Workforce heterogeneous application reference architecture

Many workforce customers run a number of applications inside the corporate network for their employees. These applications have been deployed over many years or even decades and can consist of in-house applications written in various languages and platforms as well as third-party Commercial Off The Shelf (COTS) solutions. There may even be an existing Web Access Management solution securing some or all of these applications. Applications may be capable of looking for HTTP headers, Windows Kerberos tokens, or SAML / OAuth tokens to identify the user. Applications may be deployed into HA clusters inside multiple data centers using active/active, active/passive (standby), or active/DR availability models.
Users may be stored in the corporate Active Directory, or in a separate LDAP Directory or database, or both. Users may be accessing the applications from a network located physically on the corporate network, virtually on the corporate network via a VPN connection, or over the internet.


To deploy Access Gateway to secure applications in the environment described above, it is best to begin with a base architecture and then add specific features as needed. This approach allows an organization to move forward in an agile fashion without becoming overly bogged down in requirements analysis.

Key steps in determining an overall architecture include:

  • Identify which applications should be accessible through Access Gateway from the internet and which should require the user have access to the internal network. Typically this starts as a subset of applications, and expands over time.
  • Identify how applications are to be integrated with Okta and Access Gateway. Typical integrations include:
  • Identify how many users will access the applications and how often. This will help determine how many instances of Access Gateway are required, what number of load balancers are necessary and generally how the architecture components will be distributed.

Access Gateway workforce architectures

Access Gateway workforce installations can be deployed in any number of possible combinations. Common architectures are:

  • Single Access Gateway server architecture: The simplest of all architectures, the single Access Gateway server architecture is typical in development and test scenarios.
  • Internal-only single data center architecture: The internal-only single data center cluster expands on the single server architecture and introduces an Access Gateway cluster to extend capacity and provide fault tolerance, but for internal-use-only applications.
  • External only single data center architecture: The external single data center cluster expands on the single server architecture and introduces an Access Gateway cluster to extend capacity and provide fault tolerance.
  • Multiple data center architecture: The multi-data center Access Gateway architecture expands on both the single internal and external architectures, but in a multiple data center environment with fault tolerance at both the Access Gateway and environment levels.
  • Comprehensive architecture: A comprehensive architecture showing all applications, but only as a single data center.

Architecture functional area breakdown

Architectures are broken down into the following functional areas:

  • External internet: The external internet represents clients that access applications, and also includes your Okta Org.
  • DMZ: The DMZ houses an Access Gateway cluster, and associated components, to allow access to applications from the external internet.
  • Internal: The internal network houses the applications being protected by Access Gateway as well as other components required to make these applications widely available.

Related topics

Common Access Gateway flows

DNS use

High availability

About Access Gateway prerequisites