The Applications Page

The Okta Integration Network (OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs.) comes pre-integrated with thousands of applications. These apps appear on each end user's My Applications or Home page for Single Sign On (SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones.). As an admin, you can add and assign these applications to your end users. Use the Add Application button to add applications to your system, assign them to users, and configure your sign-on and group settings.

If the application that you want to add does not already exist in the Okta Applications Network, create it with the App Integration Wizard (AIW)

The verification status and supported properties is displayed for each appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in., as detailed below:

• Okta VerifiedEach integration in the Okta Integration Network has one of the following status designations: Okta Verified, Community Created, or Community Verified. Integrations receive Okta Verified status: 1) if the integration is Okta-built, and is then tested and verified by Okta; or 2) if the integration is ISV-built (partner-built), and is then tested and verified by Okta. indicates that the app was created either from the OIN or by Okta community users, then tested and verified by Okta.
• Community CreatedEach app found on the Okta Applications Page has either an Okta Verified, Community Created, or Community Verified designation. Community Created means that the app was created by the Okta community, but has not yet been tested and verified by Okta. means the app was created by the Okta community, but has not yet been tested and verified by Okta.
• SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. indicates that the app supports SAML.
• Provisioning indicates that the app supports one or more of the following provisioning features: push profile updates, push user deactivation, reactivate users, and/or push pending users.

You can also filter for SAML and provisioning properties.

To add an application:

1. From the Admin Dashboard, click to the Applications drop-down menu.
2. Choose Applications.
3. Click Add Application.
4. Use the alphabetical navigation bar and the search and filtering tools to look for the pre-integrated app that you want to add to your org.

   AIW — If the app you want is not in the OIN, click Create New App to launch the App Integration Wizard (AIW). The AIW allows you to create a custom app (which is a different workflow than the workflow described in this procedure).

   Clone an app — You can clone apps that already have been created in your org. Cloning copies all the settings of the original app to an app with a different name. After cloning, you can modify settings, as needed. To clone an app, click Apps you created under the Create New App button, and then click Clone.

5. Click Add next to the app that you want to add.
6. Enter the required information under General Settings, and then click Next.
7. Configure the settings on the Sign-On Options page:
   • Choose your sign on method – The available options are usually SWAAn acronym for Secure Web Authentication. SWA is a SSO system developed by Okta to provide single sign-on for apps that don't support proprietary federated sign-on methods or SAML. Users can enter their credentials for these apps on their homepage. These credentials are stored such that users can access their apps without entering their credentials each time. When users first sign-in to a SWA app from their homepage, they see a pop-up message asking if they were able to sign-in successfully., SAML, or both (depending on what the app supports). Other possibilities include WS-FED and certain custom sign on modes such as Amazon AWS IAM Role.
     • Secure Web AuthenticationAuthentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. Authentication methods and protocols include direct auth, delegated auth, SAML, SWA, WS-Fed, and OpenID Connect. – When you select the SWA option, Okta signs into the application for each user. This method does not prevent users from signing into the application directly. For more information about configuring SWA apps, see Overview of Managing Apps and SSO.

       Note: If you select SWA and then select the User sets username and password option in the credentials setting, your users initially choose their own usernames and passwords. Note the following about this option:

       • You must select the User sets username and password option if you want to allow end users to take advantage of the Generate a random password feature.
       • If users are unassigned from the app and then later reassigned to it, they must reenter their username and password. Users can be unassigned from an app in the following ways:
         • The user is deactivated in Okta.
         • The user is removed from a group that is assigned to the app.
         • The user no longer appears in imports after being deactivated in the app.
         • The organizational unit (OUAn acronym of Organizational Unit. Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units. It is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority.) that contains the user has been deselected.
     • SAML 2.0 – When you select this option, Okta applies a federated approach to user authentication. All apps that can be configured using SAML have inline instructions that guide you through the configuration.

       Note: To prevent errors in your SAML integrations, ensure that Okta is whitelisted for 3rd-party cookies in your browser! For details, see here.

     • No Sign On – Select this option when adding or configuring mobile apps that don't require any sign on information. Note that if you select this option, only relevant App Settings options are shown under the General tab.
   • Who sets credentials – Specifies who sets the password and username credentials.
   • Default Username – Choose the format to use as the default username value when assigning the application to end users.
8. Click Done.

To configure additional settings for the new app, cycle through its tabs.

General

Access and configure general settings, including:

• App Settings – Configure application-specific settings such as the application label and visibility.

Auto-launch

• Applying this option only affects newly assigned users. This app will not launch automatically for users who are already assigned to it.
• On apps where auto-launch is enabled here (under the General tab) or by end-users, signing in may cause more than one instance (an additional tab or window) of the app to appear. This is expected behavior. You may safely close any unwanted tabs or windows.

• VPN Notification – This feature alerts end users when a VPN connection is required to connect to VPN-required apps. When end-users click on an enabled app, a notification displays before the app is launched. You can customize the notification to remind users about VPN requirements. For more information, see VPN Notification.

Note: The VPN notification does not appear if the end user has selected the Auto-launch option in the app chiclet General settings. Screenshot



• App Embed Link – Use this section to retrieve an embed link for the application, redirect users to a custom error page, and redirect users to a custom login page.

Sign On

After you go through the wizard, you can return to the Sign On tab to configure or change sign-on settings. Available options vary by application. You can configure your sign-on methods, credentials details (Application username format; Password reveal), and configure sign-on policies on this tab.

Provisioning

If enabled, allows you to automate user account creation, deactivation, and updates for the app. For more about provisioning, see Provisioning and Deprovisioning Overview.

Import

Assign the app to users you import from an available list of users, or from a CSV file. For details, see Import users from an app.

Assignments

Use the Assign button to assign people and groups to the new app. Use the left-side Filters panel to view them.

Note: Because assigning users to apps individually is not very scalable, we recommend that you assign apps to users based on group. For more information, see Assigning Applications (below), or Importing and Using Groups in Okta​.

Push Groups

Group push allows you to use your existing groups in Okta and push them to the app. Once a group is pushed, Okta automatically sends user membership changes to the corresponding group in the app. Requires API Authentication and ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications. to be enabled for the app. For more information, see Using Group Push.

Mobile

Only available for OIN applications for which native apps have been tested to work with OMMAn acronym for Okta Mobility Management. OMM enables you to manage your users' mobile devices, applications, and data. Your users enroll in the service and can then download and use managed apps from the Apps Store. Managed apps are typically work-related, such as Box or Expensify. As an administrator, you can remove managed apps and associated data from users' devices at any time. You can configure policies, such as data sharing controls, on any of your managed apps. See Configuring Okta Mobility Management for more information. policies. For more information, see Enabling Mobile Access to Applications.

When setting up or maintaining users, you can assign the applications you want to display on your end users' My Applications or home page. You can assign apps individually or for groups.

Assign individual applications:

There are two ways to assign individual apps.

Applications page

1. From the Applications page, search or scroll down to the application you want to assign to one or more people/groups.
2. Click the Action button drop-down menu.
3. Choose Assign to Users or Assign to Groups.

Specific app

1. From the Applications page, search or scroll down to the app you want to assign to one or more people/groups.
2. Click the individual app to view its page.
3. On the app specific page, click the Assign button.
4. Choose either Assign to People or Assign to Groups. An Assign <app name> to People /Assign <app name> to Groups dialog appears listing available end users or groups who are not already assigned to the selected app.
5. Click the Assign button next to each user or group for which you want this app assigned. For users, complete the Attributes page.
6. Assign more users/groups, or click Done.

Assign applications for people and groups:

1. From the Applications page, click Assign Applications.

   The Assign Applications page appears. On the left of this screen is a list of available Applications. On the right of the screen, there is a list of People in your org.

2. From the list of available Applications, select the application(s) that you want to assign to users. Selecting the checkbox at the top of the list selects all listed applications
3. From the list of People in your org, select the users to whom you want to assign the selected application(s). Selecting the checkbox at the top of the list assigns the applications to all users.

   To assign to group(s):

   (a) Select Search by group in the drop-down menu next to the People search field.

   (b) Enter the name of the group, then select the users.

4. Click Next.
5. Review the summary page and complete any additional information requested on the page.
6. Click Confirm Assignments.

Manage assignments for an app

An enhanced app assignment screen is available that shows people and groups on the same screen with a toggle. From the Applications page, select an app and then click Assignments.

• To filter the display between Groups and Users, use the toggle buttons in the Filters column. Only users and groups to whom the app is already assigned are displayed.
• To assign the app to new users or groups, click the Assign button and select either Assign to People or Assign to Groups. Then, click Assign as desired from the list that appears.
• This screen displays an error message if an assignment cannot be completed. To edit an assignment, click the pencil icon next to the name. To delete an assignment, click the X icon.

Additionally, custom attributes that are set up for an app contain a default mapping. You can now override the default mapping for an individual and enter a value for the attribute and reset the custom value to the default value automatically.

Example: For an app, you can set up a custom variable Nickname that is mapped by default to the Firstname field. For a user assigned to an app, you can enter a nickname and, if desired, reset the nickname to the default value.

Prerequisites: The custom variable must already be set up.

To set the custom value, assign the individual to the app or edit an assigned user. In the edit panel, all custom variables appear, as shown below, but no value is displayed.

• To keep the default value, no action is necessary.
• To add a custom value, enter the value and click Save.
• To reset a custom value to the default value, click the reset icon below the value. The calculated default value for that user displays. When done, click Save.

This is an Early AccessEarly Access (EA) features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings &gt; Features) allows Super Admins to enable and disable some EA features themselves. feature. To enable it, please contact Okta Support.

Federation Broker Mode allows for SSO without the need to pre-assign apps to specific users. Access is managed only by sign-on policy and the authorization rules of each app. This mode can improve import performance and can be especially helpful for larger-scale orgs that manage many users and/or apps.

This mode is a powerful option with some important considerations:

• This mode is only available for custom SAML Wizard and OIDCOpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0, an authorization framework. The standard is controlled by the OpenID apps, not for those available in the OIN.

• Provisioning cannot be enabled while using this mode.

• This option is not appropriate for apps that require end-user access through the chicletsThe "buttons" that appear on an end user's Home page and represent each application they wish to access through Okta. Clicking the button allows the end user to instantly sign in and authenticate themselves into their chosen app. This term is obsolete and has been replaced by the term "app". of the Okta Homepage.

• Enablement of this option hides certain tabs that are no longer functional with this feature. Hidden tabs may include Provisioning, Imports, Group Push, and Mobile.
• This mode makes the app available to all users through SPAn acronym for service provider. Generally, an SP is a company, usually providing organizations with communications, storage, processing, and a host of other services. Within Okta, it is any website that accepts SAML responses as a way of signing in users, and has the ability to redirect a user to an IdP (e.g., Okta) to begin the authentication process.-initiated flows only—specific assignments are not possible. So, if an app was assigned prior to enabling this mode, any existing assignment data may be lost. Again, enabled apps do not appear on the Okta Homepage.
• The page under the Assignments tab of an enabled app no longer lists user assignments, as it is no longer subject to individual assignments.

• Enabled apps do not provide audit reporting.
• If you choose to disable this mode after implementation, you can restore previously created assignments.

To access Federation Broker Mode, go to the app page of a SAML Wizard or OIDC app.

1. From the Applications page, search or scroll down to the app you want to enable.
2. Click the individual app to view its page.
3. On the app page, click the Sign On tab.
4. Scroll down to the Federation Broker Mode section.
5. Click the Enable Federation Broker Mode button. Note the considerations listed for enabling this option.
6. After reading through the list, click the Enable Federation Broker Mode button to enable it.

Disabling Federation Broker Mode

If you should later choose to disable Federation Broker Mode, do the following:

1. From the Applications page, search or scroll down to the app you want to disable.
2. Click the app to view its page.
3. On the app page, click the Sign On tab.
4. Scroll down to the Federation Broker Mode section.
5. Click the Disable Federation Broker Mode button. Note that disablement is not immediate, but the app remains in federation broker mode to ensure that your end-users will not lose access while it completes disablement.

When completed, your previous tabs and assignments are restored.

You can convert application access and user properties settings so that individually owned applications become group managed. Converting assignments has the following effects:

• User properties are managed by the group. Changes at the group level are applied to all users managed by the group.
• Application access is managed by the group. Removing an application from the group removes the app from the user.

You can determine whether a user's application assignment is individually or group-managed by selecting the user on the People page. The assignment displays as Individual or shows the group name (shown as The New School below).

To convert application assignments from individual to group, do the following:

1. From your Dashboard, select Applications.
2. From the list of apps, find the app you wish to convert.
3. Click the Convert Assignments button
4. Select the desired users and then click the Convert Selected button or, to convert all your users, click the Convert All button.
5. Click Yes to confirm the change.

   A confirmation message appears that provides the total number of converted users.

To embed an Okta-managed application in a portal or other external location by obtaining the embed link:

1. Click the Action button drop-down menu adjacent to the desired app. Choose Copy embed link to clipboard.
2. The embed link URL is automatically copied. Paste it into your portal or other external location outside of Okta.

You can now sign into this app outside of Okta. To stop displaying the embed links, click Hide app embed links.

Note: Alternatively, you can obtain an embed link by selecting an application, selecting its General tab, and copying the URL provided in the Application Embed Link section.

If unauthenticated users attempt to access an Okta-managed application outside of Okta, you can redirect them to a default or custom login page.

1. From the Applications page click an application.
2. Click the General tab.
3. Click Edit in the App Embed Link section.
4. Select one of the following in the Application Login Page section:
   • Use the default organization login page – This is the default setting. Unauthenticated users are redirected to the Okta login page.
   • Use a custom login page for this application – If you select this option, enter the URL to the custom login page. Okta will append the relay state via a query parameter called fromURI.

     Note: Your Service Provider must be configured to use a GET binding when validating the response. POST bindings are not supported.

     The redirect URL to your custom login page will be url-encoded and look similar to this:

     https://login.example.com?fromURI=https%3A%2F%2Fexample.okta.com%2Fhome%2Fsalesforce%2F0oa1i6eFhPeRNeI7Y0g4%2F24

5. Click Save.

If end users attempt to access an app to which they are not assigned, you can configure Okta to automatically redirect them to Okta's default URL or a custom URL that you provide. Unassigned users are more likely to try to access apps if you embed app links in your portal or other sites outside of Okta.

1. From the Applications page click an application.
2. Click the General tab.
3. Click Edit in the App Embed Link section.
4. Select one of the following in the Application Access Error Page section:
   • Use the error setting on the global settings page – Select this option if you want to redirect unassigned users to the same default URL specified in the org-level (global) setting (Settings > Customization > Configure an Application Access error page).
   • Use a custom error page for this application – Select this option if you want to redirect unassigned users of this app to a custom URL that you provide. This app-specific option overrides the default org-level setting described in the previous bullet.
5. Click Save.

Note: This process only deactivates the app. The app remains under the Inactive tab unless it is permanently deleted, as detailed in Delete an app below.

1. From the Dashboard, select Applications.
2. From under the Status column, click the Active tab to find the app you want to deactivate.
3. From the Action button drop-down menu, choose Deactivate.

Caution: Deleting an app is permanent. Once an app is deleted, it is not possible to re-activate the app or its memberships.

1. From the Dashboard, select Applications.

2. Click the Inactive tab. (If the app you wish to permanently delete is currently active, you are directed to deactivate it first).

3. From the Inactive drop-down menu, choose Delete.

You can add notes to apps during app creation or at any time to communicate with end users and other admins about apps. In addition to enhancing app deployment and usage, app notes can also reduce help desk calls, provide troubleshooting assistance, and increase end-user self service.

App notes facilitate the following types of communications:

• Application notes to end users – Allows admins to present helpful information to end users, such as the purpose of the app, who to contact for help, and links to information. Screenshot



• Application notes to admins – Allows admins to share administrative details about apps with other Super, App, Read-only, and Mobile admins. Screenshot

1. Go to Applications.
2. Click the app in which you want to add app notes.
3. Click the General tab.
4. Enter notes in the app note fields for end users and/or admins. If an app contains app notes for end users, an icon appears below the app chiclet on end user dashboards and an App Notes tab appears in app settings.
5. Click Save.

You can customize an application logo by replacing it with your own image. The custom logo must meet the following requirements:

• Image type must be .png, .jpg, or, .gif (.png is recommended)
• Image dimensions can't exceed 140 x 40 px
• Image size must be less than 25k

1. From the Dashboard, select Applications.
2. Locate and click the app whose logo you want to customize.
3. Mouse over the app's current logo, then click the pencil icon.
4. In the Edit Logo dialog box, click Browse to find the custom logo file, and then click Update Logo.
5. Click Close. The updated logo is visible to all users who have been assigned this app.

To revert to the original image, follow the same steps to access the Edit Logo dialog box, and then click Reset logo.

These options allow you to manage the types of apps that your end users can add to their dashboard. It also lists the apps available for end users to request as well as the apps end users have added.