Define a network zone for IWA
When evaluating Integrated Windows Authentication (IWA) sign-ins, Okta checks that the sign-in originates from one of the configured zones. When an IWA agent is configured, the IP address of the client is added to the LegacyIPZone. The LegacyIPZone is the only zone configured by default. You can define up to 20 dynamic zones in IWA Network Zones.
The LegacyIPZone can't be deleted.
Before you begin
Ensure that the IWA Web agent is installed and configured. See Install the Okta IWA Web agent.
Configure a LegacyIPZone routing rule
- In the Admin Console, go to Security > Identity Providers > Routing Rules.
- Click Add Routing Rule.
- Complete these fields:
  - Rule Name: Enter a descriptive name for the rule.
  - User's IP is: Select In zone to apply the rule to a specific zone. In the zones field, type "l" (lower-case "L") and then select LegacyIpZone.
  - User's device platform is: Select Any device to apply the rule to users with any device type. To apply the rule only to users with specific devices, select Any of these devices and then select those devices.
  - User is accessing: Select Any application to apply the rule when a user accesses any application. To apply the rule only when a user accesses specific applications, select Any of the following applications and enter an application name.
  - Use this identity provider: Select Okta.
Define the network zone
- In the Admin Console, go to Security > Networks.
- Click Add Zone and select Add IP Zone.
- Enter the name of the network zone that you created in the Configure a LegacyIPZone routing rule procedure.
- Enter the Gateway IP addresses and Proxy IP addresses. Separate IPs and IP ranges with a newline or a comma. Single IPs, IP ranges, or CIDR notation can be added.
- Click Save.
Whenever you edit a network zone, you need to wait approximately 60 seconds for the change to propagate across all servers and take effect.
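As an added example (not Okta's code), the following Python script parses entries in the format the Gateway IP addresses and Proxy IP addresses fields accept, newline- or comma-separated single IPs, CIDR blocks and IP ranges, and checks whether a given client IP would fall inside the resulting zone before you save it and wait for propagation. The dash-separated range syntax, the sample addresses and the function names are assumptions of this example.

```python
import ipaddress

# Constructed sample of entries as they might be pasted into the
# Gateway IP addresses field: newline- or comma-separated, mixing a
# single IP, a CIDR block and a dash-separated range (the dash syntax
# is an assumption of this example; the addresses are documentation
# ranges, not real gateways).
SAMPLE_ZONE_ENTRIES = """203.0.113.10
198.51.100.0/24, 192.0.2.40-192.0.2.45
"""


def parse_zone_entries(text):
    """Expand every entry into ipaddress network objects.

    Raises ValueError on a malformed entry so a typo is caught before
    the zone is saved and the 60-second propagation wait begins.
    """
    networks = []
    for raw in text.replace(",", "\n").splitlines():
        entry = raw.strip()
        if not entry:
            continue
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip())
                          for p in entry.split("-", 1))
            if end < start:
                raise ValueError(f"range end precedes start: {entry}")
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:
            # strict=False tolerates host bits set in a CIDR entry
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def client_in_zone(client_ip, networks):
    """True if the client IP falls inside any network of the zone."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


def zone_size(networks):
    """Total addresses the zone admits: a sanity check that a mistyped
    prefix length has not opened the routing rule far wider than intended."""
    return sum(net.num_addresses for net in networks)


if __name__ == "__main__":
    nets = parse_zone_entries(SAMPLE_ZONE_ENTRIES)
    print(f"{len(nets)} networks, {zone_size(nets)} addresses")
    for probe in ("203.0.113.10", "192.0.2.46"):
        print(probe, "in zone:", client_in_zone(probe, nets))
```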