Configure SharePoint as IIS IWA application

1. Sign in to the Access Gateway Admin UI console.

2. Click the Applications tab.

3. Click +Add to add a new application.

4. Select Microsoft IIS IWA from the left column menu, and click Create.
   

   If the Microsoft IIS, OWA, or Sharepoint IWA applications are disabled, ensure that there is a valid Kerberos service configured in settings.

5. If required, expand the Essentials pane and enter:
   

   Field	Value
   Label	The name of the application, as shown in your Okta Tenant. For example:Microsoft IIS Application
   Public Domain	The externally facing URL of the application. For example: https://iis.idaasgateway.net
   Protected Web Resource	Fully qualified URL to the Microsoft backing application.
   Group	The group containing users who can access the application.

6. [Optional] Assign load balancers

   Okta recommends that whenever possible load balancers and Access Gateway as a load balancer be implemented.
   See About Access Gateway load balancing.

   1. Expand the Protected Web Resource tab.
   2. Enable Load Balancing By Access Gateway.

      The Protected Web Resource tab expands to include a table of hostnames and weights that represent the target load balancing instances. This table is initially empty.

   3. Select a URL scheme. All added protected web resources will inherit this scheme. HTTP and HTTPS schemes are supported.
   4. Optional. Enable and specify Host Header value.
   5. Repeat as required:
      1. Click Add protected web resource. An empty row is added to the table.
      2. Enter a fully qualified hostname:port combination. For example, https://backendserver1.atko.com:7001.
      3. Enter a weight between 1 and 100. Enter 0 to specify a disabled host.

         Weights represent the percentage of requests that will be routed to this host.

         For example, two hosts of weights 2:1 would result in requests being routed ~66% to the host weighted 2 and ~33% to the host weighted 1.

      4. Click Okay to add the new host.
   6. For existing hosts in the table, you can:
      • Click edit () to modify an existing host.
      • Click delete() to delete an existing host.

While optional, Okta recommends that all applications include certificates.

See About Access Gateway certificate use for general information about certificate, or Certificate management tasks for a general task flow for obtaining and assigning certificates.

7. Expand the Certificates tab.
   

   By default, a wildcard self-signed certificate is created and assigned to the application when the application is initially created.

8. Optional. Click Generate self-signed certificate. A self-signed certificate is created and automatically assigned to the application.
   
   
9. Optional. Select an existing certificate from the list of provided certificates.

   Use the Search field to narrow the set of certificates by common name. Use the page forward (>) and backward (<) arrows to navigate through the list of available certificates.

   
10. Click Next
11. In the Application pane, enter:
    

    Field	Value
    Kerberos Realm	Enter the name of the associated realm

12. Click Next.
13. In the Attributes pane:

    1. Click Add attribute to add an attribute what corresponds to sAMAccountName.

    2. Verify he following:
       

       Field	Value
       Data Source	IDP
       Field	IDP attribute that correlates with the users sAMAccountName
       Type	Header
       name	iwa_username

    3. Click Save.
       
14. Click Done.

The application is added and the Application list page is displayed.

Next steps

Configure SharePoint to work with a reverse proxy