Okta Access Gateway is a reverse-proxy-based virtual appliance designed to secure web applications that don't natively support SAML or OIDC. Access Gateway integrates with legacy applications using HTTP headers and Kerberos tokens, and offers URL-based authorization and more. You can use Access Gateway to integrate your legacy web-based applications with Okta’s cloud Single Sign-On (SSO) and Adaptive Multi-Factor Authentication (MFA) services. And because Access Gateway is deployed behind the firewall, it lets external users reach on-premises web applications without a traditional VPN. Once deployed and configured, all browser traffic flows first to Access Gateway and only then to the protected back-end application. Because it sits in that path, Access Gateway can inspect every request a user makes, enforce authorization, and add the appropriate headers and tokens to the request before it is forwarded.

Access Gateway is an ideal solution for any Okta customer where:

  • Your enterprise wants to unify all Identity and Access Management under the Okta platform, but requires integration with web applications that don't support federation protocols such as SAML and WS-Fed.
  • Your vendors, customers, or partners must access your internal business web applications, such as SharePoint, Oracle E-Business Suite, and others, from the internet.
  • You must restrict unauthorized network access to your web applications.
  • Your enterprise has web applications that lack a native authentication mechanism.
  • Your company is looking for a cost-effective replacement for your on-premises Web Access Management (WAM) solution.

Access Gateway is easy to install, whether you are installing into your own virtualization platform or into a cloud computing platform such as AWS, Azure, Oracle Cloud Infrastructure, or others. Access Gateway is a high-performance appliance that is installed within your hosting solution of choice and relies on your DNS and networking to provide its services.

Access Gateway focuses on Web (HTTP/HTTPS) based applications and doesn't support other protocols.

About Access Gateway deployment

An Access Gateway deployment is typically composed of:

  • Okta tenant or Okta org (1):
    All Okta implementations start with an Okta tenant. Your Okta tenant represents your real-world environment, including your users, your applications, and your multifactor authentication configuration. Users sign in to the org and are presented with a list of assigned application tiles, which they use to access their applications. Your Okta tenant manages users, groups, profile information, and other details. It can act as your Universal Directory, it can be linked to another directory, or it can be a combination of the two.
  • Virtualization environment (2):
    Access Gateway is a virtual appliance and must be hosted in an appropriate virtualization environment. You can host Access Gateway directly on any computer that supports Oracle VirtualBox v5.0 or later, or install it in one of the other supported environments. See Okta Access Gateway Supported Technologies.
  • Virtual appliance (3):
    Access Gateway is a fully self-contained virtual appliance. You can download it from Okta org > Settings > Downloads and deploy it in a supported environment. After deployment, you manage it using command-line and GUI-based tools. In high availability scenarios, you can deploy as many Access Gateway instances as needed to meet your reliability and throughput requirements.
  • Protected applications (4):
    Access Gateway protects application resources. These may be header-based, SAML, Kerberos, custom web, or other web applications.
  • Policy:
    Access Gateway can protect applications using fine-grained application policy. You can define user groups and protect individual parts of an application (for example, specific URL paths) by configuring the relevant policy statements.
Access Gateway Component overview
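The following Python is an added illustration of the reverse-proxy pattern described above (authenticate at the gateway, evaluate a per-URL policy, then inject identity headers for a header-based back end). It is not Okta's code or configuration; the session store, header names, policy rules and paths are all constructed for the example. It also shows the check a practitioner should expect from any header-based SSO proxy: identity headers arriving from the browser side must be dropped before the gateway adds its own, otherwise a user can impersonate another simply by setting the header.

```python
"""Offline model of a header-injecting reverse proxy with URL-based policy.
Added example, not Okta Access Gateway code. All data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the gateway's Okta-backed session store.
SESSIONS: Dict[str, Dict[str, object]] = {
    "sess-alice": {"login": "alice@example.com", "groups": ["Employees", "HR"]},
    "sess-bob":   {"login": "bob@example.com",   "groups": ["Employees"]},
}

# Identity headers the gateway sets for the back end (hypothetical names).
IDENTITY_HEADERS = ("X-Remote-User", "X-Remote-Groups")


def _canon(name: str) -> str:
    # HTTP header names are case-insensitive, and many CGI-style back ends map
    # both "X-Remote-User" and "X_Remote_User" to HTTP_X_REMOTE_USER, so strip
    # on the normalized form rather than on an exact string match.
    return name.lower().replace("_", "-")


_PROTECTED = {_canon(h) for h in IDENTITY_HEADERS}


@dataclass
class PolicyRule:
    prefix: str                          # URL path prefix this rule covers
    allowed_groups: Optional[List[str]]  # None = any authenticated user
    anonymous: bool = False              # True = no login required


# Constructed policy: the longest matching prefix wins, so "/hr/" is
# evaluated before the catch-all "/".
POLICY = [
    PolicyRule("/health", None, anonymous=True),
    PolicyRule("/hr/", ["HR"]),
    PolicyRule("/", None),
]


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Result:
    status: int  # 200 = forwarded, 401 = login required, 403 = denied
    upstream_headers: Dict[str, str] = field(default_factory=dict)


def match_rule(path: str) -> PolicyRule:
    candidates = [r for r in POLICY if path.startswith(r.prefix)]
    return max(candidates, key=lambda r: len(r.prefix))


def gateway(req: Request) -> Result:
    # 1. Never forward identity headers supplied by the client.
    clean = {k: v for k, v in req.headers.items() if _canon(k) not in _PROTECTED}
    rule = match_rule(req.path)
    if rule.anonymous:
        return Result(200, clean)
    # 2. Resolve the gateway session; unknown or missing -> send to login.
    session = SESSIONS.get(req.cookies.get("oag_session", ""))
    if session is None:
        return Result(401)
    # 3. Authorize against the group requirement of the matched rule.
    groups = list(session["groups"])
    if rule.allowed_groups and not set(rule.allowed_groups) & set(groups):
        return Result(403)
    # 4. Only now add the identity headers the back end trusts.
    clean["X-Remote-User"] = str(session["login"])
    clean["X-Remote-Groups"] = ",".join(groups)
    return Result(200, clean)


if __name__ == "__main__":
    spoof = Request("/portal", headers={"X_Remote_User": "alice@example.com"},
                    cookies={"oag_session": "sess-bob"})
    print(gateway(spoof))  # forwarded as bob, spoofed header discarded
```

The stripping step is what makes the back end's trust in the header safe, but only if the back end is reachable exclusively through the gateway; a back end that is also reachable directly on the network will accept a forged header from anyone who can connect to it.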

Access Gateway administration

Access Gateway is administered using the following tools:

Admin UI Console

The Access Gateway Admin UI console is the main tool for administering Access Gateway applications and identity. You can use the Access Gateway Admin UI console to:

  • Initially configure an instance of the virtual appliance
  • Administer Access Gateway and Okta organization integration
  • Define, administer, monitor and manage protected applications
Command Line Console

The Access Gateway Management console, a command-line console, is used for system-related tasks such as:

  • Configuring high availability
  • Managing underlying networking
  • Monitoring and logging
  • Enabling and disabling the support network