
Monitoring Applications that use Okta for User Authentication

As the leading provider of identity and access management and authentication for enterprises, Okta gives employees, partners, suppliers, and customers secure access to the tools they need to do their most important work. With deep integrations to over 6,000 applications, the Okta Identity Cloud enables simple and secure access from any device. Although Okta does not offer out-of-the-box synthetic monitoring systems for web applications, there are several other means of reporting which are indirectly relevant. Here are a couple of examples of such tools:

  • Okta Trust site. The Okta Trust site displays a general overview of the Okta System Status. Administrator credentials give you system availability information for the Okta server your subdomain resides on.
  • On-premises agents. Several on-premises agents include health-check functionality. For example, the status of the Okta AD Agents is closely monitored, and all administrator accounts are notified by email within minutes of any downtime. Additional information about AD Agent availability may be found here.

Monitoring Application Access

Unfortunately, application access cannot easily be monitored with Okta reports, as there are no out-of-the-box notifications for application downtime. Moreover, the Okta System Log will always display a successful authentication to applications integrated through SAML or WS-Federation. Because of the asynchronous nature of the authentication, the browser always successfully relays the SAML assertion to the Service Provider, returning an HTTP 200 response, whether or not the service is down.
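The blind spot described above can be made visible by correlating System Log SSO events with the results of an independent synthetic probe. The following is an added example, not code from the original article, Okta or Dotcom-Monitor: the event records are constructed but use Okta System Log field names, while the probe record layout, the `landed_on_app` flag and the application names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data, not real tenant output. Event fields follow the Okta
# System Log schema; the probe record layout is a hypothetical one.
OKTA_EVENTS = [
    {"published": "2024-05-01T10:00:05.000Z", "eventType": "user.authentication.sso",
     "outcome": {"result": "SUCCESS"}, "target": [{"type": "AppInstance", "displayName": "Payroll"}]},
    {"published": "2024-05-01T10:00:40.000Z", "eventType": "user.authentication.sso",
     "outcome": {"result": "SUCCESS"}, "target": [{"type": "AppInstance", "displayName": "Wiki"}]},
    {"published": "2024-05-01T09:10:00.000Z", "eventType": "user.authentication.sso",
     "outcome": {"result": "SUCCESS"}, "target": [{"type": "AppInstance", "displayName": "CRM"}]},
]
PROBES = [
    {"app": "Payroll", "checked_at": "2024-05-01T10:01:00.000Z", "status": 503, "landed_on_app": False},
    {"app": "Wiki", "checked_at": "2024-05-01T10:01:00.000Z", "status": 200, "landed_on_app": True},
    {"app": "CRM", "checked_at": "2024-05-01T10:01:00.000Z", "status": 200, "landed_on_app": False},
]

def _ts(value):
    # System Log timestamps are ISO 8601 with a trailing "Z" (UTC).
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def probe_failed(probe):
    # HTTP 200 alone is not enough: the probe must also reach a post-login page.
    return probe["status"] >= 400 or not probe["landed_on_app"]

def sso_successes(events):
    """Yield (app name, timestamp) for every successful SSO event."""
    for ev in events:
        if ev["eventType"] != "user.authentication.sso" or ev["outcome"]["result"] != "SUCCESS":
            continue
        for tgt in ev.get("target", []):
            if tgt["type"] == "AppInstance":
                yield tgt["displayName"], _ts(ev["published"])

def classify(events, probes, window=timedelta(minutes=5)):
    """Map each probed app to 'ok', 'down' or 'down-but-logged-success'."""
    logged = list(sso_successes(events))
    result = {}
    for p in probes:
        if not probe_failed(p):
            result[p["app"]] = "ok"
        else:
            checked = _ts(p["checked_at"])
            # Did Okta log a successful SSO to this app close to the failed probe?
            masked = any(app == p["app"] and abs(checked - when) <= window
                         for app, when in logged)
            result[p["app"]] = "down-but-logged-success" if masked else "down"
    return result
```

Applications classified as `down-but-logged-success` are the ones where the System Log alone would have hidden the outage.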

This is where third-party synthetic monitoring tools come in handy. With the help of the Dotcom-Monitor platform you are able to:

  • Proactively monitor the performance and availability of your Okta tenant, web applications, and on-premises agent services. In live business environments, all downtime translates into direct loss of revenue. Today, the use of synthetic monitoring is more important than ever as it facilitates the constant observation of your applications’ performance in various geographical locations.
  • Get reliability and benchmarking reports for all your business resources. Aside from the scheduled monitoring report information and alerts sent via email, you are able to track and retrieve comprehensive monitoring data, analyze interactive charts, and generate flexible report statistics.
  • Identify potential issues in a timely fashion, before reaching a roadblock. Easily alert your operations team in case of performance degradation and availability issues, providing the context required to chase down the root cause and implement a fix, limiting the impact on end users.
  • Obtain the data on performance degradation and unavailability incidents required to hold third-party vendors responsible. Configure custom Service Level Agreement (SLA) reports in line with the arrangements with your vendors to determine whether expectations have been met, providing real availability statistics in order to secure refunds according to the SLA contract.
  • Observe and manage end user experience. Using the web application monitoring solution, you will be able to simulate and analyze the actual end user experience, preparing for any potential issues prior to a go-live.

 

Caveats:

Desktop Single Sign-On (DSSO) is not compatible with any monitoring tool when enabled globally. Best practices recommend limiting DSSO to specific gateway IPs. For more information, read the article here.

 

Site Availability

Check your Okta site’s availability and page performance.

Creating the device

1.  From your Dotcom-Monitor dashboard, navigate to Device Manager.

2.  Select New Device.


3.  From under Web Pages — BrowserView, pick your browser of choice and hit Select.


4.  Enter a name for your new device (for this example, we’ll call it Okta Site) and insert your Okta URL* in the URL field, completing the task with Create Device.

Note: *Okta URL should be https://<subdomain>.okta.com or https://<subdomain>.okta-emea.com or https://<subdomain>.oktapreview.com


Observations

Please note that if you have DSSO globally enabled on your Okta tenant, you will instead need to use the back-door URL of Okta (appending /login/default at the end of your Okta URL).  Your site and services availability may also be monitored by authenticating to the Okta Status page.

 

Web Application Single Sign-On:

Replicate a user’s browser interactions with a website through SSO in order to monitor the authentication performance metrics. In order to securely conduct testing, it is recommended you create a test account that will be assigned to each individual application in Okta which you’d like to configure for monitoring.

Note: For creating test accounts within your Okta environment, please refer to Okta’s Manage Users article.

 

Creating the device

1.  From your Dotcom-Monitor dashboard, navigate to Device Manager.

2.  Select New Device.


3.  From under Web Applications — UserView, choose Record Steps and hit Select.


4.  For the Enter Starting URL field, you will be required to use the Okta application’s embed link. Input the URL and proceed with Record Now.


Note:  In order to get the Application’s embed link, navigate from your Okta Administrative console to the application’s General tab, under the App Embed link section.

5.  Fill in the web form with your test credentials in the web page view and initiate the login to the application.

6.  Once successfully authenticated, hit Stop. On the dialog window, you will need to first play the recording once before saving it into a monitoring device.

7.  Once you’ve confirmed that the script has been successfully played without errors, go ahead and save it.  You’ll return to the UserView setup wizard, where you’ll be able to name and create your device.


Observations

Please note that if you have DSSO globally enabled on your Okta tenant, the monitoring device cannot be set up. As such, DSSO has to be configured to specific network zones.

 

Delegated Authentication

Replicate a user’s browser interactions through delegated authentication to Active Directory in order to monitor the authentication performance metrics.  In order to securely conduct testing, it is recommended you create a test account that will be assigned to each individual application in Okta which you’d like to configure for monitoring.

Notes:

For creating test accounts within your Okta environment, please refer to Okta’s Manage Users article.

For integrating your Active Directory instance with Okta, please refer to Okta’s Manage your Active Directory article.

For additional information on Delegated Authentication, please refer to Okta’s Delegated Authentication article.

 

Creating the device

1.  From your Dotcom-Monitor dashboard, navigate to Device Manager.

2.  Select New Device.

3. From under Web Applications — UserView, choose Record Steps and hit Select.


4. For the Starting URL field, you will be required to use the Okta application’s embed link. Input the URL and proceed with Record Now.

5. Fill in the web form with your test credentials in the web page view and initiate the login to Okta.

6. Once successfully authenticated into the Okta end user Dashboard, hit Stop. On the dialog window, you will need to first play the recording once before saving it into a monitoring device.


7. Once you’ve confirmed that the script has been successfully played without errors, go ahead and save it. You’ll return to the UserView setup wizard, where you’ll be able to name and create your device.


Observations

Please note that if you have DSSO globally enabled on your Okta tenant, the monitoring device cannot be set up. As such, DSSO has to be configured to specific network zones.

 

Okta On-premises Applications

Some companies prefer to host certain applications in-house, for security purposes. As on-premises applications may only be accessed from on-network, the previously mentioned Device configuration will need to be used in conjunction with the Private Monitoring Agent. The Private Monitoring Agent needs to be deployed into your network, allowing you to extend the reach of the monitoring devices.

The configuration is similar (steps 1 through 7); however, once the device has been created, you will need to edit the device settings and, on the Monitoring tab, select Private Agents under Monitoring Agents (Locations).


Observations

Please note that if you have DSSO enabled on your Okta tenant, the monitoring device cannot be set up. As such, Desktop SSO has to be configured to specific network zones.  The Private Agent also allows you to monitor applications hosted behind VPNs, so long as the web application is available from the computer you want to install Private Agent on.

 

Conclusion

To wrap it all up, implementing Dotcom-Monitor solutions with Okta is a strategy worth considering, both from a security standpoint and from a financial one. The platform is straightforward, the reporting is very flexible and configurable, and doing so will bring clear, measurable benefits to your business. Proactively monitor the performance and availability of your Okta tenant, web applications, and on-premises agent services with Dotcom-Monitor. Try the full platform free for 30 days.

 

 

 

 
