Install and configure the Okta IWA Web App for Desktop SSO

Okta IWA is a lightweight Internet Information Services (IIS) web app that enables Desktop SSO on the Okta service. Desktop SSO allows users to be authenticated automatically by Okta, and by any apps accessed through Okta, whenever they sign in to your Windows network. Okta's IWA Web App uses Microsoft's Integrated Windows Authentication (IWA) and ASP.NET to authenticate users whose requests arrive from the gateway IP addresses you specify.

Okta strongly recommends that you configure the on-premises agent to use Secure Sockets Layer (SSL), that is, to serve the IWA web app over HTTPS. This protects the authentication exchange in transit, and it is also a hard requirement for some applications to authenticate successfully, in particular Windows 10 Universal Applications such as OneNote and Mail.

Note: The latest builds of Office 2016 and Windows 10 use the Web Account Manager (WAM) for sign-in workflows (see this Microsoft article). WAM requires HTTPS and blocks non-HTTPS traffic during authentication workflows. Refer to Configure SSL for details about how to configure IWA for this use case.

Troubleshooting

If Desktop SSO/IWA is not working, check the following:

  • The host name of the IWA server must be resolvable from within the client network.
  • IWA must be enabled in both the IIS authentication configuration for the IWA web app and in the client (the browser must be allowed to send Windows credentials to the IWA host).
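The checks above, plus the HTTPS requirement from the note at the top of this page, as an added PowerShell checklist. This script is an added example and is not part of Okta's IWA installer or documentation. It assumes the IWA web app is installed as the IWA application under Default Web Site and is published as https://iwa.example.com (both are assumed names; adjust the parameters); run the server section on the IIS host as an administrator and the client section on a domain-joined workstation as the signed-in user.

```powershell
# Added example, not Okta's own tooling. Assumed names: host iwa.example.com,
# IIS site 'Default Web Site', IIS application 'IWA'. Server checks need the
# WebAdministration module (present when the IIS management tools are installed).
param(
    [string]$IwaHostName = 'iwa.example.com',    # assumed host name of the IWA server
    [string]$SiteName    = 'Default Web Site',   # assumed IIS site
    [string]$AppName     = 'IWA'                 # assumed IIS application name
)

function Write-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $state = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ('[{0}] {1}: {2}' -f $state, $Name, $Detail)
}

# 1. The host name must resolve from inside the client network.
try {
    $addr = (Resolve-DnsName -Name $IwaHostName -ErrorAction Stop |
             Where-Object { $_.Type -in 'A', 'AAAA' } | Select-Object -First 1).IPAddress
    Write-Check 'DNS resolution' ($null -ne $addr) "$IwaHostName -> $addr"
} catch {
    Write-Check 'DNS resolution' $false $_.Exception.Message
}

# 2. WAM-based clients (Office 2016, Windows 10 apps) refuse non-HTTPS
#    authentication, so tcp/443 on the IWA host must be reachable.
$tcp = Test-NetConnection -ComputerName $IwaHostName -Port 443 -WarningAction SilentlyContinue
Write-Check 'HTTPS reachable' $tcp.TcpTestSucceeded "tcp/443 open: $($tcp.TcpTestSucceeded)"

# --- Server side: run on the IIS host ---
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $appPath  = "IIS:\Sites\$SiteName\$AppName"
    $authBase = 'system.webServer/security/authentication'

    # Windows Authentication must be on and Anonymous off for the IWA app;
    # with Anonymous enabled IIS never sends the Negotiate/NTLM challenge.
    $winAuth  = (Get-WebConfigurationProperty -PSPath $appPath -Filter "$authBase/windowsAuthentication"   -Name enabled).Value
    $anonAuth = (Get-WebConfigurationProperty -PSPath $appPath -Filter "$authBase/anonymousAuthentication" -Name enabled).Value
    Write-Check 'IIS Windows Authentication enabled' ($winAuth -eq $true)   "enabled=$winAuth"
    Write-Check 'IIS Anonymous Authentication off'   ($anonAuth -eq $false) "enabled=$anonAuth"

    # Negotiate should be listed so Kerberos is attempted before NTLM fallback.
    $providers = (Get-WebConfigurationProperty -PSPath $appPath -Filter "$authBase/windowsAuthentication/providers" -Name collection).value
    Write-Check 'Negotiate provider listed' ($providers -contains 'Negotiate') ('providers: ' + ($providers -join ', '))

    # The site needs an https binding, not only http (see Configure SSL).
    $https = Get-WebBinding -Name $SiteName -Protocol https
    Write-Check 'IIS https binding present' ($null -ne $https) ('bindings: ' + (($https | ForEach-Object { $_.bindingInformation }) -join '; '))
} else {
    Write-Host 'WebAdministration module not found; skipping IIS checks (run this section on the IIS host).'
}

# --- Client side: run on the workstation as the signed-in user ---
# Group Policy can override these under ...\Policies\Microsoft\Windows\CurrentVersion\Internet Settings;
# only the per-user keys are inspected here.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# "Enable Integrated Windows Authentication" (Internet Options > Advanced).
$negotiate = (Get-ItemProperty -Path $inet -Name EnableNegotiate -ErrorAction SilentlyContinue).EnableNegotiate
Write-Check 'Client IWA enabled (EnableNegotiate)' ($negotiate -eq 1) "EnableNegotiate=$negotiate"

# The IWA host must sit in the Local intranet zone (zone 1). The mapping is
# stored either as Domains\<host> or as Domains\<parent domain>\<leftmost label>.
$labels   = $IwaHostName.Split('.')
$parent   = ($labels | Select-Object -Skip 1) -join '.'
$zoneKeys = @("$inet\ZoneMap\Domains\$IwaHostName", "$inet\ZoneMap\Domains\$parent\$($labels[0])")
$zone = $null
foreach ($k in $zoneKeys) {
    $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).https
    if ($null -ne $v) { $zone = $v; break }
}
Write-Check 'Host mapped to Local intranet zone' ($zone -eq 1) "ZoneMap https=$zone"

# Logon policy for zone 1 (value 1A00): 0 = automatic logon with current
# credentials, 0x20000 = automatic logon only in the intranet zone (default);
# 0x10000 (prompt) or 0x30000 (anonymous) break silent Desktop SSO.
$logon = (Get-ItemProperty -Path "$inet\Zones\1" -Name 1A00 -ErrorAction SilentlyContinue).'1A00'
$logonOk = ($null -eq $logon) -or ($logon -in 0, 0x20000)
Write-Check 'Intranet zone automatic logon' $logonOk ('1A00=' + $(if ($null -eq $logon) { 'not set (default)' } else { '0x{0:X}' -f [int]$logon }))
```

A FAIL on the DNS or HTTPS lines points at the network or the SSL configuration; a FAIL on the IIS lines means the server never issues a Negotiate challenge; a FAIL on the client lines means the browser received the challenge but would not answer it with the user's Windows credentials.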