem web apps.

What does it look like?

Because OAG and Adaptive MFA are native features of Okta, configuring the solution is a snap! To secure the OAG on-prem apps with Adaptive MFA, just use the same Sign-On policies already available in Okta for cloud apps.


MFA App Policy based on location over an Access Gateway on-premises application

And to control which MFA factors are used to authenticate users, and to implement features like passwordless access, you can use the rules and factor sequencing in the authentication policies. The following shows an example of a policy with passwordless access.


Passwordless access with WebAuthn (e.g., Windows Hello, Apple Touch ID) based on location and access risk

Tip: Okta supports a very wide range of industry-standard factors, from SMS and OTP, through traditional and more modern tokens, to standards-based integrations such as FIDO 1 & 2, WebAuthn, and Smartcard/PIV. These MFA options allow for a range of access policies. The choices applied to web apps can be based on the sensitivity of the data and the service they provide.
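To make the two policy screenshots above concrete, here is an added, self-contained model of how a priority-ordered, first-match sign-on policy decides between passwordless WebAuthn on a trusted network, password plus a modern factor elsewhere, and an outright deny for high-risk sessions. This is illustrative code written for this post, not Okta's policy engine or its API: the rule fields, the zone names (`corp-hq`, `corp-vpn`, `cafe-wifi`) and the risk labels are constructed assumptions. The `lint` function shows the check a practitioner wants before trusting such a policy: a deny rule placed below a catch-all rule can never fire.

```python
from dataclasses import dataclass

# Constructed zone names standing in for the trusted network zones (assumption).
TRUSTED_ZONES = frozenset({"corp-hq", "corp-vpn"})
RISK_LEVELS = ("LOW", "MEDIUM", "HIGH")


@dataclass(frozen=True)
class Rule:
    name: str
    network: str            # "TRUSTED", "UNTRUSTED" or "ANY"
    risk: frozenset         # risk levels this rule applies to; empty = any level
    action: str             # "ALLOW" or "DENY"
    password: bool = True   # whether the password factor is required
    factors: tuple = ()     # accepted additional factors, e.g. ("webauthn", "push")


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    zone: str               # network zone the request came from
    risk: str               # risk level from behaviour detection


def in_scope(rule: Rule, req: Request) -> bool:
    """Does this rule's condition block match the request?"""
    trusted = req.zone in TRUSTED_ZONES
    if rule.network == "TRUSTED" and not trusted:
        return False
    if rule.network == "UNTRUSTED" and trusted:
        return False
    if rule.risk and req.risk not in rule.risk:
        return False
    return True


def evaluate(policy: list, req: Request) -> dict:
    """First matching rule wins (rules are evaluated in priority order)."""
    for rule in policy:
        if in_scope(rule, req):
            return {"rule": rule.name, "action": rule.action,
                    "password": rule.password, "factors": list(rule.factors)}
    # Fail closed if nothing matched.
    return {"rule": None, "action": "DENY", "password": False, "factors": []}


def lint(policy: list) -> list:
    """Flag orderings and rules that silently weaken the policy."""
    findings = []
    if not any(r.network == "ANY" and not r.risk for r in policy):
        findings.append("no catch-all rule: unmatched requests rely on the default")
    shadowed = False
    for r in policy:
        if shadowed:
            findings.append(f"rule '{r.name}' is unreachable (a catch-all precedes it)")
        if r.network == "ANY" and not r.risk:
            shadowed = True
    for r in policy:
        if r.action == "ALLOW" and not r.factors:
            findings.append(f"rule '{r.name}' allows password-only access")
    return findings


# Constructed policy mirroring the two screenshots: deny high risk, passwordless
# WebAuthn on the trusted network at low risk, MFA with a modern factor elsewhere.
ON_PREM_APP_POLICY = [
    Rule("Deny high-risk sessions", "ANY", frozenset({"HIGH"}), "DENY"),
    Rule("Passwordless on trusted network", "TRUSTED", frozenset({"LOW"}), "ALLOW",
         password=False, factors=("webauthn",)),
    Rule("MFA everywhere else", "ANY", frozenset(), "ALLOW",
         password=True, factors=("webauthn", "push")),
]

# Same rules, but the catch-all is listed first: the deny rule becomes dead code.
MISORDERED_POLICY = [ON_PREM_APP_POLICY[2], ON_PREM_APP_POLICY[0]]

# A legacy-style policy that only ever asks for a password.
PASSWORD_ONLY_POLICY = [Rule("Legacy password only", "ANY", frozenset(), "ALLOW")]


if __name__ == "__main__":
    for zone, risk in (("corp-hq", "LOW"), ("cafe-wifi", "LOW"), ("corp-hq", "HIGH")):
        req = Request("alice", "intranet-portal", zone, risk)
        print(zone, risk, "->", evaluate(ON_PREM_APP_POLICY, req))
    print("lint(misordered):", lint(MISORDERED_POLICY))
    print("lint(password only):", lint(PASSWORD_ONLY_POLICY))
```

Running the script shows the trusted low-risk request getting WebAuthn with no password, the coffee-shop request getting password plus WebAuthn or push, and the high-risk request denied; the misordered copy of the same rules lets that high-risk request through because the catch-all matches first, which is exactly what `lint` reports.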

Example of user experience:


By combining Okta Access Gateway with Adaptive MFA policies, you get a recipe for success through

  • Securing access to on-premises apps
  • Improving the user experience
  • Bringing on-premises apps in line with cloud and enterprise apps

And, by using adaptive SSO and MFA policies, you gain centralized control and flexibility where needed—all without significant changes to the target on-premises application.

Your SSO and MFA policies become the common policies used across the organization, providing consistency. This makes for easier administration and access reviews too. You can apply them to internal applications, supply chain, B2B collaboration, or even customer-facing applications, to enhance usability on multiple devices while also improving the security posture.

Interested in a few secret features of Okta Access Gateway? Check out our previous series, Secure On-Premises Solutions with Okta: Secret Features + a Preview.