
Webview Cert Store Lookup... issues with GlobalProtect Client

L1 Bithead

We are an Okta customer, looking to do adaptive MFA.  What this means is that Okta will perform a lookup in the client cert store (personal) to see if they have been issued a certificate by Okta, and if so then the device is trusted.  We can then build access policies which will perform different types of access/challenges depending on whether the device is trusted or not.  Trust is determined by the presence of a certificate.

 

One of the requirements: "Device Trust for managed Windows computers works with any SAML/WS-Fed-enabled app that supports authentication through a webview. The web view in which authentication is performed must have access to the certificate store on the device. This includes Microsoft Office clients that support Modern Authentication, among others"

 

Source: https://help.okta.com/en/prod/Content/Topics/Mobile/Okta_Mobile_Device_Trust_Windows-desktop.htm

 

I am posting here to get some clarification around this, because we have no issue doing cert-based VPN on the Palo Alto side, but we cannot get the GlobalProtect client to see there is a cert for Okta, and therefore the VPN login fails. I have a feeling that the GlobalProtect client (4.0.2-19) does not actually support authentication through webview?
