Configure SSL for the Okta IWA Web agent

To ensure a secure connection between your Okta IWA Web agent and cloud apps, configure the Secure Sockets Layer (SSL). This is important for security and a hard requirement for authentication on some Windows 10 Universal Applications such as OneNote and Mail. See Cannot sign into an Office 2016 application on Windows 10.

If your IWA Web agent is installed on a server running Windows 2008 R2, you may need to enable TLS 1.2 on Windows Server 2008 R2.

Acquire an SSL certificate

Okta recommends acquiring an SSL certificate from a third-party Certificate Authority such as GoDaddy, Verisign, or Digicert. If you're unfamiliar with creating a certificate signing request and installing an SSL certificate, refer to the documentation provided by your selected Certificate Authority. The following guides from sslstore are useful references:

CSR Generation for SSL Certificates

How to Install an SSL/TLS Certificate In Microsoft IIS 7

Certificate creation considerations:

  • Okta recommends acquiring a certificate that has one or more Subject Alternative Names (SANs). If the certificate doesn't contain a SAN, Firefox and Chrome users encounter an error when their browser attempts to connect to the Desktop SSO web site.
  • The IWA Redirect URL must match what's entered in the CN or SAN. For example:
    • If you plan to use the server's host name as the IWA Redirect URL (for example, https://IWAserver/IWA), the CN or SAN values would be IWAServer.
    • If you plan to use the server's FQDN as the IWA redirect URL (for example, https://IWAserver.mycompany.com/IWA), the CN or SAN values would be IWAserver.mycompany.com.
    • If your certificate's CN or SAN value is IWAserver, an attempt to connect to https://IWAserver.mycompany.com fails because the URL doesn't match what's specified in the certificate.
  • If you plan on installing Desktop SSO on multiple servers to provide fail-over, Okta strongly recommends acquiring a wildcard certificate (for example: *.mycompany.com) or a certificate that contains SAN entries for each server's URL (for example: https://IWA1.mycompany.com, https://IWA2.mycompany.com). This allows you to use the same certificate on each server.
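The host-name matching rule described above, as an added example (not Okta's code): given the IWA redirect URL and the DNS names extracted from the certificate's CN and SAN entries, it reports whether the certificate covers the URL, including the single-label wildcard case (*.mycompany.com) and the multi-server fail-over case. It assumes the certificate names have already been read out as plain DNS names.

```python
"""Check whether an IWA redirect URL's host is covered by a certificate's names.

Added example, not part of Okta's documentation. Assumes the certificate's
Common Name and Subject Alternative Name entries are supplied as a list of
DNS names. Matching follows the rule browsers apply to dNSName entries:
exact case-insensitive match, or a wildcard in the left-most label only
(*.mycompany.com covers IWA1.mycompany.com, not mycompany.com or IWAserver).
"""
from urllib.parse import urlsplit


def redirect_host(redirect_url: str) -> str:
    """Return the lower-cased host of an https IWA redirect URL."""
    parts = urlsplit(redirect_url)
    if parts.scheme != "https":
        raise ValueError(f"IWA redirect URL must use https: {redirect_url!r}")
    if not parts.hostname:
        raise ValueError(f"no host found in {redirect_url!r}")
    return parts.hostname.lower()


def name_matches(cert_name: str, host: str) -> bool:
    """True if one certificate name (CN or SAN dNSName) covers host."""
    cert_name = cert_name.lower()
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                 # e.g. ".mycompany.com"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        # The wildcard stands for exactly one label: no dots allowed in it.
        return "." not in host[: -len(suffix)]
    return cert_name == host


def certificate_covers(redirect_url: str, cert_names: list[str]) -> bool:
    """True if any CN/SAN entry covers the redirect URL's host."""
    host = redirect_host(redirect_url)
    return any(name_matches(name, host) for name in cert_names)


def uncovered_urls(redirect_urls: list[str], cert_names: list[str]) -> list[str]:
    """Fail-over check: redirect URLs (one per server) the certificate does not cover."""
    return [url for url in redirect_urls if not certificate_covers(url, cert_names)]


if __name__ == "__main__":
    # Constructed values mirroring the cases in the considerations list above.
    print(certificate_covers("https://IWAserver.mycompany.com/IWA", ["IWAserver"]))  # False
    print(uncovered_urls(["https://IWA1.mycompany.com/IWA", "https://IWA2.mycompany.com/IWA"],
                         ["*.mycompany.com"]))  # []
```

Run it before switching the redirect URL to https; a non-empty list from uncovered_urls means one of the servers will fail the certificate check.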

Enable SSL

  1. In the Admin Console, go to Security > Delegated Authentication.
  2. Scroll down to On-Prem Desktop SSO and click Edit.
  3. In the IWA Agents area, click Edit.
  4. In the IWA redirect URL field, change the URL from http to https.
    You must use the same naming convention for the IWA redirect URL that you use in the Common Name field. That is, if you use the FQDN or host name in the Common Name field, you must also use it in the IWA redirect URL.
  5. Click Save.

Next steps

Configure routing rules for the Okta IWA Web agent