OIDC app integrations
OpenID Connect (OIDC) is an industry-standard authentication layer built on top of the OAuth 2.0 authorization protocol. The OAuth 2.0 protocol provides security through scoped access tokens, and OIDC provides user authentication and single sign-on (SSO) functionality. Within the OIDC workflow, Okta can act as both the Identity Provider (IdP) or as the Service Provider (SP), depending on your use case.
Admins can browse the OIN catalog and use the filter to search for app integrations with OIDC as a functionality. When added to an org and assigned to an end user by an admin, the OIDC-enabled app integration appears as a new icon on the Okta End-User Dashboard.
Okta as Identity Provider
Okta can integrate with OIDC applications by acting as an IdP that provides SSO to external applications. Okta additionally supports MFA prompts to improve your application security.
- The user requests access to a client application.
- The application delegates the user authentication and redirects the user to Okta for authentication. The application requests a token from Okta to establish the user session.
- Acting as the IdP, Okta uses Multifactor Authentication (MFA) and SSO credentials to authenticate the user. Okta verifies the user, and if successful, prompts the user to grant access to the application.
- If the user grants access, Okta generates an ID token containing the user identity information that the application can access.
- Okta returns the authenticated user to the application.
Okta as Service Provider
Okta can also serve as the SP, where it consumes single sign-on authentication from other SSO solutions like IBM Tivoli Access Manager, Oracle Access Manager, or CA SiteMinder, for example.
In this scenario, if a user tries to sign in to Okta, they are redirected to an external IdP for authentication. After the user has successfully authenticated, the external IdP returns the OIDC token which is then passed through the user’s browser to access the Okta services.
- The user opens Okta in a browser to sign in to their cloud or on-premises app integrations.
- Okta acts as the SP and delegates the user authentication to the external IdP.
- The external IdP acts as an authorization server for Okta.
- The IdP authenticates the user and sends an ID token back to Okta.
- Okta validates the OIDC token from the external IdP and, if necessary, enforces MFA for user authentication. Users can be created in Okta using Just-In-Time provisioning if required.
Users, client applications, and external IdPs can all be located on your intranet and behind a firewall, as long as the end user can reach Okta through the internet.