The Applications Page
The Applications menu contains options that allow you to assign applications to users individually or for groups. For an overview of these functions, see Applications.
To open the Applications page
- From the Admin Dashboard, click to the Applications drop-down menu.
- Choose Applications.
- Top buttons allow you to easily add (Add Application button) and assign (Assign Applications button) applications for your end users.
- Clicking the Active or Inactive tabs under the Status column displays your org's active and inactive apps, respectively.
- The More button reveals the Refresh Application Data function, which works with provisioning to sync roles, profiles, and groups data from configured apps into Okta.

The Okta Integration Network (OIN) comes pre-integrated with thousands of applications. These apps appear on each end user's My Applications or Home page for Single Sign On (SSO). As an admin, you can add and assign these applications to your end users. Use the Add Application button to add applications to your system, assign them to users, and configure your sign-on and group settings.
If the application that you want to add does not already exist in the Okta Applications Network, create it with the App Integration Wizard (AIW)
The verification status and supported properties is displayed for each app, as detailed below:
- Okta Verified indicates that the app was created either from the OIN or by Okta community users, then tested and verified by Okta.
- Community Created means the app was created by the Okta community, but has not yet been tested and verified by Okta.
- SAML indicates that the app supports SAML.
- Provisioning indicates that the app supports one or more of the following provisioning features: push profile updates, push user deactivation, reactivate users, and/or push pending users.
You can also filter for SAML and provisioning properties.
To add an application:
- From the Admin Dashboard, click to the Applications drop-down menu.
- Choose Applications.
- Click Add Application.
- Use the catalog search bar to look for the pre-built app integration that you want to add to your org.
If the integration that you want is not in the OIN catalog, click Create New App to launch the Create a new Okta app integration (AIW). The AIW allows administrators to create a custom application which can be deployed in your org.
- Click Add next to the app that you want to add.
- Enter the required information under General Settings, and then click Next.
- Configure the settings on the Sign-On Options page:
- Choose your sign on method – The available options are
usually SWA, SAML, or both (depending on what the app
supports). Other possibilities include WS-FED and certain custom sign on modes such as Amazon AWS IAM
Role.
- Secure Web Authentication – When you
select the SWA option, Okta signs into the application for each
user. This method does not prevent users from signing into the
application directly. For more information about configuring SWA
apps, see Overview of Managing Apps and SSO.
Note: If you select SWA and then select the User sets username and password option in the credentials setting, your users initially choose their own usernames and passwords. Note the following about this option:
- You must select the User sets username and password option if you want to allow end users to take advantage of the Generate a random password feature.
- If users are unassigned from the app and then later reassigned
to it, they must reenter their username and password. Users can be
unassigned from an app in the following ways:
- The user is deactivated in Okta.
- The user is removed from a group that is assigned to the app.
- The user no longer appears in imports after being deactivated in the app.
- The organizational unit (OU) that contains the user has been deselected.
- SAML 2.0 – When you select this
option, Okta applies a federated approach to user authentication. All
apps that can be configured using SAML have inline instructions that
guide you through the configuration.
Note: Ensure that you add Okta to your browser's allow list for 3rd-party cookies to prevent errors in your integrations. See Allow Third-Party Cookies for detailed instructions.
- No Sign On – Select this option when adding or configuring mobile apps that don't require any sign on information. Note that if you select this option, only relevant App Settings options are shown under the General tab.
- Secure Web Authentication – When you
select the SWA option, Okta signs into the application for each
user. This method does not prevent users from signing into the
application directly. For more information about configuring SWA
apps, see Overview of Managing Apps and SSO.
- Who sets credentials – Specifies who sets the password and username credentials.
- Default Username – Choose the format to use as the default username value when assigning the application to end users.
- Choose your sign on method – The available options are
usually SWA, SAML, or both (depending on what the app
supports). Other possibilities include WS-FED and certain custom sign on modes such as Amazon AWS IAM
Role.
- Click Done.
To configure additional settings for the new app, cycle through its tabs.
General
Access and configure general settings, including:
- App Settings – Configure application-specific settings such as the application label and visibility.
Auto-launch
- Applying this option only affects newly assigned users. Users who are already assigned the app integration need to open the settings for the tile in their End-User Dashboard. In the General tab, select Launch this app when I sign in to Okta.
- On apps where auto-launch is enabled here (under the General tab) or by end-users, signing in may cause more than one instance (an additional tab or window) of the app to appear. This is expected behavior. You may safely close any unwanted tabs or windows.
- VPN Notification – This feature alerts end users when a VPN connection is required to connect to VPN-required apps. When end-users click on an enabled app, a notification displays before the app is launched. You can customize the notification to remind users about VPN requirements. For more information, see VPN Notification.
- App Embed Link – Use this section to retrieve an embed link for the application, redirect users to a custom error page, and redirect users to a custom login page.
Note: The VPN notification does not appear if the end user has selected the Auto-launch option in the app chiclet General settings.
Screenshot
Sign On
After you go through the wizard, you can return to the Sign On tab to configure or change sign-on settings. Available options vary by application. You can configure your sign-on methods, credentials details (Application username format; Password reveal), and configure sign-on policies on this tab.
Provisioning
If enabled, allows you to automate user account creation, deactivation, and updates for the app. For more about provisioning, see Provisioning and Deprovisioning Overview.
Import
Assign the app to users you import from an available list of users, or from a CSV file. For details, see Import users.
Assignments
Use the Assign button to assign people and groups to the new app. Use the left-side Filters panel to view them.
Note: Because assigning users to apps individually is not very scalable, we recommend that you assign apps to users based on group. For more information, see Assigning Applications (below), or Importing and Using Groups in Okta.
Push Groups
Group push allows you to use your existing groups in Okta and push them to the app. Once a group is pushed, Okta automatically sends user membership changes to the corresponding group in the app. Requires API Authentication and Provisioning to be enabled for the app. For more information, see Using Group Push.
Mobile
Only available for OIN applications for which native apps have been tested to work with OMM policies. For more information, see Enabling Mobile Access to Applications.

When setting up or maintaining users, you can assign the applications you want to display on your end users' My Applications or home page. You can assign apps individually or for groups.
Assign individual applications:
There are two ways to assign individual apps.
Applications page
- From the Applications page, search or scroll down to the application you want to assign to one or more people/groups.
- Click the Action button drop-down menu.
- Choose Assign to Users or Assign to Groups.
Specific app
- From the Applications page, search or scroll down to the app you want to assign to one or more people/groups.
- Click the individual app to view its page.
- On the app specific page, click the Assign button.
- Choose either Assign to People or Assign to Groups. An Assign <app name> to People /Assign <app name> to Groups dialog appears listing available end users or groups who are not already assigned to the selected app.
- Click the Assign button next to each user or group for which you want this app assigned. For users, complete the Attributes page.
- Assign more users/groups, or click Done.
Assign applications for people and groups:
- From the Applications page, click Assign
Applications.
The Assign Applications page appears. On the left of this screen is a list of available Applications. On the right of the screen, there is a list of People in your org.
- From the list of available Applications, select the application(s) that you want to assign to users. Selecting the checkbox at the top of the list selects all listed applications
- From the list of People in your org, select the users to
whom you want to assign the selected application(s).
Selecting the checkbox at the top of the list assigns the
applications to all users.
To assign to group(s):
(a) Select Search by group in the drop-down menu next to the People search field.
(b) Enter the name of the group, then select the users.
- Click Next.
- Review the summary page and complete any additional information requested on the page.
- Click Confirm Assignments.
Manage assignments for an app
An enhanced app assignment screen is available that shows people and groups on the same screen with a toggle. From the Applications page, select an app and then click Assignments.
This is an Early Access feature. To enable it, contact Okta Support.
Note
If you enable provisioning for an app that already has users assigned to it, Okta will not be automatically provisioned these existing users. These non-provisioned users are distinguished with a warning symbol. Click Provision Users to provision these users to the downstream app.
- To filter the display between Groups and Users, use the toggle buttons in the Filters column. Only users and groups to whom the app is already assigned are displayed.
- To assign the app to new users or groups, click the Assign button and select either Assign to People or Assign to Groups. Then, click Assign as desired from the list that appears.
- This screen displays an error message if an assignment cannot be completed. To edit an assignment, click the pencil icon next to the name. To delete an assignment, click the X icon.
Custom attribute handling
Any custom attributes that are set up for an app contain a default mapping. You can override the default mapping for an individual by adding a value for the attribute or reset the custom value to the default value automatically.
Example: For an app, you can set up a custom variable Nickname that is mapped by default to the Firstname field. For a user assigned to an app, you can enter a nickname and, if desired, reset the nickname to the default value.
Prerequisites: The custom variable must already be set up. See Add custom attributes to apps, directories, and identity providers.
To set the custom value, assign the individual to the app or edit an assigned user. In the edit panel, all custom variables appear, as shown below, but no value is displayed.
- To keep the default value, no action is necessary.
- To add a custom value, enter the value and click Save.
- To reset a custom value to the default value, click the reset icon below the value. The calculated default value for that user displays. When done, click Save.

You can convert the application access and user properties settings so that applications are managed and assigned through a group instead of individuals.
Converting assignments has the following effects:
- User properties are managed by the group. Changes at the group level are applied to all users managed by the group.
- Application access is managed by the group. Removing an application from the group removes the app from the user.
You can determine whether a user's application assignment is individually or group-managed by selecting the user on the People page. The assignment displays as Individual or shows the group name (shown as The New School below).
Prerequisites: You must have assigned the application to an existing group before you can convert any individual assignments.
To convert application assignments from individual to group, do the following:
- From your Dashboard, select Applications.
- From the list of apps, find the app you wish to convert.
- Click the Convert Assignments button
- Select the desired users and then click the Convert Selected button or, to convert all your users, click the Convert All button.
- Click Yes to confirm the change.
A confirmation message appears that provides the total number of converted users.

To embed an Okta-managed application in a portal or other external location by obtaining the embed link:
- Click the Action button drop-down menu
adjacent to the desired app. Choose Copy embed link to clipboard.
- The embed link URL is automatically copied. Paste it into your portal or other external location outside of Okta.
You can now sign into this app outside of Okta. To stop displaying the embed links, click Hide app embed links.
Note: Alternatively, you can obtain an embed link by selecting an application, selecting its General tab, and copying the URL provided in the Application Embed Link section.

If unauthenticated users attempt to access an Okta-managed application outside of Okta, you can redirect them to a default or custom login page.
- From the Applications page click an application.
- Click the General tab.
- Click Edit in the App Embed Link section.
- Select one of the following in the Application Login Page
section:
- Use the default organization login page – This is the default setting. Unauthenticated users are redirected to the Okta login page.
- Use a custom login page for this
application – If you select this option,
enter the URL to the custom login page. Okta will append
the relay state via a query parameter called fromURI.
Note: Your Service Provider must be configured to use a GET binding when validating the response. POST bindings are not supported.
The redirect URL to your custom login page will be url-encoded and look similar to this:
https://login.example.com?fromURI=https%3A%2F%2Fexample.okta.com%2Fhome%2Fsalesforce%2F0oa1i6eFhPeRNeI7Y0g4%2F24
- Click Save.

If end users attempt to access an app to which they are not assigned, you can configure Okta to automatically redirect them to Okta's default URL or a custom URL that you provide. Unassigned users are more likely to try to access apps if you embed app links in your portal or other sites outside of Okta.
- From the Applications page click an application.
- Click the General tab.
- Click Edit in the App Embed Link section.
- Select one of the following in the Application Access Error
Page section:
- Use the error setting on the global settings page – Select this option if you want to redirect unassigned users to the same default URL specified in the org-level (global) setting (Settings > Customization > Configure an Application Access error page).
- Use a custom error page for this application – Select this option if you want to redirect unassigned users of this app to a custom URL that you provide. This app-specific option overrides the default org-level setting described in the previous bullet.
- Click Save.

Note: This process only deactivates the app. The app remains under the Inactive tab unless it is permanently deleted, as detailed in Delete an app below.
- From the Dashboard, select Applications.
- From under the Status column, click the Active tab to find the app you want to deactivate.
- From the Action button drop-down menu,
choose Deactivate.
After the app is deactivated, any users who are currently signed in receive an error message when they try to access the app from their dashboard. The app is removed from the End-User Dashboard at the next sign in or if the browser page is refreshed.
If the app is activated again at a future point, the app icon appears on the End-User Dashboard when the dashboard is refreshed.

Caution: Deleting an app is permanent. Once an app is deleted, it is not possible to re-activate the app or its memberships.
- From the Dashboard, select Applications.
- Click the Inactive tab. (If the app you wish to permanently delete is currently active, you are directed to deactivate it first).
- From the Inactive drop-down menu, choose Delete.

You can add notes to apps during app creation or at any time to communicate with end users and other admins about apps. In addition to enhancing app deployment and usage, app notes can also reduce help desk calls, provide troubleshooting assistance, and increase end-user self service.
App notes facilitate the following types of communications:
- Application notes to end users – Allows admins to present helpful information to end users, such as the purpose of the app, who to contact for help, and links to information.
Screenshot
- Application notes to admins – Allows admins to share administrative details about apps with other Super, App, Read-only, and Mobile admins.
Screenshot
- Go to Applications.
- Click the app in which you want to add app notes.
- Click the General tab.
- Enter notes in the app note fields for end users and/or admins. If an app contains app notes for end users, an icon appears below the app chiclet on end user dashboards and an App Notes tab appears in app settings.
- Click Save.
Note
- Notes cannot exceed 250 characters, including spaces.
- To enter a link or an email address, simply type it in the field. These are converted to links in the admin-to-end user app note after you save it. Supported link protocols are http, https, and ftp.
- Admin-to-admin app notes are visible only to Super, App, Read-only, and Mobile admins.
- HTML tags are not supported.
- Custom OIDC apps are not supported.

You can customize an application logo by replacing it with your own image. The custom logo must meet the following requirements:
- Image type must be PNG, JPG, or GIF format
- Image size must be smaller than 1 MB in size
- For best results, use a PNG image with a transparent background, a landscape orientation, and use a minimum resolution of 420 x 120 pixels to prevent upscaling.
- From the Dashboard, select Applications.
- Locate and click the app whose logo you want to customize.
- Mouse over the app's current logo, then click the pencil icon.
- In the Edit Logo dialog box, click Browse to find the custom logo file, and then click Update Logo.
- Click Close. The updated logo is visible to all users who have been assigned this app.
To revert to the original image, follow the same steps to access the Edit Logo dialog box, and then click Reset logo.

These options allow you to manage the types of apps that your end users can add to their dashboard. It also lists the apps available for end users to request as well as the apps end users have added.

- Go to Applications > Self Service.
- Click Settings.
- In User App Requests click Edit to configure App Catalog Settings:
End users request apps by clicking Add Apps on their Home page.
- Allow users to add org-managed apps.
- Allow users to add personal apps.
- Allow user to email "Technical Contact" to request an app
Available Apps
Lists the apps currently configured for users to request. To add an app to this list, go to the app's Assignments tab and configure Self Service.

This tab lists the end user-added applications and the number of end users who added them.