
Set up browser enforcement using Okta

You can use Okta to enforce access to your SaaS applications only through Protected Browser.

Okta authenticates all requests to the specified domain and routes traffic through the selected ZTNA region.

This page includes instructions for third-party products. We recommend that you check the vendor's latest documentation.

The key steps are as follows:

  1. Make sure you meet the requirements.
  2. Turn Okta on in Protected Browser.
  3. Add an IP zone in Okta.
  4. Create a conditional access policy in Okta.

Requirements

  • You must have added Okta as a federated identity provider in Sophos Central.
  • You must have added to Okta the applications whose access you want to enforce.
  • You must have configured SAML in Okta to authenticate users.
  • The Okta user who configures browser enforcement must be an Okta admin.

Turn Okta on in Protected Browser

To turn Okta on, do as follows:

  1. In Protected Browser, go to My Products > Protected Browser > Settings.
  2. Turn Okta on.
  3. Under Data plane region, select the ZTNA data plane region you want to use for the authentication.
  4. Click Copy IPs list to copy the IP addresses of the ZTNA data plane region.

    You need these IP addresses to add an IP zone in Okta.

Add an IP zone in Okta

To add an IP zone in Okta, do as follows:

  1. In Okta, go to Security > Networks.
  2. Click Add zone and select IP zone.
  3. Enter a name for the zone.
  4. In Gateway IPs, paste the IP addresses of the ZTNA data plane region you copied from Protected Browser.
  5. Click Save.

Create a conditional access policy in Okta

To create a conditional access policy in Okta, do as follows:

  1. In Okta, go to Security > Authentication policies and click App sign-in.
  2. Click Create policy, enter a name for the policy, and click Create policy.
  3. In Rules, edit the default Catch-all rule as follows:

    1. Next to Catch-all rule, in Actions, click Edit.
    2. Set Then Access is to Denied.
    3. Click Save.
  4. Click Add rule.
  5. Enter a name for the rule.
  6. Set User's IP is to In any of the following zones and select the IP zone you created.
  7. Set Then Access is to Allowed after successful authentication, then click Save.
  8. In Applications, select the applications whose access you want to enforce through Protected Browser.
  9. Click Save.
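The policy built in the steps above is a source-IP allow list with a deny-by-default catch-all: a sign-in is allowed only when the request reaches Okta from one of the ZTNA data plane addresses, which is what forces users through Protected Browser. The following Python is an added example, not code from Sophos or Okta, that models that evaluation so you can sanity-check a pasted IP list and the rule order before relying on them. The IP list, the rule names and the first-match evaluation order are assumptions made for the example; the addresses are documentation ranges, not real ZTNA data plane addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the text produced by "Copy IPs list" in Protected
# Browser. These are RFC 5737 documentation ranges, not real Sophos addresses.
SAMPLE_ZONE_IPS = """
203.0.113.10
203.0.113.0/28
198.51.100.0/24
"""


def parse_gateway_ips(text: str) -> list:
    """Parse the pasted list into network objects.

    Single addresses become /32 (or /128) networks. Any entry that is not a
    valid IP or CIDR raises ValueError, so a mangled paste is caught before
    the zone is saved rather than silently shrinking the allowed set.
    """
    networks = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


@dataclass
class Rule:
    """One authentication-policy rule (hypothetical model of the Okta rule)."""
    name: str
    zones: Optional[list] = None   # None means "matches any source IP" (catch-all)
    access: str = "DENIED"         # "ALLOWED" or "DENIED"


def ip_in_zone(client_ip: str, zone: list) -> bool:
    """True if client_ip falls inside any network of the zone."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in zone)


def evaluate_policy(rules: list, client_ip: str) -> tuple:
    """First matching rule wins, which is why the allow rule must sit above
    the catch-all. Returns (rule name, access decision)."""
    for rule in rules:
        if rule.zones is None or ip_in_zone(client_ip, rule.zones):
            return rule.name, rule.access
    raise RuntimeError("policy has no catch-all rule")


def build_policy(zone: list) -> list:
    """The two rules the procedure creates: allow from the ZTNA zone,
    deny everything else."""
    return [
        Rule("Protected Browser only", zones=zone, access="ALLOWED"),
        Rule("Catch-all rule", zones=None, access="DENIED"),
    ]


if __name__ == "__main__":
    zone = parse_gateway_ips(SAMPLE_ZONE_IPS)
    policy = build_policy(zone)
    for ip in ("203.0.113.14", "192.0.2.5"):
        print(ip, "->", evaluate_policy(policy, ip))
```

Run it against the real list you copied from Protected Browser and a few known egress addresses (a direct-to-Okta request from an office network should come back DENIED; a request from the data plane range should be ALLOWED). Reversing the two rules makes every request match the catch-all first and be denied, which is the symptom to look for if users report being locked out even inside Protected Browser.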