Okta SaaS App Gating
Let's configure OKTA to only allow access to SaaS Applications when behind Twingate.
SaaS app gating with Twingate and Okta enables you to require an authorized connection to a Twingate Connector as a prerequisite for IdP Auth to a SaaS Resource. This is similar in concept to IP whitelisting inside a SaaS app, but the IP check and approval/disapproval happens at the IdP Auth stage instead of being configured in the SaaS application directly.
Twingate Admin Console Prerequisites
As this use case is dependent on an IP address associated with one or more Twingate Connectors, the first step is to create a Twingate Resource associated with your organization’s Okta tenant URL (e.g. mycompany.okta.com) and associating that Resource with one or more Groups. Doing this means that authorized users attempting to authenticate through Okta will be coming from the exit IP address associated with the Twingate Remote Network used to enable connectivity to the new Resource. This is the IP address you’ll use as part of the Okta App Policy configuration.
Create an Okta Network Zone
From the Okta Admin Console, navigate to Security > Networks: From the Networks section of the Okta Admin Console, select Add Zone > IP Zone:
Multiple Connectors will usually be behind a NAT gateway and hence present a single public IP address. If your Connectors are not behind a NAT for outbound Internet access, then you may need to add multiple IP addresses to the zone. (This is not common.)
Choose a Zone Name that you’ll easily identify with this use case (eg. Twingate Connector Exit IP). Insert the public IP address used by the relevant Twingate Connector(s) in the Gateway IPs section.
Leave other options unchecked/empty and click Save. This is the Zone you’ll use for your app-specific rules in Okta.
Edit the App Sign On Policy
From the Okta Admin Console, navigate to Applications > Applications: Select the Application you’d like to apply the new Twingate app gating policy to (e.g. Google Workspace, Salesforce, Snowflake): After opening the app settings page, select the Sign On tab and scroll down to the Sign On Policy subsection. Click ”+ Add Rule” and configure the following settings as shown in the screenshot below:
|Rule Name||eg. Twingate-secured SaaS|
|People > Who does this rule apply to?||Users assigned to this app|
|Location > If the user is located||Not in Zone||Note that you must use a deny rule for this configuration. We are denying access to the app if the user is not in the network zone.|
|Location > Network Zones||< The name of the IP Zone you created in the previous steps >|
|Client > If the user’s platform is any of these||eg. Any client|
|Actions > Access > When all conditions above are meant, sign on to this application is||Denied||Note that you must use a deny rule for this configuration. We are denying access to the app if the user is not in the network zone.|
This rule ensures that attempts to access the app in question will only be allowed if the user is connected to Twingate with an authorized account that belongs to the correct Twingate Group.
Last updated 18 hours ago