Introduction


Okta Access Gateway is a reverse proxy solution designed to secure web applications that do not natively support SAML (Security Assertion Markup Language, an XML-based standard for exchanging authentication and authorization data between an identity provider and a service provider) or OIDC (OpenID Connect, an authentication layer on top of the OAuth 2.0 authorization framework). Access Gateway integrates with legacy applications through the use of HTTP headers and Kerberos tokens, and offers URL-based authorization and more. Access Gateway allows you to seamlessly integrate your legacy web-based applications with Okta's cloud single sign-on (SSO), where a user signs in once and can access multiple applications without being prompted to sign in to each one.
Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign-in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones.

Capabilities

Access Gateway is an ideal solution for any Okta customer where:

  • Your enterprise wants to unify all IAM under an Okta platform, but requires integration with web applications that do not support federation (SAML, WS-Fed).

  • Your vendors, customers, or partners must access your internal business web applications (such as SharePoint, Oracle E-Business Suite, and others) from the internet.

  • You must restrict unauthorized network access to your web applications.

  • Your enterprise has web applications that lack a native authentication mechanism.

  • Your company is looking for a cost-effective replacement for your on-premises Web Access Management (WAM) solution.

Installing Access Gateway on your own virtualization platform, or on a cloud computing platform (such as AWS, Google Cloud, Azure, and others), is a simple process. Access Gateway is a high-performance appliance that is installed within your hosting solution of choice and leverages your DNS and networking to provide services.

Note: Access Gateway focuses on web (HTTP/HTTPS) based applications and does not support other protocols.

An Access Gateway deployment is typically composed of:

  • Okta Tenant, or Okta Org (1) - All implementations at Okta start with an Okta tenant. Your Okta tenant represents your real-world environment, including users, applications, and multi-factor authentication. Users sign in to their org and are presented with a list of administered application tiles that can be clicked to access their applications. Your Okta tenant manages users, groups, profile information, and other details. Your Okta tenant can act as your Universal Directory, can be linked to another directory, or can be a combination of both.
  • Virtualization Environment (2) - Okta Access Gateway is a virtual appliance and must be hosted in an appropriate virtualization environment. Access Gateway can be hosted directly on any computer that supports Oracle VirtualBox v5.0 or later. In addition, the Access Gateway virtual appliance can be installed in other supported environments. See Okta Access Gateway Supported Technologies for details.
  • Virtual Appliance (3) - Access Gateway is a 100% self-contained virtual appliance. The appliance is downloaded from your Okta org using the Settings > Downloads page and can then be deployed in any supported environment. Once deployed, Access Gateway can be easily managed using command line and GUI-based tools. In High Availability scenarios, Access Gateway is deployed as many times as required to meet reliability and throughput requirements.
  • Protected Applications (4) - The core purpose of Access Gateway is to protect application resources. These resources may be header-based applications, SAML applications, custom web applications, Kerberos-based applications, or others.
  • Policy - Access Gateway can protect applications using fine-grained application policy. Groups of users can be defined, and individual parts of an application can be protected using various policy statements.
Access Gateway Component overview
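The following is an added illustration, not Okta's own code, of the two mechanisms named above for a header-based protected application: the gateway authenticates the user, evaluates a URL-based policy for the part of the application being requested, and only then forwards the request with identity headers it sets itself. The header names (X-Remote-User, X-Remote-Groups), the policy rules, and the sessions are constructed for the example and are not Access Gateway's actual configuration.

```python
"""Model of a header-based reverse proxy with URL-based policy.

Constructed illustration (not Okta code). A legacy app that trusts
identity headers must only ever see headers the gateway itself set, so
the gateway (1) strips any identity headers the client sent, (2) applies
the URL policy, and (3) injects identity from its own session.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical header names; a real deployment defines its own mapping.
IDENTITY_HEADERS = ("X-Remote-User", "X-Remote-Groups")
_STRIPPED = {h.lower() for h in IDENTITY_HEADERS}  # HTTP headers are case-insensitive


@dataclass
class Session:
    """Identity the gateway established for the browser (e.g. via the Okta org)."""
    user: str
    groups: List[str]


@dataclass
class PolicyRule:
    """Protects one part of the application, selected by path prefix."""
    path_prefix: str
    allowed_groups: List[str]  # empty list: any authenticated user


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def match_rule(path: str, rules: List[PolicyRule]) -> Optional[PolicyRule]:
    """Longest-prefix match, so a rule for /admin/ wins over a rule for /."""
    best = None
    for rule in rules:
        if path.startswith(rule.path_prefix):
            if best is None or len(rule.path_prefix) > len(best.path_prefix):
                best = rule
    return best


def gateway(request: Request, session: Optional[Session],
            rules: List[PolicyRule]) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers forwarded to the backend).

    401: no authenticated session; 403: policy denies (including paths no
    rule covers, i.e. default deny); 200: request is forwarded.
    """
    # (1) Drop identity headers supplied by the untrusted client.
    forwarded = {k: v for k, v in request.headers.items()
                 if k.lower() not in _STRIPPED}
    if session is None:
        return 401, {}
    # (2) URL-based policy for this part of the application.
    rule = match_rule(request.path, rules)
    if rule is None:
        return 403, {}
    if rule.allowed_groups and not set(rule.allowed_groups) & set(session.groups):
        return 403, {}
    # (3) Identity reaches the backend only from the gateway's own session.
    forwarded["X-Remote-User"] = session.user
    forwarded["X-Remote-Groups"] = ",".join(session.groups)
    return 200, forwarded


# Constructed sample policy: everyone signed in may use the app,
# only app-admins may use anything under /admin/.
RULES = [PolicyRule("/", []), PolicyRule("/admin/", ["app-admins"])]

if __name__ == "__main__":
    alice = Session("alice", ["app-admins", "staff"])
    bob = Session("bob", ["staff"])
    print(gateway(Request("/", {"X-Remote-User": "alice"}), None, RULES))
    print(gateway(Request("/admin/users"), bob, RULES))
    print(gateway(Request("/admin/users", {"x-remote-user": "mallory"}), alice, RULES))
```

The design point for a defender is step (1): the stripping is only meaningful if the backend is reachable solely through the gateway (network restriction, as listed under Capabilities); an application that accepts identity headers from any source is not protected by the proxy in front of it.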


Access Gateway Administration

Access Gateway is administered using the following tools:

  • Admin UI Console - The Admin UI Console is the main tool for administering Access Gateway applications and identity. It can be used to initially configure an instance of the virtual appliance; administer the Access Gateway and Okta org integration; define, administer, monitor, and manage protected applications; and more.
  • Command Line Console - The command line console is used for more system-related tasks, such as configuring High Availability; managing the underlying networking; monitoring and logging; enabling and disabling the support network; and more.