Deploy Access Gateway

Deployment is the process of downloading and installing the Access Gateway Virtual Appliance. Typically Access Gateway is deployed using an architecture similar to the one shown in the Access Gateway High Availability architecture diagram below, although High Availability itself is optional. Note that Access Gateway instances must be hosted in a virtual environment.

Access Gateway High Availability architecture

Before deploying an instance of the Access Gateway OVA, review the following:

  • Prerequisites - Ensure all prerequisite requirements are met before deploying an instance of Access Gateway.
  • Virtual Environments - Select one of the supported Virtual Machine environments.
  • Deploy - Deploy Access Gateway to the selected environment. Deployment involves downloading, configuring and deploying the Access Gateway Virtual Appliance into the selected Virtual Machine environment.

The FQDNs for all applications integrated with the Access Gateway must be resolvable in DNS.


Deploy to VMWare vSphere

In this section, we examine the process for deploying Access Gateway to VMware vSphere.
Access Gateway can be deployed to any of the environments described in the Supported deployment environments list.

To Import to VMWare ESXi/vSphere:

Note: Versions of VMware ESXi, vSphere and vSphere Client older than 6.5 do not support OVF manifests that use SHA-256 digests. If you must deploy to one of those versions, convert the OVA to a SHA-1 manifest with ovftool. The conversion regenerates the manifest, so check the integrity of the downloaded OVA against its original manifest before converting; after conversion the file carries a new, weaker SHA-1 manifest that no longer matches what was downloaded.
To convert from SHA-256 to SHA-1:

$ ovftool --shaAlgorithm=SHA1 /path/to/the/original/ova_file.ova /path/to/the/new/ova/file-SHA1.ova
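Before converting or importing, it is worth checking the OVA's own manifest rather than trusting the file name or the download. The following is an added example, not Okta code and not part of this page: it opens an OVA (a tar archive), reads the .mf manifest, which lists one line per file in the form ALGORITHM(filename)= hexdigest, recomputes every digest, and reports which algorithm the manifest uses, which is what decides whether the SHA-1 conversion above is needed at all. The archives built in demo() are constructed stand-ins, not the Okta image. The .cert signature over the manifest is not checked here; that requires the publisher's certificate.

```python
"""Check the integrity manifest inside an OVA before importing it.

Added example, not Okta code. An OVA is a tar archive containing the .ovf
descriptor, one or more disk images and a .mf manifest with one line per
file in the form  SHA256(Name.ovf)= <hex digest>  (SHA1 on older tooling).
The check recomputes every digest and reports which algorithm the manifest
uses, which decides whether a pre-6.5 vSphere needs the
ovftool --shaAlgorithm=SHA1 conversion. The .cert signature is not checked.
"""
import hashlib
import io
import os
import re
import sys
import tarfile
import tempfile

# One manifest line: ALGORITHM(filename)= hexdigest
MANIFEST_LINE = re.compile(
    r"^(?P<alg>SHA1|SHA256|SHA512)\((?P<name>[^)]+)\)=\s*(?P<digest>[0-9A-Fa-f]+)\s*$"
)


def parse_manifest(text):
    """Return [(algorithm, filename, lowercase hex digest), ...] or raise ValueError."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno} is not ALGORITHM(file)= digest: {line!r}")
        entries.append((m.group("alg"), m.group("name"), m.group("digest").lower()))
    return entries


def verify_ova_manifest(ova_path):
    """Verify every file listed in the OVA's .mf against its digest.

    Returns {"algorithms": [...], "files": {name: "ok"|"MISMATCH"|"missing"},
             "unlisted": [files present but not covered by the manifest], "ok": bool}.
    """
    with tarfile.open(ova_path, "r:*") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        manifests = [n for n in members if n.endswith(".mf")]
        if len(manifests) != 1:
            raise ValueError(f"expected exactly one .mf in {ova_path}, found {manifests}")
        entries = parse_manifest(tar.extractfile(members[manifests[0]]).read().decode("utf-8"))

        files, algorithms = {}, set()
        for alg, name, expected in entries:
            algorithms.add(alg)
            if name not in members:
                files[name] = "missing"
                continue
            h = hashlib.new(alg.lower())
            with tar.extractfile(members[name]) as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            files[name] = "ok" if h.hexdigest() == expected else "MISMATCH"

        # Anything shipped in the archive but not covered by the manifest is unverified.
        unlisted = sorted(n for n in members
                          if n not in files and not n.endswith((".mf", ".cert")))

    return {
        "algorithms": sorted(algorithms),
        "files": files,
        "unlisted": unlisted,
        "ok": bool(files) and all(v == "ok" for v in files.values()) and not unlisted,
    }


def build_sample_ova(path, algorithm="SHA256", tamper=False):
    """Write a tiny constructed OVA (a stand-in, not the real image) to path.

    With tamper=True the disk image is altered after the manifest was
    generated, which is exactly the case the check must catch.
    """
    files = {
        "Sample.ovf": b"<?xml version='1.0'?><Envelope/>",   # constructed descriptor
        "Sample-disk1.vmdk": b"KDMV" + b"\x00" * 1024,       # constructed fake disk
    }
    manifest = "".join(
        f"{algorithm}({name})= {hashlib.new(algorithm.lower(), data).hexdigest()}\n"
        for name, data in files.items()
    ).encode("utf-8")
    if tamper:
        files["Sample-disk1.vmdk"] += b"\x90"                # modified after the manifest was made
    with tarfile.open(path, "w") as tar:
        for name, data in list(files.items()) + [("Sample.mf", manifest)]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo():
    """Build a clean SHA-256 OVA and a tampered SHA-1 OVA and verify both."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.ova"), os.path.join(d, "bad.ova")
        build_sample_ova(good, "SHA256")
        build_sample_ova(bad, "SHA1", tamper=True)
        return {"good": verify_ova_manifest(good), "bad": verify_ova_manifest(bad)}


if __name__ == "__main__":
    if len(sys.argv) == 2:          # real use: python3 verify_ova.py Access-Gateway.ova
        report = verify_ova_manifest(sys.argv[1])
        print(report)
        sys.exit(0 if report["ok"] else 1)
    for label, report in demo().items():
        print(label, report)
```

Run it against the downloaded OVA before any ovftool conversion: a report with "algorithms": ["SHA256"] and "ok": True means the archive matches its manifest and only needs conversion if the target host is older than 6.5; a MISMATCH or an unlisted file means the archive should not be imported.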

  1. Download and install VMware vSphere Client from the ESXi/vSphere server.

  2. Open VMware vSphere Client.

  3. Enter the server name or IP address and credentials in the respective fields, and click Login.


  4. In the vSphere Client window, select File > Deploy OVF Template.


  5. In the Deploy OVF Template window, click Browse.

  6. Select the Okta-Access Gateway OVA file, and click Open.


  7. Click Next.

  8. Review the template details provided, and click Next.

  9. When prompted to accept the Access Gateway license agreement, click Accept and then click Next.

  10. Enter a name for the Access Gateway template, and click Next.


  11. On the next page, select a storage location, and click Next.


  12. Select the appropriate disk format option based on your requirements, and click Next.


  13. Click Finish.

    vSphere Client will begin the deployment process.

  14. Click Close in the confirmation dialog box when the deployment is complete.

  15. In the vSphere Client window, click Inventory.


  16. Select the Virtual Machines tab to display the VMs that are currently deployed to the server.

  17. Select the Access Gateway VM, and click Power On (symbolized by a green play icon) in the toolbar.


  18. Right-click the VM, and click Open Console to log in to the VM.


Perform required post deployment configuration tasks

All deployments of Access Gateway require the following set of common tasks:

Task: First login
Description: Reset the Access Gateway command line interface password. Reset the virtual appliance at the command line.
Related topics: First login to Command Line Console; Initialize Access Gateway Command line

Task: Determine the assigned IP address and configure DNS
Description: Determine the Access Gateway IP address, configure the required /etc/hosts admin entry, and configure the required DNS entries.
Related topics: Determine Access Gateway IP address, for non-AWS instances; Configure Admin /etc/hosts entry; Configure Access Gateway DNS

Task: Initialize Access Gateway
Description: Initialize the cookie domain and instance hostname.
Related topics: Initialize Access Gateway Console

Task: Configure an identity provider
Description: Configure your Okta tenant as the identity provider and set up SAML access.
Related topics: Configure your Okta tenant as an Identity Provider

Task: Configure SAML access to Access Gateway from your Okta tenant
Description: Configure the Okta tenant to allow access to Access Gateway using SAML.
Related topics: Configure Administration Access using SAML

Important Note

When creating a set of Access Gateway nodes for use in a High Availability cluster, take care to name the nodes appropriately. Each node name must be resolvable from every other Access Gateway instance before configuring High Availability.
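A pre-flight check covering the names this page requires to resolve: the application FQDNs, the admin hostname, and each HA node name. This is an added example, not Okta tooling and not anything shipped on the appliance. The hostnames and the address table used by demo() are constructed placeholders; for a real check leave resolve at its default, which uses the resolver of the host you run it on, and run it on every node when validating HA, since the requirement is that names resolve from each node.

```python
"""Pre-flight name-resolution check for an Access Gateway deployment.

Added example, not Okta code. The page requires that application FQDNs be
resolvable in DNS, that the admin hostname resolve (via DNS or a hosts
entry), and that HA node names resolve between nodes. This runs those
checks from the host it is executed on; resolve() is pluggable so the
logic can be exercised offline against a constructed table.
"""
import ipaddress
import socket


def system_resolver(name):
    """Resolve name with the host's resolver (DNS and /etc/hosts); [] if it fails."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0].split("%")[0] for info in infos})   # drop IPv6 scope ids


def check_names(app_fqdns, admin_hostname, ha_nodes=(), resolve=system_resolver):
    """Return a report of every name that must resolve and the problems found."""
    findings = []
    for role, names in (("application", app_fqdns),
                        ("admin", [admin_hostname]),
                        ("ha-node", ha_nodes)):
        for name in names:
            addrs = resolve(name)
            if "." not in name:
                status = "NOT-FQDN"     # the page requires fully qualified names
            elif not addrs:
                status = "UNRESOLVED"
            elif all(ipaddress.ip_address(a).is_loopback for a in addrs):
                status = "LOOPBACK"     # local-only hosts entry; useless from any other machine
            else:
                status = "ok"
            findings.append({"name": name, "role": role, "status": status, "addresses": addrs})

    # HA nodes must be distinct machines; two node names on one address is a naming slip.
    by_addr = {}
    for f in findings:
        if f["role"] == "ha-node":
            for a in f["addresses"]:
                by_addr.setdefault(a, []).append(f["name"])
    duplicate_nodes = {a: n for a, n in by_addr.items() if len(n) > 1}

    problems = [f"{f['role']} {f['name']}: {f['status']}"
                for f in findings if f["status"] != "ok"]
    problems += [f"ha-nodes {', '.join(n)} all resolve to {a}"
                 for a, n in duplicate_nodes.items()]
    return {"findings": findings, "problems": problems, "ok": not problems}


# Constructed resolution table used by demo(); names and addresses are placeholders.
SAMPLE_TABLE = {
    "hr.example.com":        ["10.0.0.21"],
    "gw-admin.example.com":  ["10.0.0.10"],
    "gw-node1.example.com":  ["10.0.0.10"],
    "gw-node2.example.com":  ["10.0.0.11"],
    "gw-node3.example.com":  ["10.0.0.11"],   # slip: same address as gw-node2
    "wiki.example.com":      ["127.0.0.1"],   # hosts-file shortcut, unreachable from elsewhere
}


def demo():
    """Run the check offline against the constructed table (not a live resolver)."""
    return check_names(
        app_fqdns=["hr.example.com", "wiki.example.com", "payroll.example.com", "intranet"],
        admin_hostname="gw-admin.example.com",
        ha_nodes=["gw-node1.example.com", "gw-node2.example.com", "gw-node3.example.com"],
        resolve=lambda name: SAMPLE_TABLE.get(name, []),
    )


if __name__ == "__main__":
    import sys
    report = demo()
    for p in report["problems"]:
        print("PROBLEM:", p)
    sys.exit(0 if report["ok"] else 1)
```

Against the constructed table the report lists four problems: one application name that only resolves to loopback, one that does not resolve, one that is not fully qualified, and two HA node names that share an address. The loopback case is the one a local /etc/hosts admin entry can hide: it works from the workstation that has the entry and from nowhere else, which is why the HA check must be run from each node rather than from an administrator's machine.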

Supported deployment environments