Security features of Okta Browser Plugin
The Okta Browser Plugin provides several features to enhance the security of your end users' credentials.
- Secure Sockets Layer (SSL) authentication
- SSL certificate pinning
- URL string matching
When you start an Okta-managed app integration that requires the plugin, a pop-up banner asks you if you want to have Okta automatically fill in your credentials. After you accept the prompt request, the plugin uses an SSL connection to pass your Okta credentials. If you have the automatic submission option selected, the plugin signs you in to the application without any further action.
Authentication takes place in the background. The plugin temporarily stores your credentials in a location that the application can't access. The plugin simulates the sign-in process by inserting and submitting your credentials to the sign-in page, but then deletes them after the page redirects. This connection uses either the HTTPS or HTTP protocol, depending on the target URL of the application.
For secure connections, always use the HTTPS protocol when configuring the location of an application.
SSL certificate pinning (Internet Explorer)
The Okta Browser Plugin for Internet Explorer supports SSL pinning to protect against man-in-the-middle (MITM) attacks. A MITM attack attempts to steal user credentials, session identifiers, or other sensitive information.
Using SSL pinning, the Okta Browser Plugin for Internet Explorer maintains a list of previously validated and trusted server certificates.
When the user goes to an application, the plugin retrieves the site certificate and compares it against the list of trusted server certificates. If the comparison fails, Okta denies the connection to *.okta.com and *.oktapreview.com orgs and prompts the user to contact Okta Support.
Okta no longer supports Internet Explorer. To use a supported browser, see Supported browsers for Okta Browser Plugin
Configure your environment to work with the plugin (Internet Explorer)
If your enterprise uses web proxies to perform SSL interception, you need to configure your environment to work with the Okta Browser Plugin for Internet Explorer.
- In the Windows registry editor, go to [HKEY_CURRENT_USER\Software\AppDataLow\Software\Okta\IE Plugin].
- Create a DWORD (32-bit) value called SkipCertPinning.
- Set the value to 1.
Disable certificate pinning only for scenarios where orgs are using web proxies to intercept SSL traffic. Okta doesn't recommend turning it off for any other scenarios.
URL string matching
The Okta Browser Plugin checks the strings in your application URL to ensure that they match the strings Okta has in the integration details for that app. This matching ensures that Okta submits your credentials to the correct URL.
|protocol||https||Required||Must be identical.|
|host||www.yoursite.com||Required||Must be identical.|
|port||:1802||Optional||Must be identical if available.|
|path||/login||Optional||Must start with the same string.|
|anchor||#yoursite||Optional||Must be identical.|
|query parameters||?yoursite=bar&baz=buzz||Optional||The order of your query parameters may vary.|
Okta Browser Plugin provides anti-phishing protection against non-trusted Okta orgs. The plugin trusts the first org you access, and if you access an unrecognized org, a popup appears with a security warning. Users are explicitly required to trust the org and give consent before accessing it.
Auto-Generate Strong Passwords
When creating or changing passwords for your SWA-based applications, Okta Browser Plugin auto-generates a strong password that users can use. This password is automatically saved to your Okta account.