Access Gateway introduction
Okta Access Gateway is a reverse proxy-based virtual application, designed to secure web applications that don't natively support SAML or OIDC. Access Gateway integrates with legacy applications using HTTP headers and Kerberos tokens, and offers URL-based authorization and more. You can use Access Gateway to seamlessly integrate your legacy web-based applications with Okta’s Cloud Single Sign-On (SSO) and Adaptive Multi-Factor Authentication (MFA) services. Because Access Gateway sits behind the firewall, it lets external users access on-premises web-based applications without the need for traditional VPNs. When configured properly, all browser traffic flows first to Access Gateway and then to the back-end protected application. This allows Access Gateway to inspect every request a user makes, perform authorization, and add the appropriate headers and tokens to the request before it reaches the application.
Access Gateway is an ideal solution for any Okta customer where:
- Your enterprise wants to unify all Identity and Access Management under an Okta platform, but requires integration with web applications that don't support federation protocols such as SAML and WS-Fed.
- Your vendors, customers, or partners must access your internal business web applications (for example, SharePoint, Oracle E-Business Suite, and so on) from the internet.
- You must restrict unauthorized network access to your web applications.
- Your enterprise has web applications that lack built-in authentication mechanisms.
- Your company is looking for a cost-effective replacement for your on-premises Web Access Management (WAM) solution.
Access Gateway is a high-performance appliance that's easy to install on a virtualization platform or a cloud-based computing platform (for example, AWS). Access Gateway uses your DNS and networking to provide services.
Access Gateway focuses on web-based (HTTP/HTTPS) applications and doesn't support other protocols.
About Access Gateway deployment
An Access Gateway deployment is typically composed of:
- Okta tenant or Okta org (1): All implementations at Okta start with an Okta tenant. Your Okta tenant represents your real-world application, including users, applications, and multifactor authentication. Users sign in to their org and are presented with a list of administered application tiles, which they can use to access their applications. Your Okta tenant manages users, groups, profile information, and other details. Your Okta tenant can be your Universal Directory, it can be linked to another universal directory, or it can be a combination of both.
- Virtualized environment (2): Access Gateway is a virtual appliance and must be hosted in an appropriate virtualized environment. You can host Access Gateway directly on any computer that supports Oracle VirtualBox v5.0 or later. You can also install it in other supported environments. See Okta Access Gateway Supported Technologies.
- Virtual appliance (3): Access Gateway is a 100% self-contained virtual appliance. You can download Access Gateway from your Okta org's Admin Console by navigating to and then deploy it in a supported environment. After deployment, you can manage it using command-line and GUI-based tools. In high availability scenarios, you can deploy Access Gateway as many times as needed to meet reliability and throughput requirements.
- Protected applications (4): Access Gateway protects application resources. These resources may be applications based on header, SAML, custom Web, Kerberos, or other web applications.
- Policy: Access Gateway can protect applications using fine-grained application policy. You can define user groups and protect individual parts of an application (for example, specific URL paths) by configuring the relevant policy statements.
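To make the request flow and the policy component concrete, the following is an added toy model of the reverse-proxy decision described above: match the requested path against URL-based policy, require an authenticated Okta session, check group membership, and only then forward to the back-end with identity headers injected. This is illustrative example code, not Access Gateway's implementation or configuration; the header names (`X-Remote-User` and friends), the rule format, and the sample users and paths are constructed for this example. It also shows the check a reverse proxy must make that the text only implies: identity headers supplied by the client are stripped before the proxy adds its own, so the legacy application only ever sees values the proxy set.

```python
"""Toy model of a header-injecting reverse proxy with URL-based policy.

Constructed example; not Okta Access Gateway code. Header names, rule
format and sample data are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Identity headers the proxy sets for the legacy back-end.
# Assumed names for this example, not Access Gateway's real header names.
IDENTITY_HEADERS = ("X-Remote-User", "X-Remote-Groups", "X-Remote-Email")
_IDENTITY_LOWER = {h.lower() for h in IDENTITY_HEADERS}


@dataclass
class PolicyRule:
    """Protects every path under path_prefix.

    An empty allowed_groups means any authenticated user may pass.
    """
    path_prefix: str
    allowed_groups: List[str] = field(default_factory=list)


@dataclass
class Session:
    """What the proxy knows about the user after Okta SSO/MFA (constructed)."""
    username: str
    email: str
    groups: List[str]


# Constructed sample policy: everything needs a login, /admin needs "admins".
EXAMPLE_RULES = [
    PolicyRule("/"),
    PolicyRule("/admin", allowed_groups=["admins"]),
]


def match_rule(path: str, rules: List[PolicyRule]) -> Optional[PolicyRule]:
    """Longest-prefix match, so the /admin rule wins over the / rule."""
    candidates = [r for r in rules if path.startswith(r.path_prefix)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(r.path_prefix))


def authorize_and_build(
    path: str,
    client_headers: Dict[str, str],
    session: Optional[Session],
    rules: List[PolicyRule],
) -> Tuple[int, Dict[str, str]]:
    """Decide on one request and build the headers sent upstream.

    Returns (status, upstream_headers):
      401 -> no session; the real proxy would redirect to Okta to sign in
      403 -> no matching rule (deny by default) or user not in an allowed group
      200 -> forward to the back-end with identity headers injected
    """
    rule = match_rule(path, rules)
    if rule is None:
        return 403, {}
    if session is None:
        return 401, {}
    if rule.allowed_groups and not set(rule.allowed_groups) & set(session.groups):
        return 403, {}

    # HTTP header names are case-insensitive, so compare lower-cased: a
    # client-supplied "x-remote-user" must be dropped just like "X-Remote-User".
    upstream = {k: v for k, v in client_headers.items() if k.lower() not in _IDENTITY_LOWER}
    upstream["X-Remote-User"] = session.username
    upstream["X-Remote-Groups"] = ",".join(session.groups)
    upstream["X-Remote-Email"] = session.email
    return 200, upstream


if __name__ == "__main__":
    alice = Session("alice", "alice@example.com", ["staff"])
    for path, sess in (("/reports", None), ("/reports", alice), ("/admin/users", alice)):
        status, headers = authorize_and_build(path, {"Accept": "*/*"}, sess, EXAMPLE_RULES)
        print(path, "->", status, headers)
```

The deny-by-default branch for unmatched paths and the lower-cased header comparison are the two details worth copying into any real proxy configuration review: a path with no policy should not silently pass through, and the back-end should be unable to distinguish a client-forged identity header from a legitimate one only because the proxy always overwrites it.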
Access Gateway administration tools
The following Access Gateway administration tools are available:
Admin UI Console
The Access Gateway Admin UI console is the main tool used to administer Access Gateway applications and identity. You can use the Access Gateway Admin UI console to:
Command Line Console
Use the Access Gateway Management console for more system-related tasks, such as: