The VPN Notification feature alerts end usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using chiclets to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. when a VPN connection is required to connect to an appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in.. These notifications are customizable and are disabled by default.
Note: The VPN notification does not appear if the end user has selected the Auto-launch option in the app chiclet General settings. Screenshot
To access the VPN Notification feature, do the following:
- From the Administrative Dashboard, click the Applications drop-down menu.
- From the Applications page, scroll down to the VPN-required app, and click the appropriate app to view the app page.
- Go to the General tab.
- Scroll down to the VPN Notification section.
- Click Edit.
From here, you can specify your VPN accessibility requirements, create a custom message, and optionally include a URL that can point to detailed VPN instructions.
VPN Required NotificationThe drop-down menu allows you to specify when to display a VPN notification for VPN-required apps.
- Disabled – The default state. Retain this setting for apps that do not require a VPN connection.
- Inside Any Zones – Displays VPN connection information only when a browser's clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. IP matches the configured Zones. The notification appears before the end-user can access the app.
- Outside Any Zones – Displays VPN connection information only when the browser's client IP does not match the configured Zones. The notification appears before the end-user can access the app.
- Anywhere – Displays VPN connection information regardless of the browser's client IP. The notification appears before the end-user can access the app.
MessageUse this field to write a custom message to your end users such as Have you signed into the VPN?.
Optional Help URLUse this optional field to provide a Help page URL to assist your end users in signing into your company VPN. If you are using Juniper IVE as the VPN, this is where you can insert an embed link for the Juniper IVE SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IDP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on a chiclet, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. app.
Using an Outsize Any Zones Option with Split-Tunneling VPNsSplit-tunnel VPNs are configured to direct traffic through the VPN for specific app URLs only. Browsing to a public site like Okta.com would not go through the VPN. This means that the client IP, as seen by Okta, does not change when the user has started the VPN.
To correctly use this option, make sure the split-tunnel VPN is configured to direct traffic to Okta.com through the VPN. To do this, add some specific Okta IP addresses (see Configuring Firewall Whitelisting) to the split-tunnel VPNs configuration.