Securing applications is the core of Access Gateway.
Applications are deployed using an architecture similar to that shown in the Access Gateway Application Architecture diagram.
In general, Access Gateway:
- Acts as a reverse-proxy
- Integrates with on-premises applications using legacy patterns.
- Has individual SAML contracts and authorization policies for each on-premises application.
- Applications have their own SAML encryption, assertion attributes, session timeouts, MFA policies, and URL authorization.
Each application protected by Access Gateway is configured individually according to its specific needs and requirements.
When creating an application configuration in Access Gateway, there are various application templates available to speed the configuration process. Each application template is geared towards a specific set of application requirements. The Access Gateway Supported Applications page includes a list of all supported application types. The Supported Technologies page contains a list of all currently supported application versions and similar information.
There are many sample applications. In this guide we will integrate an example header application.
The header app helps you familiarize yourself with how Access Gateway works and provides a testing endpoint in case you need to troubleshoot application integration.
- Access Gateway is installed and configured for use.
See Manage Access Gateway deployment.
- Access Gateway has been configured to use your Okta tenant as IDP.
See Configure your Okta tenant as Identity Provider for more information about configuring your Okta tenant as an IDP.
- You have administrator rights on your Okta tenant and can assign applications to users, and create groups.
- Appropriate DNS entries exist for the application.
A best practice for testing a header application is to add header.<yourdomain> to /etc/hosts. On Windows this file can be found at c:\windows\system32\drivers\etc\hosts.
This entry should point to the same IP address as is used for Access Gateway. For example:
. . .
. . .
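One way to check the hosts entry described above before opening the Admin UI console. This is an added example, not part of the Access Gateway documentation; the host names, the address 10.0.0.50 and the sample file contents are constructed placeholders. It assumes the first matching line in the hosts file is the one the resolver uses.

```python
import ipaddress

# Constructed sample hosts file; the names and the addresses are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# Access Gateway test entries (constructed values)
10.0.0.50   gw-admin.example.com
10.0.0.50   Header.Example.com header   # header test application
10.0.0.99   header.example.com          # stale duplicate, shadowed
"""

def parse_hosts(text):
    """Return (line_no, ip, [lowercased names]) for each valid hosts line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or name-less line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP address
        entries.append((line_no, ip, [n.lower() for n in fields[1:]]))
    return entries

def check_app_entry(text, app_host, gateway_ip):
    """Check that app_host maps to gateway_ip in the hosts file text.

    Returns (ok, problems). Only the first matching line decides ok
    (assumption: first match wins); later lines that disagree with it
    are reported so they can be cleaned up.
    """
    want = ipaddress.ip_address(gateway_ip)
    matches = [(n, ip) for n, ip, names in parse_hosts(text)
               if app_host.lower() in names]
    if not matches:
        return False, [f"no entry for {app_host}"]
    problems = []
    first_line, first_ip = matches[0]
    if first_ip != want:
        problems.append(f"line {first_line}: {app_host} -> {first_ip}, expected {want}")
    for line_no, ip in matches[1:]:
        if ip != first_ip:
            problems.append(f"line {line_no}: conflicting entry {ip} is shadowed")
    return first_ip == want, problems

if __name__ == "__main__":
    ok, problems = check_app_entry(SAMPLE_HOSTS, "header.example.com", "10.0.0.50")
    print("OK" if ok else "FAIL", *problems, sep="\n")
```

To check a real machine, pass the contents of /etc/hosts (or the Windows hosts file) as `text`, with your own header host name and Access Gateway address.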
Open the Access Gateway Admin UI console.
Access Gateway creates a default self-signed certificate. For non-production deployments, this will be appropriate. Proceed past any security exceptions raised by your browser. For production deployments, a valid certificate can be installed and these exceptions will not be needed.
- Click the Applications tab
- Click + Add to add a new application.
Select the Header Based option from the left column menu, and click Create.
The New Protected Application wizard will start and display the Essentials pane for the application being added.
In the Essentials pane specify the following:
| Field | Value |
| --- | --- |
| Label | A name for the application. For example: Example Header Application |
| Public Domain | A fully qualified host name such as header.<your domain>. For testing, add header.<yourdomain> to /etc/hosts. |
| Protected Web Resource | The URL of the protected resources. For testing enter http://header.service.spgw. Specifying a protected web resource of header.service.spgw tells Access Gateway to execute the header test suite. |
| Group | Enter the group containing the users who should have access to the application. For testing this is typically the Everyone group. |
| Description | [optional] An appropriate description for your application. |
Review the Settings tab then click Done.
For more information on the application setting options, see Application Settings.
Return to the Access Gateway Admin UI console.
Select the new application and click the pencil icon.
In the Attributes section, click the +.
Scroll down to the Add new Session Attribute window.
In the Name field, enter manager, and select the manager attribute type in the Value field.
In the Value menu, type in the name of the attribute you want to add, and then click the new attribute in the dropdown menu.
- Click Done.
- Confirm that the Header App is displayed as Active in the Protected Applications list.
- In the row containing the application, click Goto > SP Initiated.
- In the application page, review and verify that the Header App sent to Okta matches your profile information.
For a complete list of all applications and their associated integration details, see Integrating Applications with Access Gateway.