SPGateway adds client certificate authentication with Okta

Many organizations use Okta’s single sign-on (SSO) solution to give their mobile and desktop end-users a single portal (and one set of credentials) for the applications they use to get their work done. Regardless of the device, Okta’s SSO service is powerful and removes much of the friction users face in remembering application URLs and credentials. But there are many situations where companies need to restrict access to applications at the device level.

An industry-accepted method for controlling access at this level is client-side certificate authentication. In practice, a corporation installs a certificate on the laptops, tablets, and BYOD smartphones it provisions for its employees, and that certificate is used to authorize the device for application access.

ICSynergy’s SPGateway can provide this certificate workflow for Okta users in moments.

Client-side certificate authentication workflow

Only devices with valid certificates will be authorized to access protected applications through ICSynergy’s SPGateway. Devices such as a user’s personal computer or unmanaged mobile device will not be granted access.

The workflow is simple from the user’s point of view: as long as the required certificate is present on their device, they authenticate through Okta as usual and are granted access to the application protected by the SPGateway.

Behind the scenes, the certificate is requested when the user visits the SPGateway-protected application site. If the device presents a valid certificate (its status is checked against an OCSP server), the user is redirected to the Okta authentication page. Once they have authenticated with Okta, they are directed back to the application, where the certificate is verified once more before they are allowed into the application.
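The two-step check described above, as an added illustration that is not SPGateway’s code: a small model of a gateway that verifies the device certificate (issuer, validity window, OCSP status) before redirecting to the IdP, remembers which certificate started the login, and verifies again on the return. The class and field names, the 5-minute pending-login lifetime, the `assertion_valid` flag standing in for SAML assertion validation, and the dictionary standing in for an OCSP responder are all assumptions made for this example; the certificates and the Okta URL are constructed placeholders.

```python
"""Added model of a client-certificate-gated SSO flow (not SPGateway code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import secrets

# Constructed issuer name for the corporate device CA.
CORP_DEVICE_CA = "CN=Example Corp Device CA"

# Constructed stand-in for an OCSP responder: serial -> status.
# A real gateway queries the responder named in the certificate's AIA extension.
OCSP_STATUS = {1001: "good", 1002: "revoked", 1003: "good"}


@dataclass(frozen=True)
class ClientCert:
    """Minimal view of a client certificate (constructed, not real X.509)."""
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    der: bytes  # stand-in for the DER encoding; only hashed here

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


class GatewayError(Exception):
    """Raised when the gateway refuses the request."""


def verify_cert(cert, now, ocsp=OCSP_STATUS):
    """Check presence, issuer, validity window and revocation; return the fingerprint."""
    if cert is None:
        raise GatewayError("no client certificate presented")
    if cert.issuer != CORP_DEVICE_CA:
        raise GatewayError("certificate not issued by the device CA")
    if not (cert.not_before <= now <= cert.not_after):
        raise GatewayError("certificate outside its validity period")
    status = ocsp.get(cert.serial, "unknown")
    if status != "good":
        raise GatewayError(f"OCSP status is {status}")  # fail closed on 'unknown' too
    return cert.fingerprint


class Gateway:
    """Tracks pending logins between the redirect to the IdP and the return."""

    PENDING_TTL = timedelta(minutes=5)  # assumed lifetime of a pending login

    def __init__(self, idp_login_url):
        self.idp_login_url = idp_login_url
        self._pending = {}  # state -> (certificate fingerprint, expiry)

    def begin(self, cert, now):
        """Step 1: the device presents its certificate; on success redirect to the IdP."""
        fingerprint = verify_cert(cert, now)
        state = secrets.token_urlsafe(16)
        self._pending[state] = (fingerprint, now + self.PENDING_TTL)
        return f"{self.idp_login_url}?RelayState={state}"

    def complete(self, cert, state, assertion_valid, now):
        """Step 2: the user returns from the IdP; re-verify the certificate."""
        record = self._pending.pop(state, None)  # single use, so a replay fails
        if record is None:
            raise GatewayError("unknown or already used state")
        fingerprint, expires = record
        if now > expires:
            raise GatewayError("pending login expired")
        if not assertion_valid:
            raise GatewayError("IdP assertion rejected")
        if verify_cert(cert, now) != fingerprint:
            # The login that started on the managed device must finish on it.
            raise GatewayError("certificate changed between redirect and return")
        return "granted"


def make_cert(serial, issuer=CORP_DEVICE_CA):
    """Build a constructed certificate valid throughout 2024."""
    return ClientCert(subject=f"CN=device-{serial}", issuer=issuer, serial=serial,
                      not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
                      not_after=datetime(2025, 1, 1, tzinfo=timezone.utc),
                      der=f"constructed-der-{serial}".encode())


def run_scenarios():
    """Exercise the flow; returns the outcome of each scenario by name."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    gw = Gateway("https://example.okta.com/app/example/sso/saml")  # placeholder URL
    managed, other_managed = make_cert(1001), make_cert(1003)
    results = {}

    def attempt(name, step1_cert, step2_cert=None, delay=timedelta(seconds=30)):
        try:
            state = gw.begin(step1_cert, now).split("RelayState=")[1]
            results[name] = gw.complete(step2_cert or step1_cert, state, True, now + delay)
            return state
        except GatewayError as e:
            results[name] = str(e)

    state = attempt("managed_device", managed)
    attempt("revoked", make_cert(1002))
    attempt("no_cert", None)
    attempt("foreign_ca", make_cert(1099, issuer="CN=Other CA"))
    attempt("device_swap", managed, step2_cert=other_managed)
    attempt("expired_pending", managed, delay=timedelta(minutes=10))
    try:  # reuse of an already consumed state
        gw.complete(managed, state, True, now)
    except GatewayError as e:
        results["replay"] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16s} -> {outcome}")
```

The second verification matters because the redirect to Okta and the return are separate TLS connections: comparing the certificate fingerprint recorded at step 1 with the one presented at step 2 ties the completed login to the device that started it, and consuming the state on first use keeps a captured return URL from being replayed.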

Using a client-side certificate authentication workflow is far more practical than trying to control device access through IP or MAC addresses, which are easy to spoof and change as devices move between networks. If you need to limit which devices can access a protected application, the SPGateway offers an elegant solution that works well with existing Mobile Device Management (MDM) and Desktop Management solutions.


Do you have IAM questions or problems? Not enough time or resources to create a solution? We’d love to hear from you and start on your custom IAM solution today. There are several different ways to get in touch with us, so pick your favorite and let’s start solving problems today.