OKTA Biometric SSO Fails on Windows With Embedded Browser

Issue

When an embedded browser is used to complete OKTA biometric (FastPass) SSO authentication on Windows, authentication fails.


Environment

This issue can occur under the following conditions:

  • OKTA is the IdP for SSO.
  • The authenticating user is using OKTA FastPass biometric authentication.
  • Always-on is configured for the user.
  • The user's client is configured to use the embedded browser.

Solution

In the setup above, the combination of always-on and the embedded browser prevents the traffic generated by the OKTA FastPass biometric authentication process from egressing the host NIC. The resolution steps for this case study aim to let that traffic egress without compromising the behaviour of always-on.


Apply one of the following:

  • Configure the clients to use the external browser.
  • Configure a low-confidence policy that allows internet access for the impacted users.
  • Add a registry entry ForceAuthTrafficToTunnel under HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN with a value of 1 (DWORD).
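The registry option can be applied and then verified from an elevated PowerShell session. The script below is an added example, not part of this article or of the Cato client; the key path and value name are taken from the article, while creating the key when it does not yet exist is the script's own assumption.

```powershell
# Added example (not from the Cato article): set and verify the
# ForceAuthTrafficToTunnel DWORD described above.
# Assumption: the key path and value name are as given in the article;
# creating the key when it is absent is this script's choice.
# Run from an elevated PowerShell session, since writing under HKLM
# requires administrator rights.

$KeyPath   = 'HKLM:\SOFTWARE\CatoNetworksVPN'
$ValueName = 'ForceAuthTrafficToTunnel'

function Get-ForceAuthTrafficToTunnel {
    # Returns the current value as an integer, or $null when it is not set.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-ForceAuthTrafficToTunnel {
    # Creates the key if it is missing and writes DWORD 1 (idempotent: -Force
    # overwrites an existing value of any type).
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-ForceAuthTrafficToTunnel
Write-Host "Before: $(if ($null -eq $before) { '<not set>' } else { $before })"

if ($before -ne 1) {
    Set-ForceAuthTrafficToTunnel
}

# Read the value back so a typo in the path or name is caught immediately.
$after = Get-ForceAuthTrafficToTunnel
if ($after -eq 1) {
    Write-Host "OK: $ValueName = 1 (DWORD) under $KeyPath"
} else {
    Write-Error "Failed to set $ValueName under $KeyPath"
}
```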

