Use Identity Federation in Okta for Device Policies on SaaS Apps

Use federation capabilities in Okta to enforce Banyan Policies on your SaaS applications

Overview

This guide details the steps required to set up Okta and Banyan TrustProvider to enable device registration and authentication for any SaaS application. Additionally, this guide covers how to add policy enforcement in Banyan TrustProvider at the SaaS application level.

How It Works

In the IDP-first authentication flow, you configure your Okta to federate authentication requests to Banyan’s TrustProvider component. Banyan TrustProvider federates right back to Okta for user authentication but, because Banyan is now in the authentication flow, it is able to enforce Zero Trust security policy.

Pre-requisites

Before proceeding through the Steps sections below, please ensure you have:

  • Administrative access to Okta
  • The ability to add an external Identity Provider called “Banyan Policy Engine”
  • The ability to add a new application integration to your Identity Provider called “Banyan DeviceRegistrationProvider”
  • Integrated Banyan with Okta to create a directory of users that can access your Services

Steps

1. In the Banyan Command Center, create a Policy to manage access to SaaS Apps

1.1 Navigate to Secure Access > Policies > + Create Policy and create a new Policy using the template Basic Authorization Policy for Users.

1.2 Enter a policy name and description.

1.3 Select the option that specifies this policy is intended for Web Service for Users. Also set the policy attributes for minimal controls:

  • allow access from user principals with ANY role
  • do not set a Trust Level requirement

1.4 Click Create Policy.

2. In the Banyan Command Center, Register the Okta Federated SaaS App

2.1 Navigate to Manage Services > SaaS Applications > + PUBLISH SAAS APPLICATION.

2.2 Select IDP Routed for Okta to route to Banyan.

2.3 Name the SaaS App Okta Federated SaaS App, and edit your IdP’s redirect URL (if required).

2.4 Attach the policy we had previously created (in step 1.4) and set enforcement mode to Enforcing.

2.5 Click Register.

The next screen will give you the details you need to set up Okta to use Banyan to enforce your policies.

3. In Okta, create an External OpenID Connect IdP called “Banyan Policy Engine”

Switch to the Okta Classic UI for this guide.

3.1 Navigate to Security > Identity Providers > Add Identity Provider.

3.2 Select Add OpenID Connect IdP.

If you do not see the Add OpenID Connect IdP option, you will need to file a ticket to Okta Support to “Enable feature - OIDC Identity Provider”. Okta Support will typically enable this feature for you within a few hours.

3.3 Name the Identity Provider Banyan Policy Engine and enter the config field values you obtained in Step 2 above.

4. In Okta, add a Routing Rule called “Banyan Policy Engine Routing”

4.1 Add a Routing Rule called Banyan Policy Engine Routing, and select the SaaS applications registered with your Identity Provider that you wish to secure with Banyan Policies.

4.2 For Use this identity provider, ensure you select the Banyan Policy Engine IdP you created in Step 3 so that authentication requests from the selected SaaS applications route properly.

CAUTION: Do not select Any application when you set up the Routing Rule here. You must select the specific SaaS applications you wish to secure with Banyan Policies. Choosing Any application will route all Okta authentication traffic to Banyan TrustProvider which can result in infinite redirect loops. If you wish to route all Okta traffic, follow the Additional Steps below.

4.3 Ensure the routing rule has been activated.

5. In Okta, enable an IdP-based sign on policy (early access Okta feature)

When Authentication Sign On rules (specifically MFA) in Okta are combined with a third-party IdP and routing rules for SaaS applications, Okta creates an MFA challenge for each IdP in the authentication chain. This results in end users being prompted twice for MFA challenges.

To avoid this undesired end user experience, Okta has a feature (available in early access) that allows the Okta admin to specify which IdP the Authentication Sign on rule(s) will apply to, such as “Okta”.

To configure this early access feature:

5.1 Navigate to Security > Authentication > Sign On.

5.2 Edit an existing sign-on policy and then add a new rule.

5.3 Locate the field AND Identity provider is and then select Okta.

If you do not see the AND Identity Provider option, you will need to file a ticket to Okta Support to “Enable feature - IdP-based sign on policy”. Okta Support will typically enable this feature for you within a few hours.

6. Test the IDP Routed App

Use a private/incognito browser window to navigate to the URL of the IDP Routed App you set up. You’ll see the request being redirected to Banyan TrustProvider and your security policies being enforced.

Now, all authentication traffic for your SaaS App is routed to Banyan TrustProvider for policy enforcement. A summary of your Okta Routing Rules is as follows:

Routing Rule                      Applications to Route           IDP to Route to
1. Banyan Policy Engine Routing   Specific SaaS Application(s)    Banyan Policy Engine
2. Default Rule                   Any Application                 Okta

Additional Steps

In some scenarios, you might need to federate not just individual application traffic but ALL Okta authentication traffic to Banyan. For example, you might want your users to access the Okta Application Page only after passing the Banyan policy checks. The instructions below show you how to accomplish this.

1. In Okta, add a Routing Rule called “Banyan Fallback Routing”

Since all Okta authentication traffic will be federated, we need to ensure that flows involving the “Banyan TrustProvider” App Integration bypass federation so that users are not forced into infinite redirect loops.

Add a Routing Rule called Banyan Fallback Routing for the “Banyan TrustProvider” App Integration, that uses the default “Okta” identity provider.

CAUTION: Do not select Any application when you set up the “Banyan Fallback Routing” Routing Rule. You must only select the “Banyan TrustProvider” app integration here.

Ensure the routing rule has been activated.

2. In Okta, ensure the order of the Routing Rules

Finally, ensure all your Routing Rules in Okta will apply in the correct order. In general, the more specific the routing rule the higher up it should be placed.

Ensure the “Banyan Fallback Routing” rule is placed above the “Banyan Policy Engine Routing” rule.

3. In Okta, update the “Banyan Policy Engine Routing” Routing Rule to route all Application traffic

With the Fallback Routing in place, you can now go back to the “Banyan Policy Engine Routing” Routing Rule and update it to route Any application.

Now, all Okta authentication traffic is routed to Banyan TrustProvider for policy enforcement. A summary of your Okta Routing Rules is as follows:

Routing Rule                      Applications to Route           IDP to Route to
1. Banyan Fallback Routing        Banyan TrustProvider            Okta
2. Banyan Policy Engine Routing   Any Application                 Banyan Policy Engine
3. Default Rule                   Any Application                 Okta
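As an added illustration (not Banyan's or Okta's code), the following Python models Okta's first-match routing-rule evaluation together with the federation hop back to Okta described in this guide. It assumes the SaaS app is the one named in step 2.3 and shows why the Fallback rule must sit above a Policy Engine rule that routes Any application, and why that Policy Engine rule loops without a fallback.

```python
from dataclasses import dataclass

ANY = "Any application"            # Okta's "Any application" matcher
OKTA = "Okta"
POLICY_ENGINE = "Banyan Policy Engine"
TRUSTPROVIDER_APP = "Banyan TrustProvider"   # app integration Banyan returns through

@dataclass(frozen=True)
class RoutingRule:
    name: str
    applications: frozenset   # specific app names, or {ANY}
    idp: str

def route(rules, app):
    """First rule whose application matcher covers `app` wins (Okta's order)."""
    for rule in rules:
        if ANY in rule.applications or app in rule.applications:
            return rule.idp
    raise LookupError(f"no routing rule matched {app!r}")

def trace_auth(rules, app, max_hops=5):
    """Model of the IDP-first flow: the app's request is routed; when it lands on
    the Policy Engine, Banyan federates back to Okta via the 'Banyan TrustProvider'
    app integration, which is routed again. Returns the IdPs visited, or raises
    RuntimeError if Okta is never reached (an infinite redirect loop)."""
    hops, current = [], app
    for _ in range(max_hops):
        idp = route(rules, current)
        hops.append(idp)
        if idp == OKTA:
            return hops
        current = TRUSTPROVIDER_APP
    raise RuntimeError(f"redirect loop for {app!r}: {hops}")

# Rules from the guide's summary tables; the app name is the sample from step 2.3.
DEFAULT = RoutingRule("Default Rule", frozenset({ANY}), OKTA)
POLICY_SPECIFIC = RoutingRule("Banyan Policy Engine Routing",
                              frozenset({"Okta Federated SaaS App"}), POLICY_ENGINE)
POLICY_ALL = RoutingRule("Banyan Policy Engine Routing", frozenset({ANY}), POLICY_ENGINE)
FALLBACK = RoutingRule("Banyan Fallback Routing", frozenset({TRUSTPROVIDER_APP}), OKTA)

if __name__ == "__main__":
    app = "Okta Federated SaaS App"
    print("specific rule: ", trace_auth([POLICY_SPECIFIC, DEFAULT], app))
    print("fallback first:", trace_auth([FALLBACK, POLICY_ALL, DEFAULT], app))
    for bad in ([POLICY_ALL, DEFAULT], [POLICY_ALL, FALLBACK, DEFAULT]):
        try:
            trace_auth(bad, app)
        except RuntimeError as err:
            print("loop:", err)
```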

Passwordless

In some scenarios, you might want to enable Passwordless Authentication in addition to the IDP-first authentication.

To do so, first set up IDP-first authentication as described above and then follow the docs to configure Passwordless Authentication. Ensure the Passwordless Routing Rule is placed above the Policy Engine Routing Rule.

A summary of your Okta Routing Rules with IDP-first and Passwordless is as follows:

Routing Rule                      Applications to Route                 IDP to Route to
1. Banyan Fallback Routing        Banyan DeviceRegistrationProvider     Okta
2. Banyan Passwordless Routing    Banyan TrustProvider                  Banyan Passwordless
3. Banyan Policy Engine Routing   Any Application                       Banyan Policy Engine
4. Default Rule                   Any Application                       Okta
Last modified: Jul 22, 2021