Okta IP Whitelisting in Banyan
Use Okta IP whitelisting to ensure use of a Service Tunnel for authentication to SaaS apps
- Okta IP Whitelisting Overview
Okta IP Whitelisting Overview
These steps outline how to use the Okta IP Whitelisting technique to require a user to have a Service Tunnel established in order to authenticate to the specified SaaS application(s).
Step 1 - Register a Service Tunnel for Public Domains
1.1 Register a Service Tunnel for Public Domains.
1.2 Configure the Service Tunnel to include the relevant Okta domain used for authentication (e.g.,
Step 2 - Create a new network zone in Okta
2.1 Create a network zone for the Access Tier(s).
2.2 In the Okta Admin Console, navigate from Security > Networks. From the Add Zone dialog, select IP Zone.
2.3 In the Zone Name field, enter a name for the IP zone (e.g.,
Banyan Service Tunnel).
2.4 In the Gateway IPs field, enter the IP Address(es) of the relevant Access Tiers
Note: You can separate IPs and IP ranges with a new line or a comma.
2.5 Select Save.
Step 3 - Update sign-on policy for all relevant applications
Configure an app sign-on policy to require a Service Tunnel to be registered before authenticating to specific SaaS application(s).
3.1 In the Okta Admin Console, navigate from Applications > Applications. Select the desired application.
3.2 Select the Sign On tab, and scroll down to the Sign On Policy section.
3.3 Create a Sign On rule, by which sign on to the application is denied if the user is not located in the Banyan Service Tunnel zone.
If the user DOES NOT have the Service Tunnel connection established, the user will receive an error message indicating that App Access is Locked. In addition, the user will be denied access from launching the application from the Okta End User Dashboard.
Error during SP-init flow:
Can’t find what you’re looking for?
We’re happy to help. Contact our team .