Disable Okta IWA Web agent authentication for specific clients

By default, the IWA Web agent attempts IWA SSO for all clients that try to access Okta-protected apps. You can change the default by creating an IIS rewrite rule that automatically redirects specified clients to the Okta Sign-In page without attempting IWA SSO. Your rule uses pattern matching to detect non-IWA SSO-capable clients and then performs the configured action.

For more about this functionality, as well as other ways to improve security and usability for your end-users, see Tips and Tricks with Okta's Desktop SSO (DSSO) Agent. You may be prompted to sign in to the Okta Support site to view content.

This procedure requires Okta IWA Web agent version 1.9.1 or higher.

  1. Download the Microsoft URL Rewrite 2.0 module from http://www.iis.net/downloads/microsoft/url-rewrite.
  2. Install the rewrite module on the same server that hosts your IWA Web agent.
  3. Open Internet Information Services (IIS) Manager on the same server that hosts your IWA Web agent.
  4. Under Connections (on the left side), expand Sites > Default Web Site and select IWA.


  5. Double-click the URL Rewrite icon in the center pane.
  6. See Microsoft documentation for detailed instructions on creating rules for the URL Rewrite Module. You can also refer to the example URL rewrite rules that are provided in the web.config file (C:\inetpub\wwwroot\IWA\web.config).

    You can configure these rules:

  • To attempt IWA authentication for specified clients, configure this action:

    <action type="Rewrite" url="iwa.aspx?action=iwa" />

  • To skip IWA authentication for specified clients and redirect users to the Okta Sign-In page, configure this action:

    <action type="Rewrite" url="iwa.aspx?action=okta" />
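    The following is an added example of a complete rule, not one of the rules shipped in the IWA web.config, showing how the `action=okta` action is combined with a client-matching condition: it skips IWA and sends matching clients straight to the Okta Sign-In page. The `^iwa\.aspx$` match and the `ExampleNonIwaClient` User-Agent pattern are assumed placeholders that must be replaced with the request path and client signature used in your environment.

```xml
<!-- Added example rule for C:\inetpub\wwwroot\IWA\web.config (not the file's own shipped rules). -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Assumption: the IWA agent endpoint is requested as iwa.aspx; adjust the match to your deployment. -->
        <rule name="Skip IWA for non-IWA-capable clients" stopProcessing="true">
          <match url="^iwa\.aspx$" ignoreCase="true" />
          <conditions logicalGrouping="MatchAll">
            <!-- Placeholder pattern: replace with a pattern that identifies the client that cannot complete IWA SSO. -->
            <add input="{HTTP_USER_AGENT}" pattern="ExampleNonIwaClient" ignoreCase="true" />
            <!-- Do not re-match a request that already carries an action parameter. -->
            <add input="{QUERY_STRING}" pattern="action=" negate="true" />
          </conditions>
          <!-- Matching clients go to the Okta Sign-In page without an IWA attempt. -->
          <action type="Rewrite" url="iwa.aspx?action=okta" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The `{QUERY_STRING}` guard keeps the rule from matching the rewritten request a second time; clients that do not match the condition keep the default behaviour, so IWA SSO is still attempted for them.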

  7. Under Actions (on the right side), click Apply.
  8. Restart Internet Information Services (IIS) Manager.