Configure SharePoint as IIS IWA application
During this task we will create the required Microsoft IIS IWA application in Access Gateway.
- Sign in to the Access Gateway Admin UI console.
- Click the Applications tab.
- Click +Add to add a new application.
- Select Microsoft IIS IWA from the left column menu, and click Create.
Note
If the Microsoft IIS, OWA, or SharePoint IWA applications are disabled, ensure that there is a valid Kerberos service configured in settings.
- If required, expand the Essentials pane and enter:

  | Field | Value |
  | --- | --- |
  | Label | The name of the application, as shown in your Okta Tenant. For example: Microsoft IIS Application |
  | Public Domain | The externally facing URL of the application. For example: https://iis.idaasgateway.net |
  | Protected Web Resource | Fully qualified URL to the Microsoft backing application. |
  | Group | The group containing users who can access the application. |

- [Optional] Assign load balancers
  Important
  Okta recommends that, whenever possible, load balancers, and Access Gateway as a load balancer, be implemented.
  See About Access Gateway load balancing.
  - Expand the Protected Web Resources tab.
  - In the Protected Web Resource tab, enable load balancing.
    The Protected Web Resource tab then expands to include a table of hostnames and weights representing the target load balancing instances, initially empty.
  - Select a URL scheme. All added protected web resources will inherit this scheme. HTTP and HTTPS schemes are supported.
  - [Optional] Enable and specify Host Header value.
  - Repeat as required:
    - Click Add protected web resource.
      A new empty row will be added to the table.
    - Enter a fully qualified hostname:port combination.
      For example https://backendserver1.atko.com:7001.
    - Enter a weight between 1 and 100. Enter 0 to specify a disabled host.
      Weights represent the percentage of requests that will be routed to this host.
      For example, two hosts of weights 2:1 would result in requests being routed ~66% to the host weighted 2 and ~33% to the host weighted 1.
    - Click Okay to add the new host, or Cancel to cancel.

    Click edit to modify an existing host.
    Click delete to delete an existing host.
- Expand the Certificates tab.
  Note
  By default a wildcard self-signed certificate is created and assigned to the application when the application is initially created.
  - Optional. Click Generate self-signed certificate.
    A self-signed certificate is created and automatically assigned to the application.
  - Optional. Select an existing certificate from the list of provided certificates.
    Use the Search field to narrow the set of certificates by common name.
    Use the page forward (>) and backward (<) arrows to navigate through the list of available certificates.
- Click Next.
- In the Application pane, enter:

  | Field | Value |
  | --- | --- |
  | Kerberos Realm | Enter the name of the associated realm |

- Click Next.
- In the Attributes pane:
  - Click Add attribute to add an attribute that corresponds to sAMAccountName.
  - Verify the following:

    | Field | Value |
    | --- | --- |
    | Data Source | IDP |
    | Field | IDP attribute that correlates with the user's sAMAccountName |
    | Type | Header |
    | Name | iwa_username |

  - Click Save.
- Click Done.

Important
While optional, Okta recommends that all applications include certificates.
See About Access Gateway certificate use for general information about certificates.
See Certificate management tasks for a general task flow for obtaining and assigning certificates.
The application is added and the Application list page is displayed.