Configure SSL for the Okta IWA Web agent
To ensure a secure connection between your Okta IWA Web agent agent and cloud apps, configure Secure Socket Layer (SSL). This is important for security and a hard requirement for authentication on some Windows 10 Universal Applications such as OneNote and Mail. See Cannot sign into an Office 2016 application on Windows 10.
Note: If your IWA Web agent is installed on a server running Windows 2008 R2, you may need to enable TLS 1.2 on Windows Server 2008 R2.
Acquire an SSL certificate
Okta recommends acquiring an SSL certificate from a third-party certificate authority such as GoDaddy, Verisign, or Digicert. If you are unfamiliar with creating a certificate signing request and installing an SSL certificate, refer to the documentation provided by your selected Certificate Authority. The following guides from sslstore are useful references:
CSR Generation for SSL Certificates
How to Install an SSL/TLS Certificate In Microsoft IIS 7
Certificate creation considerations:
- Okta recommends acquiring a certificate that has one or more Subject Alternate Names (SANs). If the certificate does not contain a SAN, Firefox and Chrome users will encounter an error when their browser attempts to connect to the Desktop SSO web site.
- The IWA Redirect URL must match what is entered in the CN or SAN. For example:
- If you plan to use the server’s host name as the IWA Redirect URL (for example, https://IWAserver/IWA), the CN or SAN values would be “IWAServer”.
- If you plan to use the server’s FQDN as the IWA Redirect URL (e.g. https://IWAserver.mycompany.com/IWA), the CN or SAN values would be “IWAserver.mycompany.com”.
- If your certificate’s CN or SAN value is IWAserver, an attempt to connect to https://IWAserver.mycompany.com will fail because the URL will not match what is specified in the certificate.
- If you plan on installing Desktop SSO on multiple servers to provide fail over, we strongly recommend acquiring a wild card certificate (for example: *.mycompany.com) OR a certificate that contains SAN entries for each server’s URL (for example: https://IWA1.mycompany.com, https://IWA2.mycompany.com, etc). This will allow you to use the same certificate on each server.
- In the Admin Console, go to Security > Delegated Authentication.
- Scroll down to On-Prem Desktop SSO and click Edit.
- In the IWA Agents area, click Edit .
- In the IWA redirect URL field, change the URL from http to https.
The IWA Redirect URL must use the same naming convention used in the Common Name field. That is, if the FQDN or host name was used in the Common Name field, it must also be used in the IWA Redirect URL.
- Click Save.