About the Okta Browser Plugin
The Okta browser plugin enables you to automatically sign into applications that would otherwise require you to manually enter your credentials (e.g., applications that do not support SAML or a direct form POST to a URL). Using the plugin enables you to use SSO for a broader range of applications. To enhance security, the plugin only works with trusted and verified sites. If you have not installed the browser plugin but you have one or more applications that require it, a notice is published on your applications page along with a link to the plugin installation file.
For download, see Download the Okta Browser Plugin
After you have installed the plugin
When you start an app from your Okta Home page, a new browser tab opens to the app's URL. The plugin uses an encrypted SSL connection to obtain authentication information and other required information from Okta, and then applies that information to the page. The plugin does not store your credentials after authentication is complete.
Browser plugins are updated frequently. You are prompted to install the latest version if necessary. For a history of the latest versions, see the Browser Plugin Version History page.
About Okta browser plugin functionality
The plugin provides the following functionality:
- Automatic app sign-in — If you navigate directly to the sign-in page of an Okta-enabled SWA app, the Okta plugin automatically inserts your credentials and logs you in without further interaction. We recommend that you enable this option for all your trusted SWA apps. This feature is a "per-app" setting and must be enabled individually for each app.
- Automatically initiate an Okta login — If you are not logged into Okta and navigate directly to an application that is Okta-enabled, a popup banner appears with a login button. When you attempt to log in, an Okta window is launched and you can log into the app without having to navigate to the Okta homepage.
- Automatically fills in credentials on sign-in pages — If you navigate directly to the sign-in page of an Okta-enabled SWA app, the popup banner provides an option to autofill your credentials if you have not enabled automatic app sign-in.
- Automatically inserts passwords on "password update" pages — When you are on a "password update" page of an Okta-enabled SWA app, the popup banner can automatically insert your current password.
- Monitors password updates — Monitors when you change your password in an Okta-enabled SWA app, then offers you the option to update Okta with your new password.
- Admin link — An Admin link is available in the Your Apps dialog when an admin is logged in to Okta. The link allows admins to jump immediately to the Admin Dashboard.
- End users can switch between multiple Okta accounts — Signed-in end users are prompted to trust or reject subsequent Okta accounts the first time they access those accounts. Over time, end users create an easily accessible list of their Okta accounts through the Okta Plugin icon. For details, see Switch between multiple Okta accounts using the plugin.
Note: Do not select the option Never remember history in the Firefox browser, as doing so makes the Okta browser plugin inoperative.
Enable the Okta browser plugin functionality
The Okta Browser Plugin functionality is automatically enabled for the Everyone group. To change that, do the following:
- From the Settings tab, select the Customization tab.
- In the Browser Plugin section, select Edit and enter the groups you want to enable this feature for.
- Select Save.
The Okta Browser Plugin provides several features to enhance the security of your users' credentials.
The plugin uses SSL to obtain your credentials from Okta. When you start an Okta-managed app that requires the plugin, the Okta Plugin popup banner offers to let Okta autofill your credentials. If you accept, the plugin obtains your credentials from Okta using SSL. If you have the automatic submission option selected, this process occurs automatically.
Authentication is a background process in which your credentials are stored temporarily in a place that is inaccessible to the app's sign-on page. The plugin attempts to simulate the process of completing the sign-on page by inserting your credentials into the page, submitting them, and then deleting them after the page redirects. This connection is HTTPS or HTTP depending on the target URL of the app. We highly recommend that you use HTTPS when configuring an app.
SSL Certificate Pinning (Internet Explorer)
The Okta browser plugin for Internet Explorer supports SSL pinning to protect against MiTM attacks. A successful MiTM attack might be able to sniff user credentials, session identifiers, and other sensitive information. Using SSL pinning, the Okta IE browser plugin maintains – or pins – a list of previously-validated and trusted server certificates. When the user browses to a website, the plugin retrieves the site's certificate and compares it to its list of trusted server certificates. If the comparison fails, Okta denies connection to *.okta.com and *.oktapreview.com and prompts the user to contact Okta Support.
Important note: If your enterprise uses web proxies to perform SSL interception or employs other data loss prevention strategies, you need to configure your environment to work with the Okta IE browser plugin.
URL string matching
The plugin checks the strings in your app's URL to ensure that they match the strings in Okta's integration details for that app. This ensures that your credentials are submitted to the correct URL. The table below displays the strings that the plugin looks for, whether or not the string is required, and what format the plugin expects to see.
| String | Example | Requirement and expected format |
|---|---|---|
| protocol | https | Required. Must be identical. |
| host | www.yoursite.com | Required. Must be identical. |
| port | :1802 | Optional. Must be identical if available. |
| path | /login | Optional. Must start with the same string. |
| anchor | #yoursite | Optional. Must be identical. |
| query parameters | ?yoursite=bar&baz=buzz | Optional. The order of your query parameters might vary. |
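
The matching rules in the table, written out as an added example (this is not Okta's plugin code). The function name, the sample URLs built from the table's strings, and the reading of "optional" as "checked only when the configured URL includes it" are assumptions.

```javascript
// Added example. Field rules follow the table above; treating "optional" as
// "checked only when the configured URL contains it" is an assumption.
function matchIntegrationUrl(pageUrl, configuredUrl) {
  let page, conf;
  try {
    page = new URL(pageUrl);
    conf = new URL(configuredUrl);
  } catch (e) {
    return { ok: false, failed: "parse" };
  }
  const fail = (field) => ({ ok: false, failed: field });

  // Required fields: must be identical. URL lowercases scheme and host.
  if (page.protocol !== conf.protocol) return fail("protocol");
  if (page.hostname !== conf.hostname) return fail("host");

  // Port: identical when the configured URL specifies one.
  if (conf.port !== "" && page.port !== conf.port) return fail("port");

  // Path: plain string-prefix match, so "/login" also accepts "/login/sso"
  // and "/login2".
  if (!page.pathname.startsWith(conf.pathname)) return fail("path");

  // Anchor: identical when configured.
  if (conf.hash !== "" && page.hash !== conf.hash) return fail("anchor");

  // Query: every configured key=value must be present; order is ignored.
  for (const [key, value] of conf.searchParams) {
    if (!page.searchParams.getAll(key).includes(value)) return fail("query parameters");
  }
  return { ok: true, failed: null };
}

// Constructed sample values, built from the table's example strings.
const CONFIGURED = "https://www.yoursite.com:1802/login?yoursite=bar&baz=buzz#yoursite";
const SAMPLES = [
  "https://www.yoursite.com:1802/login?baz=buzz&yoursite=bar#yoursite", // reordered query
  "http://www.yoursite.com:1802/login?yoursite=bar&baz=buzz#yoursite", // different protocol
  "https://www.yoursite.com.example.net:1802/login?yoursite=bar&baz=buzz#yoursite", // lookalike host
  "https://www.yoursite.com:1802/signin?yoursite=bar&baz=buzz#yoursite", // different path
];
for (const url of SAMPLES) {
  const r = matchIntegrationUrl(url, CONFIGURED);
  console.log(r.ok ? "fill " : `block (${r.failed})`, url);
}
```

Because the host comparison is exact, a hostname that merely begins with the configured host is rejected, while the prefix rule for the path is looser and worth keeping in mind when choosing the configured path.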