Trusted proxies

Learn why trusted proxies affect the accuracy of Okta security features, and how to decide between a trusted proxy and the IP exempt zone.

A trusted proxy is an intermediate server that provides information about a requesting client's IP address. When you identify an intermediate server as a trusted proxy in an IP zone, Okta looks past that server's IP address in the IP chain and evaluates the request using the client IP address instead. If you don't identify a proxy as trusted, Okta evaluates the proxy's IP address as if it were the client IP address. See IP zones.

Why trusted proxies matter

Several Okta security features depend on the client IP address to work as intended, and produce less accurate results when they evaluate a proxy IP address instead.

Okta ThreatInsight
Evaluates the client IP address to identify sign-in attempts from potentially malicious IP addresses. If trusted proxies aren't configured correctly, Okta ThreatInsight evaluates the proxy IP address instead of the client IP address, which reduces its ability to detect threats. See About Okta ThreatInsight.
Risk engine
Uses the client IP address, along with device and behavioral data, to calculate a risk score for each sign-in attempt. An inaccurate client IP address can produce an inaccurate risk score. See Risk scoring.
Behavior Detection
Compares the client IP address for a sign-in attempt against a user's history of successful sign-in attempts to detect new or anomalous IP address patterns. If Okta evaluates a proxy IP address instead of the client IP address, Behavior Detection can miss anomalous activity or flag legitimate activity as anomalous. See About Behavior Detection.

Choose between a trusted proxy and an exempt zone

A trusted proxy and the DefaultExemptIpZone both affect how Okta evaluates IP addresses, but they solve different problems. Use the following guide to decide which one applies to your situation.

Use a trusted proxy

Use a trusted proxy if an intermediate server, such as a load balancer, VPN concentrator, or reverse proxy, sits between your users and Okta, and you want Okta to evaluate the client IP address rather than the proxy's IP address. Identifying a proxy as trusted improves the accuracy of Okta ThreatInsight, the risk engine, and Behavior Detection.

Use the exempt zone
Use the exempt zone if you want to allow traffic from specific gateway IPs regardless of Okta ThreatInsight configurations, blocked network zones, or IP change events within Identity Threat Protection. The exempt zone is a bypass. It doesn't change which IP address Okta identifies as the client IP address.

You can't add trusted proxy IPs to the DefaultExemptIpZone. See IP exempt zone.