Okta’s authentication policies can be used to restrict access to any third-party apps that use Okta as the Identity Provider. For example, if your users log in to Zoom with their Okta credentials, you can restrict access to Zoom using Okta’s app sign-on policies. Access for SAML apps is evaluated on sign-in. With Okta Identity Engine, you can enforce session termination when there are changes to the user’s IP address using Okta’s Identity Threat Protection continuous monitoring feature.
Version Requirements
The ability to restrict access to applications by IP address is available in both versions of Okta. Okta Identity Engine has authentication policies, which can be applied to multiple apps. Okta Classic Engine has app sign-on policies, which must be created for each individual app.
Okta Resources
- Okta Identity Engine
- Okta Classic Engine
Approach
Okta Identity Engine
1. Create a network zone in Okta for your PCG IP addresses (instructions here).
2. Create an authentication policy (instructions here).
3. Configure a policy rule for the policy you created in step 2 that allows Venn users to access apps if they are connecting from a PCG IP address (instructions here).
   - Add one or more “IF” conditions that identify the users or group you want the policy to apply to.
   - Add an “IF” condition for User’s IP that includes the network zone you created in step 1.
   - Add a “THEN” condition that allows access after successful authentication.
4. Add the user authentication policy to each app you want to restrict access to (instructions here).
Okta Classic Engine
1. Create a network zone in Okta for your PCG IP addresses (instructions here).
2. For each app you want to restrict access to, create an app sign-on policy and configure an app sign-on policy rule that allows Venn users to access it if they are connecting from a PCG IP address (instructions here).
   - Select the users or group you want the policy to apply to.
   - Set the location to “In Zone” and specify the network zone you created in step 1.
   - Set Access to Allowed.
Warnings
- Do not add the authentication policy to key admin tools like the Okta Admin Console and Apple Business Manager, in order to avoid locking out administrators.
- Do not add the authentication policy to the custom Venn app that you created in the Admin Console in order to avoid blocking users from being able to log in to Venn’s Workplace app.
- If you are not using Venn’s MDM solution:
  - Okta Identity Engine: Only apply this restriction to devices that users will be using Venn on (Windows and/or Mac), not iOS or Android devices. You can add a Device platform “IF” condition when creating your authentication policy.
  - Okta Classic Engine: Consider whether or not users will need to access the application on their mobile devices before adding a sign-on policy. Okta Classic Engine does not support the ability to only apply sign-on policies to certain Operating Systems or device types.
- Keep in mind that there may be use cases and exceptions you are not aware of, or individuals at your organization who were not fully onboarded to Venn.
- Okta does not offer the ability to test your authentication policies before applying them. Consider testing with a small group and/or a single app that will not disrupt user workflows before blocking access to core business apps for large groups of users.
- Always notify users before enabling restrictions in order to avoid disruption of business.
- Leverage the Access Lockdown email template in the Venn Rollout Toolkit to inform your users.
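Because Okta gives you no way to test a policy before attaching it, one way to rehearse the rule from the Approach above is a dry run over recent sign-in events. The following is an added example, not Venn's or Okta's code: it models the IF conditions (user group, IP in the PCG zone, and for Identity Engine the device platform), treats the excluded admin and Venn apps as out of scope, and reports who would be denied per app. The CIDR ranges, user list, app names and events are constructed stand-ins for your own values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: stand-ins for your PCG egress ranges and your Venn user group.
PCG_ZONE = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.10/32")]
VENN_USERS = {"alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"}
# Apps the policy must never be attached to (see Warnings).
EXCLUDED_APPS = {"Okta Admin Console", "Venn Workplace"}
# Identity Engine can scope the rule to desktop platforms; Classic Engine cannot.
DESKTOP_PLATFORMS = {"WINDOWS", "MACOS"}

@dataclass
class SignIn:  # one sign-in event, reduced to the fields the rule conditions look at
    user: str
    app: str
    ip: str
    platform: str  # WINDOWS, MACOS, IOS, ANDROID

def in_pcg_zone(ip: str) -> bool:
    """The 'User's IP is in zone' condition."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PCG_ZONE)

def evaluate(event: SignIn, engine: str = "oie") -> str:
    """Return 'allow' or 'deny' for one event under the proposed rule."""
    if event.app in EXCLUDED_APPS or event.user not in VENN_USERS:
        return "allow"  # policy not attached, or user outside the targeted group
    if engine == "oie" and event.platform not in DESKTOP_PLATFORMS:
        return "allow"  # Device platform IF condition leaves mobile out of scope
    return "allow" if in_pcg_zone(event.ip) else "deny"

def dry_run(events, engine: str = "oie") -> dict:
    """Map each app to the users who would be denied, for review before rollout."""
    denied: dict = {}
    for ev in events:
        if evaluate(ev, engine) == "deny":
            denied.setdefault(ev.app, set()).add(ev.user)
    return denied

# Constructed sample of recent sign-ins, the kind you would export from the System Log.
SAMPLE_EVENTS = [
    SignIn("alice@example.com", "Zoom", "203.0.113.25", "WINDOWS"),  # via PCG: allowed
    SignIn("bob@example.com", "Zoom", "192.0.2.44", "WINDOWS"),      # off PCG: not onboarded?
    SignIn("carol@example.com", "Zoom", "192.0.2.45", "IOS"),        # mobile: OIE skips, Classic denies
    SignIn("dave@example.com", "Okta Admin Console", "192.0.2.46", "MACOS"),  # excluded app
    SignIn("erin@example.com", "Zoom", "192.0.2.47", "WINDOWS"),     # not in the Venn group
]

if __name__ == "__main__":
    print(dry_run(SAMPLE_EVENTS), dry_run(SAMPLE_EVENTS, engine="classic"))
```

Run it against an export of your own sign-in events for the pilot group and app; anyone listed under "deny" who should keep access is an onboarding gap to fix before the policy goes live.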
Tips
- If Okta is set up as your Venn IdP, consider assigning the access level to the same user group(s) that you use to assign access to Venn’s Workplace app.
- Authentication policies can be used to restrict access to any third-party SAML apps that use Okta as the Identity Provider. Consider setting up Okta SSO for key business applications so that you can improve ease of access for your users and restrict access outside of Venn’s Blue Border (instructions here: Okta Identity Engine, Okta Classic Engine).