Overview of Managing Apps and SSO

Okta enables you to provide SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones. access to cloud, on-premise, and mobile applications. You sign into Okta and you can then launch any of your web apps without having to reenter your credentials. Okta establishes a secure connection with a user's browser and then authenticates the user to Okta-managed apps using one of two SSO integration methods:

Okta provides access to cloud apps with the Okta Integration Network (OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs.), a collection of thousands of supported applications. SSO protocols and provisioning APIs are maintained by Okta. The applications in the OIN can use SWA, SAML or OpenID, or proprietary APIs.

Okta also provides integrations for on-premise web-based applications. You can integrate on-premise apps using SWA for SSO, SAML toolkits, and support for provisioning and de-provisioning into applications that expose provisioning APIs publicly.

Okta provides integrations for mobile apps whether they are HTML5 web apps optimized for mobile platforms, Native iOS, or Android apps. You can access any web application in the OIN with SSO from any mobile device. Mobile web apps can use industry-standard SAML or Okta's SWA SSO technology. Native applications like Box Mobile can be integrated using SAML authentication for registration and OAuth for ongoing usage.

About SWA Apps

SWA was created for apps that do not support federated SSO. When you enable SWA for an appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in., end usersEnd users are people in your org without administrative control. They can authenticate into apps from the icons on their My Applications home page, but they are provisioned, deprovisioned, assigned, and managed by admins. see a link next to their app icon on their My Applications page. Selecting the link enables them to set up and update their credentials for that app. Okta stores the end user's credentials in an encrypted format using strong encryption combined with a customer-specific private key. When end users click an application icon, Okta securely posts their credentials to the app login page over SSL and the user is automatically signed in.

By configuring users' sign-in options, you can make their SWA credentials match their Okta credentials so additional sign-ins are not required after you have signed into Okta.

When you configure your sign-in options, you can set up SWA so that

  • User sets username and password
  • Administrator sets username and password
  • Administrator sets username, user sets password
  • Administrator sets username, password is the same as user's Okta password
  • Users share a single username and password set by administrator

Note: Sign-in options are not configurable when Sync Password is configured as a provisioning option.

User sets username and password

This option allows your users to initially choose their own usernames and passwords. Note the following about this option:

Administrator sets username and password

This second option on the Sign On tab provides the most robust level of adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. control. It allows the admin to set all usernames and passwords for an app instance, after which the credentials are never exposed to their Okta end-users. This option provides a way to shut off user access to the credentials of sensitive apps. For this to work, ensure that the user does not have an alternative way to reset their app's password. It is also useful for cases where admins must supply a new, obfuscated password to an Okta user - no active communication with the user is required.

To set the usernames and passwords for a particular SWA app, do the following:

  1. Outside of Okta, access the downstream app you wish to assign.

  2. Establish the username and password within the app.

  3. Return to Okta and access or create the app in the OIN.

  4. Choose the Sign On tab (or step) on the app page.

  5. Choose Administrator sets username and password, and then click the Next.

  6. Assign the app to users and assign their usernames and passwords.


  • The admin-created password can only be viewed when initially created. After sending, the password is no longer visible to the admin. To change the password, reset it first in the downstream app, and then reset it in Okta.

  • If the chosen app was previously assigned to an established Okta group, note that group members do require the individual, manual updates of usernames and passwords for each user.

  • The Password reveal feature is disabled when this option is selected because in this case end-users do not have access to their passwords.

Users share a single username and password set by administrator

Select this option if you have a single app license or a single app account (such as Twitter) that will be shared by multiple people in your organization.

To set the shared credentials for a shared app, do the following:

  1. Outside of Okta, access the downstream app you wish to assign.

  2. Establish the username and password within the app.

  3. Return to Okta and access or create the app in the OIN.

  4. Choose the Sign On tab (or step) on the app page.

  5. Choose Users share a single username and password set by the administrator, and then click Next.

  6. Assign the app to users.

Note: You can enable the Password reveal feature when this option is selected but it will only allow admins to reveal the shared password. End users cannot reveal shared passwords.

About SAML Apps

Okta provides integration toolkits to enable apps that are not in the OIN to support SAML. You can obtain SAML integration toolkits for .NET, Java, and PHP platforms.

SSO for Active Directory-Authenticated Web Apps

You can integrate on-premises web apps with Okta. On-premises web apps that use Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for the Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. (AD) credentials for authentication do not use Integrated Windows Authentication (IWA), but instead require users to enter their AD credentials when they sign in on a browser. When you configure Okta to delegate authentication to AD, signing in to internal web apps can also be automated.

Here's how Okta enables SSO for AD-authenticated internal web applications:

  1. Configure Okta to delegate authentication to AD.
  2. Customer has on-premises apps authenticating to AD.
  3. Users sign in to Okta with AD credentials.
  4. Users access their internal web apps with SWA using AD credentials.
  5. The internal web apps authenticate users against AD.

Okta uses SWA to automatically sign users in to internal web apps. When you configure an internal web application to delegate authentication to AD (the same source to which Okta delegates authentication), Okta captures the user's AD password during the sign-in process and automatically sets that password for that user in any applications that also delegate to AD. This enables users to click a link to access these apps, and then sign in automatically. Okta synchronizes the AD password securely. If the password is later changed in AD, the change is captured when the user signs in to Okta, which immediately updates in the secure password store for that app, ensuring that the next sign-in attempt is successful.

About Template Apps

There are two common SWA template apps that you can use to create apps on demand - one that does a POST to a sign-in page (the Template App) and one that uses a plugin to POST (the Template Plugin App). These template apps allow you to create application integrations in real-time on a running system.

About the Browser Plugin

The Okta browser plugin enables you to automatically sign into applications that would otherwise require you to manually enter your credentials. For more information on the browser plugin, see About the Browser Plugin.

About Okta Mobile Apps

Okta Mobile uses SSO to extend its functionality to apps on your iPad or iPhone. The Okta Mobile application provides an embedded Okta browser and app menu. You can download and install the Okta Mobile app from the Apple App store. For more information on mobile apps and Okta Mobile, see Okta Mobile.

About the App Integration Wizard

You can use the App Integration Wizard to create your own app. The App Integration Wizard allows you to create custom SWA and SAML 2.0 apps. For more information on the App Integration Wizard, see Using the App Integration Wizard.