Add a generic header application

The purpose of this tutorial is to walk through the process of setting up a header application through the Access Gateway Admin Console.

Before you begin

  • Access Gateway is installed and configured for use.
    See Manage Access Gateway deployment.
  • Access Gateway has been configured to use your Okta tenant as IDP.
    See Configure your Okta tenant as Identity Provider for more information about configuring your Okta tenant as an IDP.
  • You have administrator rights on your Okta tenant and can assign applications to users, and create groups.
  • An external header based application which requires protection.
  • Appropriate DNS entries for both the legacy application and the exposed new URL exist.


Create the application in Access Gateway

  1. Navigate to your Access Gateway Instance.

    Note: Access Gateway creates a default self-signed certificate. For non-production deployments, this will be appropriate. Proceed past any security exceptions raised by your browser. For production deployments, a valid certificate can be installed and these exceptions will not be needed.

  2. In the Access Gateway Admin UI, sign in as an administrator.

  3. Click the Applications tab.

    Select applications tab

  4. Click +Add to add a new application.

    Click Add.

  5. Select the Header Based option from the left column menu, and click Create.

    Select header based and click create.

    The New Protected Application wizard will start and display the Essentials pane for the application being added.

  6. In the Essentials pane specify the following:

    Field Value
    Label A name for the application.
    Public Domain A fully qualified host name such as gw-header-app.<your domain>
    Protected Web Resource The URL of the protected resources.


    Specifying a protected web resource of header.server.spgw tells Access Gateway to execute the header test suite. This is a special protected web resource.

    Group Enter the group containing the users who should have access to the application.
    Description [optional] An appropriate description for your application.
  7. Review the Essentials page and then click Next.
    The Attributes pane appears.
  8. The Attributes pane provides a list of attributes that will be passed into the application.
    This page also provides the ability to add, edit, or remove any attribute. For more information on the attribute options, see Application attributes.
    Add any required attributes, and click Next.

    The Policies pane appears.

  9. Leave all policies unchanged and click Done.
    For more information on Application policies see About application policy.

  10. Click Next.

    Note:The Attributes page provides a list of attributes that will be passed into the application. This page also provides the ability to add, edit, or remove any attribute.

Define Okta tenant groups

Within your Okta Tenant you will need to define one or more groups representing the sections of your application being protected. See the policy guide for information on defining fine grained application policy. In addition you may define additional attribute field values required by your application but outside those provided by default.

To define groups within your Okta tenant:

  1. Login to your Okta tenant as administrator.
  2. Select Directory > Groups.
  3. Using the Add Group button, create one or more groups.
  4. Click the name of the newly added group and use the various menu items to add, and otherwise manage group membership.


    User and group management is outside the scope of this document. See Users, Groups, and Profiles for details of user and group management.

Associate Access Gateway app with protected resource

With a tested Access Gateway Application in place, the next step is that application with a protected resource.
In this section we will:

  • Associate a protected application with an external URL.
  • Associate one or more Okta tenant groups with an application.
  • Define one or more policies to protect portions of an application.
  1. Return to the Access Gateway admin console.

  2. Select the Application table.



    You can move directly to an application by clicking its name in the Topology tab.
    Topology tab to applications.

  3. In the row containing the header application, click the pencil icon. Modify attribute(pencil) icon.

  4. If required, expand the Essentials pane.

  5. Replace the following values:

    Field Value Example
    Public Domain External DNS entry
    Protected Resource Internal protected resource
  6. In the Groups field, add groups associated with this application.

  7. Expand Advanced.

  8. Set advanced fields as required.

  9. Click Next.

[Optional] Add Attributes

To add an attribute click the plus icon. Add attribute(plus) icon.
To delete an attribute, select its row and click the delete icon Delete attribute(trash can) icon.
To modify an existing attribute, select its row and click the pencil icon. Modify attribute(pencil) icon.

For detailed information on the attribute options, see Application Attributes.

  1. Click the (+) icon
  2. From the Data Source drop down select an appropriate data source.
  3. From the Field drop down select a field name.
  4. From the Type drop down select the appropriate target type, either Header or Cookie.
  5. In the Name field enter the name for the header or cookie value expected by the legacy application.
    For example, to map the IDP field username to the header field login, we would create an attribute resembling:
    Example mapping of idP field login to to header field username.
  6. Click Okay when the attribute is complete.

[Optional]Add policy



By default the root, represented by '/', is protected by Access Gateway. However all users who can access the root can access any sub set of resources beneath the root.
Policy can be used to protect subsets of the parent root URL

An overview of user policy can be found in About application policy.
For details and examples of policy see Manage application policy

To add a policy statement which protects an specific portion of an application,

  1. In the Policies tab click the (+) icon.
  2. Select one of:
    Protected - Create a policy rule which protects a specific URI
    Unprotected - Create a policy rule which marks a URL unprotected
    Adaptive - Create an adaptive policy rule
    Protected Rule - Create a Protected policy rule.
  3. Enter an appropriate Name for the rule.
  4. Enter the Resource Path to the URI being protected. 
    For example, a protected rule might protect the /secure URI.
  5. Depending on the rule type, enter additional details such as Resource Matching Rule.

    For example, to create a rule which allows only access to users with a valid username value to access the /secure/ uri,
    we could create a Protected Rule with Resource Matching Rule regular expression username=* as shown.
    Example protected rule protecting the /secured/ resource.

  6. Repeat as required. Click Done when complete.


The following steps assign the application to a test account and then execute the application to verify basic functionality.

Assign the application

  1. Login to your Okta tenant as administrator.

  2. Select Application > Applications.

  3. Click the name of the newly added header application.

  4. Select the Assignments tab.

  5. Select .Assign > Assign To People.

  6. Select an appropriate user and click Assign.



    Testing is typically initially done using the same user who is associated with administering Access Gateway.

  7. Click Done.

Execute the Application

  1. Return to the Access Gateway admin console.

  2. On the row representing the newly added header app, select Goto application > IDP Initiated.


  3. Verify the results page displays all expected attribute values.
  4. Close the results page.

See also