OIDC app integrations

OpenID Connect (OIDC) is an industry-standard authentication layer built on top of the OAuth 2.0 authorization protocol. OAuth 2.0 provides security through scoped access tokens, and OIDC adds user authentication and Single Sign-On (SSO) on top of it. Within the OIDC workflow, Okta can act as either the identity provider (IdP) or the service provider (SP), depending on your use case.

Admins can browse the OIN catalog and use the filter to search for app integrations with OIDC as a functionality. When added to an org and assigned to an end user by an admin, the OIDC-enabled app integration appears as a new icon on the End-User Dashboard.

Okta as the identity provider

Okta can integrate with OIDC apps by acting as an IdP that provides SSO to external apps. Okta also supports MFA prompts to improve your app security.

Okta as an OIDC identity provider.

  1. The user requests access to a client app.
  2. The app delegates user authentication to Okta and redirects the user there. The app then requests a token from Okta to establish the user session.
  3. Acting as the IdP, Okta uses Multifactor Authentication (MFA) and SSO credentials to authenticate the user. Okta verifies the user, and if successful, prompts the user to grant access to the app.
  4. If the user grants access, Okta generates an ID token that contains the user identity information that the app can access.
  5. Okta returns the authenticated user to the app.

Okta as the service provider

Okta can also serve as the SP, where it consumes SSO authentication from other SSO solutions like IBM Tivoli Access Manager, Oracle Access Manager, or CA SiteMinder.

In this scenario, if a user tries to sign in to Okta, they're redirected to an external IdP for authentication. After the user has successfully authenticated, the external IdP returns the OIDC token, which is then passed through the user's browser to access the Okta services.

Okta as an OIDC service provider.

  1. The user opens Okta in a browser to sign in to their cloud or on-premises app integrations.
  2. Okta acts as the SP and delegates the user authentication to the external IdP.
  3. The external IdP acts as an authorization server for Okta.
  4. The IdP authenticates the user and sends an ID token back to Okta.
  5. Okta validates the OIDC token from the external IdP and, if necessary, enforces MFA for user authentication. Users can be created in Okta using Just-In-Time provisioning if required.

Users, client apps, and external IdPs can all be on your intranet and behind a firewall, provided that the end user can reach Okta through the internet.

Related topics

Create OpenID Connect app integrations

An OpenID Connect Primer - Okta Blog

OAuth 2.0 and OpenID Connect Overview - Okta Developer