Okta SaaS App Gating

Home

Use Cases

VPN Replacement

Infrastructure Access

Device Controls

IP-based Access

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

API

Getting Started with the API

Twingate Labs ↗

additional resources

Help Center ↗

Changelog

FAQ

Twingate Trust Center

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

Let's configure OKTA to only allow access to SaaS Applications when behind Twingate.

SaaS app gating with Twingate and Okta enables you to require an authorized connection to a Twingate Connector as a prerequisite for IdP Auth to a SaaS Resource. This is similar in concept to IP whitelisting inside a SaaS app, but the IP check and approval/disapproval happens at the IdP Auth stage instead of being configured in the SaaS application directly.

Twingate Admin Console Prerequisites

As this use case is dependent on an IP address associated with one or more Twingate Connectors, the first step is to create a Twingate Resource associated with your organization’s Okta tenant URL (e.g. mycompany.okta.com) and associating that Resource with one or more Groups. Doing this means that authorized users attempting to authenticate through Okta will be coming from the exit IP address associated with the Twingate Remote Network used to enable connectivity to the new Resource. This is the IP address you’ll use as part of the Okta App Policy configuration.

Create an Okta Network Zone

From the Okta Admin Console, navigate to Security > Networks: From the Networks section of the Okta Admin Console, select Add Zone > IP Zone:

Multiple Connectors will usually be behind a NAT gateway and hence present a single public IP address. If your Connectors are not behind a NAT for outbound Internet access, then you may need to add multiple IP addresses to the zone. (This is not common.)

Choose a Zone Name that you’ll easily identify with this use case (eg. Twingate Connector Exit IP). Insert the public IP address used by the relevant Twingate Connector(s) in the Gateway IPs section.

Leave other options unchecked/empty and click Save. This is the Zone you’ll use for your app-specific rules in Okta.

Edit the App Sign On Policy

From the Okta Admin Console, navigate to Applications > Applications: Select the Application you’d like to apply the new Twingate app gating policy to (e.g. Google Workspace, Salesforce, Snowflake): After opening the app settings page, select the Sign On tab and scroll down to the Sign On Policy subsection. Click ”+ Add Rule” and configure the following settings as shown in the screenshot below:

Setting	Value	Notes
Rule Name	eg. Twingate-secured SaaS
People > Who does this rule apply to?	Users assigned to this app
Location > If the user is located	Not in Zone	Note that you must use a deny rule for this configuration. We are denying access to the app if the user is not in the network zone.
Location > Network Zones	< The name of the IP Zone you created in the previous steps >
Client > If the user’s platform is any of these	eg. Any client
Actions > Access > When all conditions above are meant, sign on to this application is	Denied	Note that you must use a deny rule for this configuration. We are denying access to the app if the user is not in the network zone.

This rule ensures that attempts to access the app in question will only be allowed if the user is connected to Twingate with an authorized account that belongs to the correct Twingate Group.

Last updated 8 hours ago

Home

Use Cases

VPN Replacement

Infrastructure Access

Device Controls

IP-based Access

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

API

Getting Started with the API

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Best Practices

Updating Connectors

Advanced Connector Management

Resources

Remote Networks

Team

Users

Groups

Identity Providers

Security Policies

Policy Guides

Two-Factor Authentication

Devices

Client Application

Managed Devices

Device Administration

Services

Headless Clients

CI/CD Configuration

Analytics

Admin Actions Report

Detailed Network Event Schema

Analyzing Network Traffic

User Activity Report

Internet Security

DNS-over-HTTPS (DoH)

NextDNS Integration

Administration

Admin Console Security

Subscription management

additional resources

Help Center ↗

Changelog

FAQ

Twingate Trust Center

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

VPN Replacement

Infrastructure Access

Device Controls

IP-based Access

Homelab & Personal Use Cases

Internet Security

Compliance

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

Getting Started with the API

Automated Deployment

Understanding Connectors

Deploying Connectors