How to dynamically add Okta IP addresses to Web Application Firewall

tjpspf · August 1, 2023, 3:05pm

Our SCIM server is protected by an AWS Web Application Firewall. We’ve added Okta’s published list of IP addresses to the whitelist, but we’ve already had the IP addresses change on us, causing issues.

What’s the best way to dynamically update our firewall with the latest IP addresses from Okta? I haven’t been able to figure out a specific Okta notification (if one exists) to target.

Also, I’m not clear on the scope of the following instruction from Okta: “Allowlisting Amazon Web Services CloudFront IP range will ensure that inbound traffic is accepted.”

Does that mean “Just allow all CloudFront IP addresses through your firewall and you’ll get the Okta ones for free”? Or is it suggesting a more targeted approach to just Okta IP addresses?

Thanks for the help on this!

sigama · August 2, 2023, 4:56pm

Hi @tjpspf! Thank you for your question. You may have already seen this support page - Okta Help Center (Lightning) that links to our allow list https://s3.amazonaws.com/okta-ip-ranges/ip_ranges.json. For SCIM, you may not need CloudFront IP addresses as this is for web assets, and so you’ll only need to monitor Okta IP Ranges (targeting only your org cells) periodically for updates. Apologies in advance, the update frequency is unpredictable, and we currently have no way to inform/alert you. I recommend creating a feature request for a webhook push when IP Ranges change.

Post		Replies	Views
Provisioning - white-list IP addresses SCIM	2	5321	January 12, 2024
Event Hook IP Ranges Questions	2	4242	May 17, 2019
SCIM based user provisioning SCIM	7	5172	September 2, 2019
Is it possible to trigger a SCIM updateUser by a user signing in SCIM	3	3925	June 5, 2019
How to configure SCIM using API SCIM	2	1511	October 20, 2023

How to dynamically add Okta IP addresses to Web Application Firewall

Related topics