Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who Me Too'd this topic

Okta SAML Auth with Push Only for VPN (SSO for Okta Login)

L1 Bithead

Is it possible to configure Global Protect VPN connection such that....


  1. Pre-logon connects user during login
  2. After login, they get prompted to Okta login to proceed to user session (vs pre-logon session)
  3. Okta SSO works so they do not need to re-enter their AD credentials - this requires the pre-login tunnel to stay up while authenticating user
  4. Push auth w/ Okta for MFA


...or maybe this way....


  1. User logs into laptop with cache credentials
  2. User initiates VPN connection
  3. VPN authentication staged in such a way that it allows connection to the SSO server internally, so that Okta can SSO the user, then initiate a push before sending SAML auth and establishing full tunnel?


The goal I am trying to accomplish is really one basic thing: if the user logs into their laptop I want that to be FIRST FACTOR and for them to not be asked for it again (SSO).  But I want to secure full VPN tunnel w/ a second factor, and I want "push" or "enter code" from Okta mobile app to be that.  Problem is, Okta has not authenticated the remote user and SSO only works if the Okta SSO/IWA server is accessible to the host (and that server is in back office, and it's not secure to expose it to WAN) I am kind of in a pickle here (quite an annoying one if you ask me).  Once VPN is up - SSO works great!  Go figure.


I hope I am making sense!

Who Me Too'd this topic