Enable Self Service request feature

The Self Service feature takes the burden of granting access to app integrations from your IT staff. Administrators can delegate the process to business application owners by specifying a workflow composed of users or groups who can approve and grant access to requested app integrations.

After admins enable the components of the Self Service feature, end users can request app integrations directly through their Okta End-User Dashboard. Admins can activate the Self Service components that provide the best fit for their organizational requirements and desired end-user experience.

An org-managed app integration is an integration that has been added to the Okta org by admins and configured to work with an external application. The back-end connection between Okta and the external application typically consists of Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) for Federated Single Sign-On (SSO). Additionally, user accounts can be provisioned to external applications using the System for Cross-domain Identity Management (SCIM) protocol. When an end user clicks the app integration tile on their End-User Dashboard, Okta authenticates the user according to the configured parameters, communicates with the external application, and then signs in the user to the external application. For end users to request an org-managed app integration, an admin must enable the Self Service request option for that app integration.

However, there are thousands of app integrations in the Okta app catalog. Some app integrations don't require additional Okta configuration to handle a user sign-in request. The only information exchanged with the external application is a username and password. These credentials are set by the end user the first time they click on the app integration tile. End users can add this type of app integration as a personal app integration.

Finally, end users can send an email to an org admin and request the addition of an app integration to the org. This app integration may be found in the app catalog or it may require creating a brand new app integration. However, as new integrations typically require additional back-end configuration between Okta and the external application, users can't add these as personal app integrations.

About admin roles for this task

The administrator running this task must be a super admin for the Okta org.

Before you begin

The admin must sign in to the Okta Admin Console.

Start this task

To activate the Self Service feature for your org:

  1. In the Admin Console, go to Applications > Self Service.
  2. Click Settings.
  3. In User App Requests, click Edit to change App Catalog Settings.

    There are three available options:

  4. Click Save.

Allow users to add org-managed app integrations

This option allows users to add org-managed app integrations to their End-User Dashboard. End users can click Add apps on their dashboard to add these org-managed apps. A user can request any app integration that your org has added and has the Self Service feature enabled.

Admins can see all of the app integrations with the Self Service feature enabled on the Applications > Self Service page. To add an app integration to the Available Apps list, the admin must go to the Assignments tab for the app integration and configure the Self Service option. See Configure Self Service approval workflow.

The Approval column of the Available Apps pane indicates if additional approval is required before the app integration can be assigned to the end user:

  • On: This means the end user must submit a request through their Add Apps interface and an admin or assigned approver evaluates and approves the request.
  • Off: This means the end user does not require approval to get access to the app integration. Okta adds the app integration to their dashboard without any involvement from an admin or an assigned approver.

Allow users to add personal app integrations

This option allows users to add a personally configured app integration, which means the external application doesn't require Okta to manage the sign-in request. The only information passed from Okta to the external application is the username and password which are set by the end user the first time they click the app integration tile.

An end user can add any app from the Okta app catalog that is not already managed by their org and that only requires a username and password for account creation.

Allow users to email "Technical Contact" to request an app integration

This option allows an end user to email the "Technical Contact" to request that an app integration be added to the org.

Before selecting this option, make sure that you have configured the email alias for the Technical Contact. To change the technical contact used in this request:

  1. In the Admin Console, go to Settings > Account.
  2. On the End User Support pane, click Edit.
  3. In the Technical contact field, type the name or email address of the individual account that receives the end user requests to add a new app integration. The user account must exist in your Universal Directory with a valid email address.
  4. Click Save.

When enabled, this option adds a button labeled Request an app to the footer of the End-User Dashboard.

The screenshot shows the Request an app button at the bottom of the Okta dashboard.

When end users click Request an app, Okta displays a dialog containing a text field. End users can then provide details about the app integration that they would like the admins to add to the org.

The screenshot shows the dialog displayed by the Request an app button at the bottom of the Okta dashboard.

Next steps

Configure Self Service approval workflow

Add app integrations as an end user

Handle app integration requests