Okta Authentication through ZIA

Under most circumstances, the best practice is to bypass the Okta URLs from Zscaler Internet Access (ZIA). However, there are two scenarios in which we recommend that the customer send the Okta traffic through ZIA.

  1. If the customer wants off-premises users to be prompted for MFA, but not on-premises users.
  2. If the customer is in a no-default-route scenario.

For the first scenario, we can take advantage of Okta’s support for X-Forwarded-For (XFF) header detection. Below are the settings you would need to configure to disable MFA for users coming from approved locations.

Create a network IP zone for the XFF detection:
Okta Admin console > Security > Networks > Add Zone > IP Zone

If you need Okta to detect the network-layer IP, place the public source IP addresses under Gateway IPs.

If you require Okta to detect the XFF header, you need to add IP addresses in both sections:

  • Gateway IPs - Public IP address of the customer site
  • Proxy IPs - Zscaler node ranges from which the Okta traffic might egress (the CIDRs of the primary and secondary GRE DCs)

Disable MFA based on the IP zone configured:
Okta Admin console > Security > Authentication > Sign On > Add Rule
Select the IP zone name, uncheck Prompt for Factor, and save.


For the above settings to work, the Okta transactions should be routed via Zscaler. You MUST add the URLs below to the Authentication bypass list. Do NOT add them to the SSL bypass list.

  • .okta.com
  • .oktacdn.com
  • .oktapreview.com
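
A model of the zone check configured above, as an added example that is not part of the original post and is not Okta's own code. It assumes XFF is honored only when the connecting address is listed under Proxy IPs and that the chain is read right to left until a non-proxy hop is found; the CIDRs are constructed documentation ranges and the function names are hypothetical.

```python
import ipaddress

# Constructed sample zone: documentation ranges, not real customer or Zscaler values.
GATEWAY_IPS = [ipaddress.ip_network("203.0.113.0/28")]   # customer site public IPs
PROXY_IPS = [ipaddress.ip_network("198.51.100.0/24")]    # stand-in for Zscaler egress CIDRs


def in_any(ip, networks):
    return any(ip in net for net in networks)


def effective_client_ip(peer_ip, xff_header=None):
    """Return the address the zone check should evaluate.

    Assumption: XFF is trusted only when the TCP peer is a listed proxy.
    The chain is walked right to left; the first hop that is not a listed
    proxy is taken as the client.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not xff_header or not in_any(peer, PROXY_IPS):
        return peer  # sender is not a listed proxy: the header is ignored
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed hop: fail closed on the proxy's own address
        if not in_any(ip, PROXY_IPS):
            return ip
    return peer  # chain held only proxies


def prompt_for_factor(peer_ip, xff_header=None):
    """True when MFA is prompted, i.e. the client falls outside Gateway IPs."""
    return not in_any(effective_client_ip(peer_ip, xff_header), GATEWAY_IPS)


if __name__ == "__main__":
    cases = [
        ("198.51.100.10", "203.0.113.5"),              # on-premises user via Zscaler
        ("198.51.100.10", "192.0.2.44"),               # off-premises user via Zscaler
        ("192.0.2.44", "203.0.113.5"),                 # XFF from a sender not in Proxy IPs
        ("198.51.100.10", "203.0.113.5, 192.0.2.44"),  # proxy appended the real client last
    ]
    for peer, xff in cases:
        print(peer, repr(xff), "MFA prompt:", prompt_for_factor(peer, xff))
```

Leaving the Zscaler ranges out of Proxy IPs makes every request evaluate on the Zscaler address itself, so on-premises users would be prompted as well.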