IT Provider to US Government Protects Its Apps with Okta + F5

Situation

Ensuring that your workforce can access the data they need, when they need it, from any work location can be a challenge. Employees need to connect to enterprise applications from the office and remotely, and the applications they are accessing reside on-premises and in the cloud. The situation becomes even more complex for a long-time Okta customer whose employees often work from government sites and on government-provided computers with necessary restrictions on what can and can’t be downloaded and installed.

A leading provider of IT solutions to US government agencies wanted to simplify the process for employees to access internal applications. The organization has about 25,000 users, and more than half of them work offsite, which means reliable remote access is essential. Although the company had a VPN for users working outside of the network to connect to on-premises applications, the solution wasn’t effective because it didn’t connect to all apps, had high overhead, and didn’t work at every site.

“We were using an SSL VPN, but it wasn’t pretty. Some of the resources employees needed access to were there, but not all. It also required lots of URL rewriting, and it didn’t work for our employees at government sites on government machines where installing a VPN client just isn’t possible,” said the project’s Senior Systems Engineer. “We wanted an easier way for employees to access the applications they need.”

Solution

Rather than replacing the VPN with another VPN solution, the project team looked into the possibility of a web-based portal for users to easily and securely access their resources. The company was already using Okta for convenient and secure access to its cloud apps including Workday, ServiceNow, and Concur. The IT team wanted users to have the same easy access to on-prem apps as well.

One of the company’s network engineers suggested tapping into F5 Networks’ capabilities as an access manager. The team was already using F5 for load balancing, so expanding on their investment was a natural next step.

By adding the BIG-IP Access Policy Manager (APM) module to their existing F5 load balancers, the company could now use F5 as the service provider (SP) for internal applications, and Okta as the identity provider (IDP) to all applications–both internal and in the cloud.

Okta + F5 together provide seamless access to apps–on-premises and in the cloud

The team started by setting up two apps–Outlook Web App (OWA) and SharePoint–in the new architecture and saw tremendous user adoption, so they quickly integrated dozens more internal apps. “After we worked through some of the initial internal apps we wanted to secure behind Okta, we just continued adding internal apps like crazy ever since,” noted the Senior Systems Engineer on the project.

Now users can easily access all applications–such as Cognos, Concur, Confluence, Enterprise Vault, Jira, ServiceNow, SharePoint, OWA, Workday, and more–through their Okta dashboard, giving them a single point of access for everything they need.

Results

Easy deployment

Rolling out Okta and F5 BIG-IP APM was easy. “Initially the app teams were concerned that they would have to re-code the applications and change their user tables, but because of Okta’s flexibility, that wasn’t the case. Okta has been very helpful in transitioning these apps over easily and quickly. Now the app teams are saying ‘this is awesome!’ It’s amazing how smooth it has been to migrate their applications to Okta,” said the project’s Senior Systems Engineer.

Improved security

In addition to easy deployment, the company also evolved its security posture with the adoption of Okta’s Adaptive Multi-Factor Authentication (AMFA). Rather than use multi-factor authentication (MFA) on a per-app basis, Okta enabled them to implement a global MFA policy at sign-in. Not only did this make everything more secure, but it also made that security more usable. The Senior Systems Engineer on the project said, “We were using only RSA SecurID for MFA, but now with the addition of Okta, users have a lot more flexibility. If they forget their token, they can use SMS, Okta Verify, or Google Authenticator as the additional factor to log in.”

One-stop shop for application access

Because the company was rolling out Okta AMFA, the added security layer became the catalyst to stop hiding Okta behind the scenes and start promoting the Okta dashboard as the portal for all the access employees need.

In the old model, employees would access apps through vanity URLs that they were already familiar with and had used for a long time. For example, a link such as myexpenses.company.com would redirect users to Concur, and end users were unaware that Okta played a part in authentication behind the scenes.

Once the company began rolling out Okta AMFA, users became aware of Okta as they were setting up their MFA accounts. This opened the door for IT to stop using separate vanity URLs to provide access to each app individually and to start using one URL to the Okta dashboard for employees to easily access all apps.

As a result, IT no longer needed to create and manage vanity URLs for internal and external apps or waste money on site certificates, and users could conveniently go to one place to access everything. The project team’s Senior Systems Engineer added, “When we moved to Okta, access to applications went up tremendously from before. The fact that we made them much easier for end users to access drove a lot more traffic and use. Now that access happens through the browser, and with MFA, apps are both easier to access and secure.”

Simplified IT

Now with the integration of Okta and F5, the IT provider to US government agencies enjoys the benefits of a simpler IT architecture and stronger security. Users no longer have to install a VPN client, IT no longer needs to manage vanity URLs or multiple workflows based on where the app resides, and logging in is easier and more secure for everyone involved.

“As a long-time Okta admin, I’m big into Okta. I dreamed of a world in which my team would be able to use Okta for more than just SaaS apps. Since my early days with Okta, I was trying to promote the Okta dashboard internally and get ahead of the curve. When the initiative to eliminate the SSL VPN came up, I joined forces with our F5 network engineer, and it was clear we had the right people involved at the right time to fully leverage an integrated solution with Okta and F5.”

For more information on the Okta + F5 integration, visit https://www.okta.com/partners/f5/