Secure Okta SaaS Applications with Banyan Policies

Use federation capabilities in Okta to enforce Banyan Policies on your SaaS applications

This article describes features that are only available in the Banyan Business edition and Banyan Enterprise edition.

Overview

This guide details the steps required to set up Okta and Banyan TrustProvider to enable device registration and authentication for any SaaS application. Additionally, this guide covers how to add policy enforcement in Banyan TrustProvider at the SaaS application level.

How It Works

In the IDP-first authentication flow, you configure your Okta to federate authentication requests to Banyan’s TrustProvider component. Banyan TrustProvider federates right back to Okta for user authentication but, because Banyan is now in the authentication flow, it is able to enforce Zero Trust security policy.

Pre-requisites

Before proceeding through the Steps sections below, please ensure you have:

Steps

1. Create a Web policy

To learn more about how policies work, see Policies.

1.1 Navigate to Secure Access > Policies > + Create Policy and select Web Policy.

1.2 Enter a policy name and description.

1.3 Set the policy attributes.

1.4 Click Create Policy.

2. Create a SaaS Application in Banyan

Organizations can create one IDP Routed SaaS App for all Okta applications or create multiple IDP Routed SaaS Apps for groups of applications such as High Security vs Medium Security.

2.1 Navigate to Manage Services > SaaS Applications > PUBLISH SAAS APPLICATION.

2.2 Select IDP Routed so that Okta routes authentication to Banyan.

2.3 Name the SaaS App and verify the IDP redirect URL.

2.4 Attach the policy we had previously created (in step 1.4) and set enforcement mode.

2.5 Click Register.

The next screen will give you the details you need to set up Okta to use Banyan to enforce your policies.

3. Add Banyan as an Identity Provider in Okta

3.1 Navigate to Security > Identity Providers > Add Identity Provider.

3.2 Select Add OpenID Connect IdP.

3.3 Name the Identity Provider Banyan Policy Engine and enter the config field values you obtained in Step 2.5 above.

4. Route Specific Okta Applications to Banyan

This step will only protect SP-initiated flows. To protect accessing applications via the Okta portal, see Protecting All Okta Applications and the Okta Catalog.

4.1 Navigate to Security > Identity Providers > Routing Rules.

4.2 Add a Routing Rule called Banyan Policy Engine Routing, and select the SaaS applications that you wish to secure with Banyan Policies.

4.3 Select the Banyan Policy Engine identity provider you created in Step 3.

4.4 Select the specific applications that you wish to secure with Banyan.

CAUTION: Do not select “Any application” when you set up the Routing Rule here as it may result in an infinite redirect loop. If you wish to route all Okta traffic including access to the Okta application catalog, follow the Protecting All Okta Applications and the Okta Catalog below.

4.5 Ensure the routing rule has been activated.

5. In Okta, enable an IdP-based sign on policy (early access Okta feature)

When using Authentication Sign On rules (specifically MFA) in Okta and when using third-party IdP and routing rules for SaaS applications, Okta creates an MFA challenge for each IdP in the authentication chain. This results in end users being prompted twice for MFA challenges.

To avoid this undesired end user experience, Okta has a feature (available in early access) that allows the Okta admin to specify which IdP the Authentication Sign on rule(s) will apply to, such as “Okta”.

To configure this early access feature:

5.1 Navigate to Security > Authentication > Sign On.

5.2 Edit an existing sign-on policy and then add a new rule.

5.3 Locate the field AND Identity provider is, then select Okta.

If you do not see the AND Identity Provider option, you will need to file a ticket to Okta Support to “Enable feature - IdP-based sign on policy”. Okta Support will typically enable this feature for you within a few hours.

6. Test the IDP Routed App

Use a private/incognito browser window to navigate to the URL of the IDP Routed App you set up. You’ll see the request being redirected to Banyan TrustProvider and your security policies being enforced.

Now, all authentication traffic for your SaaS App is routed to Banyan TrustProvider for policy enforcement. A summary of your Okta Routing Rules is as follows:

Routing Rule                     Applications to Route          IDP to Route to
1. Banyan Policy Engine Routing  Specific SaaS Application(s)   Banyan Policy Engine
2. Default Rule                  Any Application                Okta

Protecting All Okta Applications and the Okta Catalog

To ensure requests to any Okta application as well as the Okta Catalog go through Banyan policy checks, complete the following steps:

1. Add a Banyan Fallback Routing Rule

Since all Okta authentication traffic will be federated, we need to ensure that flows involving the “Banyan TrustProvider” App Integration bypass federation so that users are not forced into infinite redirect loops.

1.1 Navigate to Security > Identity Providers > Routing Rules.

1.2 Add a Routing Rule called Banyan Fallback Routing.

1.3 Select the Banyan TrustProvider SaaS Application.

1.4 Select Okta as the identity provider.

1.5 Ensure the routing rule has been activated.

2. Update the Routing Rules Order

Finally, ensure all your Routing Rules in Okta will apply in the correct order. In general, the more specific the routing rule the higher up it should be placed.

Ensure the Banyan Fallback Routing rule is placed above the Banyan Policy Engine Routing rule.

3. Update Banyan Policy Engine Routing rule to route all Application traffic

With the Fallback Routing in place, you can now go back to the “Banyan Policy Engine Routing” Routing Rule and update it to route Any application.

Now, all Okta authentication traffic is routed to Banyan TrustProvider for policy enforcement. A summary of your Okta Routing Rules is as follows:

Routing Rule                     Applications to Route   IDP to Route to
1. Banyan Fallback Routing       Banyan TrustProvider    Okta
2. Banyan Policy Engine Routing  Any Application         Banyan Policy Engine
3. Default Rule                  Any Application         Okta
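The following is an added example, not Banyan's or Okta's code. It models Okta's top-down, first-match evaluation of routing rules to show why the "Any application" caution in Step 4.4 matters and why the Banyan Fallback Routing rule must sit above the Banyan Policy Engine Routing rule: Banyan federates back to Okta through the "Banyan TrustProvider" app integration, so that return request is itself subject to the routing rules. The application name "ExampleApp" and the hop budget are constructed for illustration.

```python
# Added example (not Banyan's or Okta's code): first-match model of Okta routing
# rules, used to trace the IDP-first flow and detect an infinite redirect loop.
from dataclasses import dataclass

ANY = "Any application"


@dataclass(frozen=True)
class RoutingRule:
    name: str
    applications: frozenset  # apps the rule matches, or {ANY} for a catch-all
    idp: str                 # identity provider the request is routed to


def route(rules, app):
    """Okta evaluates routing rules top-down; the first matching rule wins."""
    for rule in rules:
        if ANY in rule.applications or app in rule.applications:
            return rule.idp
    raise LookupError(f"no routing rule matched {app!r}")


def trace_login(rules, app, max_hops=5):
    """Follow the IDP-first flow for `app` and return (hops, looped).
    Routing to the Banyan Policy Engine makes Banyan federate back to Okta via
    the 'Banyan TrustProvider' app integration, which is routed again."""
    hops, current = [], app
    for _ in range(max_hops):
        idp = route(rules, current)
        hops.append((current, idp))
        if idp == "Okta":
            return hops, False            # Okta authenticates; flow completes
        current = "Banyan TrustProvider"  # Banyan's return trip into Okta
    return hops, True                     # never reached Okta: redirect loop


# Constructed rule sets mirroring the tables in this article.
POLICY_ENGINE_ANY = RoutingRule("Banyan Policy Engine Routing", frozenset({ANY}), "Banyan Policy Engine")
FALLBACK = RoutingRule("Banyan Fallback Routing", frozenset({"Banyan TrustProvider"}), "Okta")
DEFAULT = RoutingRule("Default Rule", frozenset({ANY}), "Okta")


def without_fallback():   # Step 4.4 CAUTION case: "Any application" with no fallback
    return trace_login([POLICY_ENGINE_ANY, DEFAULT], "ExampleApp")

def fallback_below():     # fallback exists but is ordered below the catch-all: never consulted
    return trace_login([POLICY_ENGINE_ANY, FALLBACK, DEFAULT], "ExampleApp")

def fallback_above():     # the article's final order: fallback, policy engine, default
    return trace_login([FALLBACK, POLICY_ENGINE_ANY, DEFAULT], "ExampleApp")
```

Running the three functions shows that only the last ordering completes in two hops (ExampleApp to Banyan Policy Engine, then Banyan TrustProvider to Okta); the other two exhaust the hop budget without ever reaching Okta.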

Passwordless

In some scenarios, you might want to enable Passwordless Authentication in addition to the IDP-first authentication.

To do so, first set up IDP-first authentication as described above and then follow the docs to configure Passwordless Authentication. Ensure the Passwordless Routing Rule is placed above the Policy Engine Routing Rule.

A summary of your Okta Routing Rules with IDP-first and Passwordless is as follows:

Routing Rule                     Applications to Route               IDP to Route to
1. Banyan Fallback Routing       Banyan DeviceRegistrationProvider   Okta
2. Banyan Passwordless Routing   Banyan TrustProvider                Banyan Passwordless
3. Banyan Policy Engine Routing  Any Application                     Banyan Policy Engine
4. Default Rule                  Any Application                     Okta
Last modified: Oct 19, 2021