02-27-2018 04:02 PM
We are an Okta customer, looking to do adaptive MFA. What this means is that Okta will perform a lookup in the client cert store (personal) to see if they have been issued a certificate by Okta, and if so then the device is trusted. We can then build access policies which will perform different types of access/challenges depending on whether the device is trusted or not. Trust is determined by the presence of a certificate.
One of the requirements: "Device Trust for managed Windows computers works with any SAML/WS-Fed-enabled app that supports authentication through a webview. The web view in which authentication is performed must have access to the certificate store on the device. This includes Microsoft Office clients that support Modern Authentication, among others"
Source: https://help.okta.com/en/prod/Content/Topics/Mobile/Okta_Mobile_Device_Trust_Windows-desktop.htm
I am posting here to get some clarification around this, because we have no issue doing cert based VPN on the Palo Alto side, but we cannot get the Global Protect Client to see there is a cert for Okta, therefore the VPN login fails. I have a feeling that the Global Protect Client (4.0.2-19) does not actually support authentication through webview?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
