Disable Okta IWA Web agent authentication for specific clients

By default, the IWA Web agent attempts IWA SSO for every client that tries to access an Okta-protected app. You can change this by creating an IIS URL Rewrite rule that sends specified clients straight to the Okta sign-in page without attempting IWA SSO. The rule uses pattern matching (typically on the request's User-Agent header) to detect clients that can't complete IWA SSO, then performs the configured action. Note that the User-Agent is supplied by the client and can be spoofed, so treat the rule as a routing choice rather than an authorization decision: whichever path a client is sent down, it still has to authenticate, either through IWA or through Okta.

This procedure requires Okta IWA Web agent version 1.9.1 or higher.

  1. Download the Microsoft URL Rewrite 2.0 module.
  2. Install the rewrite module on the server that hosts your IWA Web agent.
  3. Open Internet Information Services (IIS) Manager on the server that hosts your IWA Web agent.
  4. In the Connections pane, expand Sites > Default Web Site and select IWA.
  5. Double-click the URL Rewrite icon in the center pane.
  6. See Create Rewrite Rules for the URL Rewrite Module for detailed instructions on creating rules. You can also refer to the example URL rewrite rules that are provided in C:\inetpub\wwwroot\IWA\web.config.

    The following are two examples of rules that you can configure.

    • To attempt IWA authentication for the clients a rule matches, configure this action:

      <action type="Rewrite" url="iwa.aspx?action=iwa" />

    • To skip IWA authentication for the clients a rule matches and send users to the Okta sign-in page, configure this action:

      <action type="Rewrite" url="iwa.aspx?action=okta" />

  7. Under Actions, click Apply.
  8. Restart IIS (for example, by running iisreset from an elevated command prompt) so the new rules take effect.
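The following web.config fragment is an added example of a complete rule set for step 6; it is not taken from the Okta page or from the agent's shipped web.config. It assumes the agent page is reached at iwa.aspx (the target of the action URLs above) and uses constructed User-Agent patterns: "Windows NT" for domain-joined Windows browsers, and iPhone/iPad/Android for clients that should bypass IWA. Only the two action URLs come from the page; adjust the match URL and patterns to your environment.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Added example, not the Okta page's or the IWA Web agent's own configuration.
  Assumptions: the agent handles requests at iwa.aspx, and the User-Agent
  patterns below are constructed placeholders for your client fleet.
-->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>

        <!-- Rule 1: browsers on Windows get an IWA (Kerberos/NTLM) attempt. -->
        <rule name="Attempt IWA for Windows clients" stopProcessing="true">
          <match url="^iwa\.aspx$" ignoreCase="true" />
          <conditions logicalGrouping="MatchAll">
            <!-- Skip requests that already carry an action, so a rewritten URL
                 is never matched a second time (prevents rewrite loops). -->
            <add input="{QUERY_STRING}" pattern="(^|&amp;)action=" negate="true" />
            <!-- Constructed pattern: Windows desktop browsers. -->
            <add input="{HTTP_USER_AGENT}" pattern="Windows NT" />
          </conditions>
          <!-- Action URL from the Okta page: try IWA SSO. -->
          <action type="Rewrite" url="iwa.aspx?action=iwa" appendQueryString="true" />
        </rule>

        <!-- Rule 2: mobile clients cannot complete IWA; send them to Okta. -->
        <rule name="Skip IWA for mobile clients" stopProcessing="true">
          <match url="^iwa\.aspx$" ignoreCase="true" />
          <conditions logicalGrouping="MatchAll">
            <add input="{QUERY_STRING}" pattern="(^|&amp;)action=" negate="true" />
            <!-- Constructed pattern: iOS and Android user agents. -->
            <add input="{HTTP_USER_AGENT}" pattern="iPhone|iPad|Android" />
          </conditions>
          <!-- Action URL from the Okta page: go straight to the Okta sign-in page. -->
          <action type="Rewrite" url="iwa.aspx?action=okta" appendQueryString="true" />
        </rule>

        <!-- Any client matching neither rule falls through to the agent's
             default behaviour, which is to attempt IWA SSO. -->

      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Rules are evaluated top to bottom, and stopProcessing="true" prevents a request that matched rule 1 from also being examined by rule 2. The negated {QUERY_STRING} condition is there because an IIS Rewrite action hands the rewritten URL back to the same pipeline; without it, a URL that already contains action=okta could be matched again. To check the result, send a request with a custom User-Agent header (for example with curl -A or a browser's device emulation) and confirm that a mobile string lands on the Okta sign-in page while a Windows string still receives the IWA challenge. Because the User-Agent is client-controlled, a spoofed value only changes which sign-in path is attempted; it never grants access by itself.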