How to dynamically add Okta IP addresses to Web Application Firewall

Our SCIM server is protected by an AWS Web Application Firewall. We’ve added Okta’s published list of IP addresses to the whitelist, but we’ve already had the IP addresses change on us, causing issues.

What’s the best way to dynamically update our firewall with the latest IP addresses from Okta? I haven’t been able to figure out a specific Okta notification (if one exists) to target.

Also, I’m not clear on the scope of the following instruction from Okta: “Allowlisting Amazon Web Services CloudFront IP range will ensure that inbound traffic is accepted.”

Does that mean “Just allow all CloudFront IP addresses through your firewall and you’ll get the Okta ones for free”? Or is it suggesting a more targeted approach to just Okta IP addresses?

Thanks for the help on this!

Hi @tjpspf! Thank you for your question. You may have already seen this support page - Okta Help Center (Lightning) that links to our allow list https://s3.amazonaws.com/okta-ip-ranges/ip_ranges.json. For SCIM, you may not need CloudFront IP addresses as this is for web assets, and so you’ll only need to monitor Okta IP Ranges (targeting only your org cells) periodically for updates. Apologies in advance, the update frequency is unpredictable, and we currently have no way to inform/alert you. I recommend creating a feature request for a webhook push when IP Ranges change.

1 Like
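The periodic check recommended in the reply above, as an added example that is not part of the original thread and is not Okta's or AWS's own code. It assumes the feed is laid out as `{"<cell>": {"ip_ranges": [...]}}`; the cell names, function names and sample addresses are constructed for illustration, and `apply_to_waf` needs boto3 and AWS credentials.

```python
import ipaddress
import json

# Constructed sample. ASSUMED feed layout: {"<cell>": {"ip_ranges": [cidr, ...]}}.
# Confirm the layout against the real ip_ranges.json before relying on it.
SAMPLE_FEED = json.dumps({
    "us_cell_1": {"ip_ranges": ["192.0.2.10/32", "198.51.100.0/24"]},
    "us_cell_2": {"ip_ranges": ["203.0.113.0/28"]},
    "emea_cell_1": {"ip_ranges": ["203.0.113.64/26"]},
})

def desired_cidrs(feed_text, cells):
    """Return the validated IPv4 CIDR set for the listed org cells only."""
    feed = json.loads(feed_text)
    missing = [c for c in cells if c not in feed]
    if missing:
        # A renamed or dropped cell must fail loudly, not shrink the allow list.
        raise KeyError(f"cells not in feed: {missing}")
    out = set()
    for cell in cells:
        for cidr in feed[cell]["ip_ranges"]:
            net = ipaddress.ip_network(cidr, strict=False)  # rejects malformed entries
            if net.version == 4:  # this sketch targets an IPV4 WAF IP set
                out.add(str(net))
    return out

def plan_update(current, desired, max_removed_fraction=0.5):
    """Diff the WAF IP set against the feed; refuse suspicious shrinkage."""
    current, desired = set(current), set(desired)
    if not desired:
        raise ValueError("feed produced an empty allow list; not applying")
    removed = current - desired
    if current and len(removed) / len(current) > max_removed_fraction:
        raise ValueError(f"would remove {len(removed)} of {len(current)} ranges")
    return {"add": sorted(desired - current), "remove": sorted(removed),
            "changed": desired != current}

def apply_to_waf(name, ip_set_id, scope, desired):
    """Write the set to an AWS WAFv2 IP set; LockToken guards concurrent edits."""
    import boto3  # imported here so the planning logic above runs offline
    waf = boto3.client("wafv2")
    cur = waf.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    plan = plan_update(cur["IPSet"]["Addresses"], desired)
    if plan["changed"]:
        waf.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                          Addresses=sorted(desired), LockToken=cur["LockToken"])
    return plan
```

Run it from a scheduled job and alert on the raised exceptions, so that an empty or unexpectedly smaller feed is reviewed by a person instead of being written to the firewall.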