Installing Okta browser plugin 5.x with Internet Explorer

Effective April 30, 2019, Okta will not support Internet Explorer 10. Please migrate to a browser within Okta's support parameters.

Microsoft Internet Explorer 9 and 10 have additional security features which may require extra consideration when you are using the Okta Browser Plugin 5.x for Internet Explorer. This document provides information including: installation options, silent mode and allow-listing, and how to verify that the installed plugin is successfully enabled.

Where is the target machine?

How you install the plugin depends on where you'd like to install the IE 5.x plugin and how seamlessly you would like the install to be for your users. For details about other elements to consider, see Installation Options.

Installing on the target machine

Unlike the plugins of other browsers which install into the browser itself, the IE plugin requires administrative permissions at the OS level for installation. So, if you are working on the target machine and manually installing the IE 5.x plugin, you must have administrator rights.

Because you install the 5.x plugin manually, some user interaction is necessary, and the installer automatically closes all IE windows during the process. After installation, the browser launches and you are prompted to press an Enable button.

Pushing to Remote Machines

If you are working within a managed IT environment where you are pushing installation files to remote machines, you can make this more transparent and fluid by using options such as silent install and establishing a group policy for allow-listing the plugin components that reside on your target machines. See below for detailed information on using silent mode and the steps to establish an allow list.

Silent Mode

Silent mode configuration allows the installation to proceed without any explicit user input. Users cannot change the installation settings and no dialog boxes appear that require user interaction.

However, if you are installing in silent mode on IE 9 or later, and not creating an allow list for your installations (see Allow list below for details on this option), interaction is required. The installer automatically closes all IE windows. After installation, a browser launches and the user will be prompted to press an Enable button.

To run the installer in silent mode, use the following command line parameters:

  • "Okta Secure Web Authentication Plugin-Setup.exe" /q
  • "Okta Secure Web Authentication Plugin-Setup.msi" /q

Note: If you're installing in silent mode on Windows 7, users will be prompted to restart their browser.

Allow list

Creating an allow list (a registry of entities that allow unauthorized programs to run) can bypass the security measures imposed by IE 9 and 10. This method is useful for Admins and IT-based orgs pushing installs to end-users, as it suppresses the appearance of the Enable button during installation, thereby disallowing end-users the ability to "disable" the Okta IE plugin.

For a Windows OS, Internet Explorer uses a CLSID (class identifier) to set the allow-list policy. To set this policy on your system, do the following:

  1. From Windows Explorer, find the Local Group Policy Editor.
  2. From here, navigate through to the following: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management > Add-on List.

    Note: If you are using Windows Internet Explorer 11, navigate to the following path:

    Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management > Add-on List.

  3. Double-click the Add-on List setting and click the Show... button under Options. The Show Contents window appears.
  4. Add the following Class IDs under Value Name (including the brackets):

    OktaBHO Class is Class ID: {E411779C-5CFE-413F-A57B-18C55A4EFADA}

    OktaIeHelper Class is Class ID: {302700E7-59EF-49EC-9439-EA590552D1ED}

    Okta Toolbar Extension is Class ID: {8C938A58-9A96-4A95-929D-C8C28C639C32}

    The BHO (browser helper object) is an IE plugin module that provides added functionality to the browser. OktaBHO is a custom BHO from Okta. OktaIeHelper and Okta Toolbar Extension are other types of BHO, and are also customized by Okta.
  5. Enter "1" under the Value column, as shown below:
  6. Deploy this policy to your target machines.

Now users will not be prompted to enable or disable the plugin process when going through a silent installation.

Installation Options

There are several installation options for the IE 5.x plugin. Which options to chose depend on how much control is desired for the installation process and how fluid you would like the install to appear to the end-user. Use the chart below to consider the best method of installation for your org.


Installation Verification

After you have successfully installed your plugin, you can verify that it is successfully enabled. For details, see Verifying IE Plugin Enablement.

Internet Explorer 9 Security Settings

If you've set your Internet Explorer 9 Security level zone settings to High, you'll need to make a few security zone modifications in order for the Okta plugin to work.

  1. Open Internet Explorer and select Tools > Internet Options.
  2. Select the Security Tab, and click the Custom Level button.
  3. Under ActiveX controls and plugins, go to the Run ActiveX controls and plugins section and select Enable.
  4. In the Script ActiveX controls marked safe for scripting section, select Enable.

    Internet zone security settings
  5. In the Scripting section, under Active Scripting, select Enable.