Okta SaaS App Gating

Let's configure Okta to only allow access to SaaS applications when the user is connected through Twingate.

SaaS app gating with Twingate and Okta enables you to require an authorized connection to a Twingate Connector as a prerequisite for IdP Auth to a SaaS Resource. This is similar in concept to IP whitelisting inside a SaaS app, but the IP check and approval/disapproval happens at the IdP Auth stage instead of being configured in the SaaS application directly.

Twingate Admin Console Prerequisites

As this use case depends on the IP address associated with one or more Twingate Connectors, the first step is to create a Twingate Resource for your organization’s Okta tenant URL (e.g. mycompany.okta.com) and associate that Resource with one or more Groups. Doing this means that authorized users attempting to authenticate through Okta will be coming from the exit IP address of the Twingate Remote Network that provides connectivity to the new Resource. This is the IP address you’ll use in the Okta App Policy configuration.

Create an Okta Network Zone

From the Okta Admin Console, navigate to Security > Networks. In the Networks section, select Add Zone > IP Zone.

Choose a Zone Name that you’ll easily identify with this use case (e.g. Twingate Connector Exit IP). Enter the public IP address used by the relevant Twingate Connector(s) in the Gateway IPs section.

Leave other options unchecked/empty and click Save. This is the Zone you’ll use for your app-specific rules in Okta.

Edit the App Sign On Policy

From the Okta Admin Console, navigate to Applications > Applications and select the application you’d like to apply the new Twingate app gating policy to (e.g. Google Workspace, Salesforce, Snowflake). On the app settings page, select the Sign On tab and scroll down to the Sign On Policy subsection. Click ”+ Add Rule” and configure the following settings as shown in the screenshot below:

Setting: Value

Rule Name: e.g. Twingate-secured SaaS
People > Who does this rule apply to?: Users assigned to this app
Location > If the user is located: Not in Zone
Location > Network Zones: the name of the IP Zone you created in the previous steps
Client > If the user’s platform is any of these: e.g. Any client
Actions > Access > When all conditions above are met, sign on to this application is: Denied

Note that you must use a deny rule for this configuration: the rule denies access to the app if the user is not in the network zone.

This rule ensures that access to the app in question is only allowed when the user is connected to Twingate with an authorized account that belongs to the correct Twingate Group.
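The two steps above (creating the IP Zone and the "Not in Zone, then Denied" rule) can be scripted and pre-checked. The following is an added example, not Twingate's or Okta's own code. It builds the request body for Okta's Network Zones API (POST /api/v1/zones with an SSWS API token), models the deny rule locally so you can confirm the zone really covers every Connector exit IP before the rule goes live (a zone that misses an exit IP locks out every assigned user), and goes slightly beyond the page by accepting Okta's RANGE gateway entries as well as CIDR ones. The IP addresses, zone name and org URL are constructed placeholders.

```python
"""Added example: build an Okta IP Zone for Twingate Connector exit IPs and
model the app sign-on deny rule locally. Not Twingate's or Okta's own code."""
import ipaddress
import json
import os
import urllib.request

# Constructed sample values (TEST-NET-3 range); replace with your own.
CONNECTOR_EXIT_IPS = ["203.0.113.10", "203.0.113.11"]
ZONE_NAME = "Twingate Connector Exit IP"


def build_ip_zone_payload(name, exit_ips):
    """Body for POST /api/v1/zones: an IP Zone whose Gateway IPs are the Connector
    exit addresses, each as a single-host CIDR (/32 for IPv4, /128 for IPv6)."""
    gateways = []
    for ip in exit_ips:
        addr = ipaddress.ip_address(ip)
        prefix = 32 if addr.version == 4 else 128
        gateways.append({"type": "CIDR", "value": f"{addr}/{prefix}"})
    return {"type": "IP", "name": name, "status": "ACTIVE",
            "usage": "POLICY", "gateways": gateways, "proxies": []}


def create_zone(okta_org_url, api_token, payload):
    """Create the zone via the Okta Management API. Makes a network call, so it is
    only invoked from main() and is not exercised by the offline checks below."""
    req = urllib.request.Request(
        f"{okta_org_url}/api/v1/zones",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": f"SSWS {api_token}",
                 "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def in_zone(client_ip, zone_payload):
    """True if client_ip matches any Gateway entry of the zone.
    Okta gateways are either CIDR ("a.b.c.d/nn") or RANGE ("start-end")."""
    addr = ipaddress.ip_address(client_ip)
    for gw in zone_payload["gateways"]:
        if gw["type"] == "CIDR":
            if addr in ipaddress.ip_network(gw["value"], strict=False):
                return True
        elif gw["type"] == "RANGE":
            start, end = (ipaddress.ip_address(p) for p in gw["value"].split("-"))
            if start.version == addr.version and start <= addr <= end:
                return True
    return False


def evaluate_sign_on(client_ip, zone_payload):
    """Local model of the rule from the table: Location = Not in Zone, Action = Denied.
    A request the deny rule does not match falls through to Okta's default allow."""
    if not in_zone(client_ip, zone_payload):
        return "DENIED"
    return "ALLOWED"


def uncovered_exit_ips(zone_payload, exit_ips):
    """Pre-flight check: Connector exit IPs the zone would NOT match. Any entry here
    means users behind that Connector would be denied once the rule is enabled."""
    return [ip for ip in exit_ips if not in_zone(ip, zone_payload)]


def main():
    payload = build_ip_zone_payload(ZONE_NAME, CONNECTOR_EXIT_IPS)
    print(json.dumps(payload, indent=2))
    print("uncovered:", uncovered_exit_ips(payload, CONNECTOR_EXIT_IPS))
    # Set OKTA_ORG_URL (e.g. https://mycompany.okta.com) and OKTA_API_TOKEN to create it.
    org, token = os.environ.get("OKTA_ORG_URL"), os.environ.get("OKTA_API_TOKEN")
    if org and token:
        print(create_zone(org, token, payload)["id"])


if __name__ == "__main__":
    main()
```

Run it once with only the constructed values to see the payload and an empty "uncovered" list; add one Connector exit IP that is not in the zone to see the pre-flight check flag it before you enable the deny rule.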
