Enforcing Device Trust For Okta Applications

Introduction

In this guide you’ll learn how to enable Banyan Device Trust capabilities for SaaS Applications in Okta. Banyan supports a phased roll out that provides high visibility and a great end-user experience.

Use Case

Leverage this cookbook to accomplish the following:

  • Use Banyan to secure SaaS Applications in Okta in a phased manner with low user impact
  • Obtain visibility into which users/devices will be blocked when you enforce Banyan Policies
  • Set up multiple policies for groups of SaaS applications

Steps

1. Enable Unregistered Devices

Allow unregistered devices will allow visibility into how your Banyan app rollout is progressing without blocking users and devices immediately. You will be able to see which users are leveraging a Banyan registered devices and which users are using devices without Banyan on them.

1) Add the “0.0.0.0/0” CIDR range to account for all devices.

2) Select Update

2. Create a SaaS Application Policy in Banyan

You will create a SaaS Application policies in Banyan for your Okta Applications. To have different policies for groups of users or applications, see [Adding Multiple Policies]

1) Create a user Role that includes users accessing SaaS applications.

2) Create a Web Policy that includes your role and trust score requirements

3. Create a SaaS Application in Banyan

You will create an IDP Routed SaaS Application in Banyan that will link to an Identity Provider in Okta. The policy created in step 2 will be attached and the enforcement mode will be set to “Permissive” so users are not blocked until they have had time to register with the Banyan app.

1) Follow this step to create a SaaS Application in Banyan

2) Ensure the Enforcement Mode for the policy is set to Permissive

4. Route Specific Okta Applications to Banyan for Device Trust

This step will only protect SP-initiated flows for certain applications and is only recommended for testing purposes before routing all Okta application traffic.

Begin by routing a few applications to Banyan to start your roll out. This will give you a good sense of how your policies are performing before you proceed to Step 5.

1) Add Banyan as an Identity Provider in Okta

2) Route Specific Applications to Banyan

3) Monitor Unregistered Devices

The unregistered device list view will populate with users who are accessing Okta applications from devices that do not have the Banyan certificate.

As more users download and register with the Banyan app, this list will decrease and you’ll be able to gauge who may be impacted when a policy goes into enforcement.

5. Route All Okta Applications to Banyan for Device Trust

Once you are comfortable with your policies, you can now route all applications to Banyan.

The Banyan SaaS Application policy is still in Permissive mode and unregistered devices are still allowed. Anyone that does not meet policy requirements will still be able to access their Okta applications.

1) Follow the steps to protecting all Okta applications and the Okta catalog

2) Continue monitoring Unregistered Devices

6. Enforce Device Trust

Once you are confident that most of your users have registered with the Banyan app and are meeting your policy requirements, it is now time to move the policy into enforcement. This will ensure only registered, trusted devices can access Okta SaaS Applications.

1) Set Policy from Step 2 to “Enforcing”

2) Disable Unregistered Devices

  • Remove “0.0.0.0/0” CIDR Range

(Optional) Multiple Security Policies for Applications

There may be scenarios where you want to have different policies for different groups of applications. This is supported by creating multiple Identity Providers in Okta tied to multiple SaaS Applications in Banyan.

This example shows how to create multiple policies for High Security vs Medium Security applications

1) Create two SaaS Applications in Banyan with different policies

2) Create a routing rule for Medium Security applications

3) Create a routing rule for High Security applications

In order to protect workflows where a user accesses an application from the Okta catalog, you will need to treat the Okta Catalog as a High Security application.

Summary

With these steps, we have provided a way securely roll out Banyan device policies for Okta SaaS applications with low user impact.

Solution

We addressed the use cases above in the following ways:

1) Provided a way for a phased rollout of Banyan device policies onto Okta SaaS applications while also allowing a fall back for devices that have not been registered yet or do not meet trust score Requirements

2) Provided visibility into the devices accessing SaaS applications on unregistered devices, further helping you gauge your impact of moving a policy into enforcement.

3) Provided a way to set different policies for groups of applications or users.



Last modified: Oct 19, 2021