We're currently using Okta integrated with Envoy for automatic office check-ins. When users log into Okta on our office network, Envoy checks them in automatically, which is great. However, the problem arises because Okta sessions expire when the network or IP changes. This forces users to log in again upon arrival at the office, which activates the check-in process. The catch is that many applications maintain their own sessions, so if they're already open, users may not re-engage with Okta throughout the day, meaning no check-in occurs.
Our temporary fix is to reduce the session length of a frequently-used third-party app to eight hours, but this is frustrating for remote team members. We want a way to mandate at least one Okta login whenever a user connects to the office WiFi, without impacting remote users.
We're using UniFi for our network, Okta with FastPass for all company devices, and we have MDM in place. We've looked into several options:
1. Setting up a UniFi captive portal that points to an Okta-protected page, needing middleware to authorize the device post-login.
2. Configuring WPA Enterprise with an Okta RADIUS agent, which seems more straightforward and could block access until Okta authentication is completed.
3. Implementing UniFi ZTNA with Okta as the SAML IdP, although this requires more setup and involves the UniFi Endpoint app on devices.
We're leaning towards RADIUS but are open to finding a simpler method that might work with Okta FastPass and macOS.
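The middleware that option 1 (captive portal pointing at an Okta-protected page) calls for, as an added example that is not part of the original post: it binds the client MAC from the UniFi portal redirect into the OIDC state, so the device authorized after the Okta callback is the one that actually hit the portal rather than whatever a forged callback names. The UniFi redirect parameter names, the Okta issuer and client id, and the injected authorize-guest call are assumptions; verify the ID token signature with your OIDC library before passing its claims in.

```python
import hashlib, hmac, re, secrets, time
from urllib.parse import parse_qs, urlparse

# Constructed placeholders: load the real values from the environment / Okta app settings.
STATE_KEY = b"replace-with-a-random-32-byte-secret"
OKTA_ISSUER = "https://example.okta.com/oauth2/default"   # assumed issuer URL
CLIENT_ID = "0oa-placeholder-client-id"                   # assumed Okta app client id
STATE_TTL = 300      # seconds allowed for the portal -> Okta -> callback round trip
MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")

def parse_portal_redirect(url):
    """Extract the client MAC from the UniFi guest-portal redirect.
    The query names (id=client MAC, ap, ssid, t, url) are an assumption
    about UniFi's external-portal redirect format."""
    q = parse_qs(urlparse(url).query)
    mac = q.get("id", [""])[0].lower()
    if not MAC_RE.fullmatch(mac):
        raise ValueError("missing or malformed client MAC in portal redirect")
    return {"mac": mac, "ssid": q.get("ssid", [""])[0], "url": q.get("url", ["/"])[0]}

def make_state(mac, now=None):
    """OIDC 'state' value that binds the Okta login to the device that hit the portal."""
    ts = int(now if now is not None else time.time())
    body = f"{mac}|{ts}|{secrets.token_hex(8)}"
    tag = hmac.new(STATE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def check_state(state, now=None):
    """Return the bound MAC if the state is authentic and fresh, else None."""
    now = int(now if now is not None else time.time())
    try:
        mac, ts, nonce, tag = state.split("|")
        age = now - int(ts)
    except ValueError:
        return None
    expect = hmac.new(STATE_KEY, f"{mac}|{ts}|{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expect) or not 0 <= age <= STATE_TTL:
        return None
    return mac

def on_okta_callback(state, claims, authorize, now=None):
    """Handle the Okta redirect. `claims` must come from an ID token whose signature
    is already verified; `authorize(mac, minutes)` is the injected UniFi call (assumed:
    the controller's authorize-guest command). The MAC comes only from the signed state."""
    mac = check_state(state, now)
    if mac is None or claims.get("iss") != OKTA_ISSUER or claims.get("aud") != CLIENT_ID:
        return None
    authorize(mac, 8 * 60)   # 8 h, the session length the question already uses
    return mac
```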
4 Answers
Just wondering, what’s the threat model you're evaluating that makes you want to enforce this login strategy? Seems like there's a critical need behind your approach!
Using a captive portal with Okta can complicate things, especially due to SSO. Are you planning to direct all employees through the captive portal, or would you use multiple SSIDs for different staff levels?
To achieve what you're aiming for, it sounds like setting up WPA Enterprise with RADIUS through Okta is your best bet. RADIUS is not bound to any specific operating system, so it'll work with macOS too. Just keep in mind that FastPass might not work seamlessly with RADIUS since it relies on API calls for authentication. But the push notifications should still come in handy!
I believe our office has a badge-in system for Envoy check-ins, so it could be an alternative way to ensure people check in without having to re-authenticate with Okta. I’m not familiar with the exact setup but it’s worth considering!