Okta Browser Plugin: Security Features
The Okta Browser Plugin provides several features to enhance the security of your end users' credentials.
The plugin uses SSL to obtain your credentials from Okta. When you start an Okta-managed app that requires the plugin, the Okta Browser Plugin pop-up banner offers to let Okta auto-fill your credentials. If you accept, the plugin obtains your credentials from Okta using SSL. If you have the automatic submission option selected, this process occurs automatically.
Authentication is a background process in which your credentials are stored temporarily in a place that is inaccessible to the app's sign-on page. The plugin attempts to simulate the process of completing the sign-on page by inserting your credentials into the page, submitting them, and then deleting them after the page redirects. This connection is HTTPS or HTTP depending on the target URL of the app.
Use HTTPS when configuring an app.
SSL certificate pinning (Internet Explorer)
The Okta Browser Plugin for Internet Explorer supports SSL pinning to protect against MiTM attacks. A successful MiTM attack might be able to sniff user credentials, session identifiers, and other sensitive information. Using SSL pinning, the Okta Browser Plugin for Internet Explorer maintains (or pins) a list of previously validated and trusted server certificates. When the user browses to a website, the plugin retrieves the site's certificate and compares it to its list of trusted server certificates. If the comparison fails, Okta denies connection to the site and prompts the user to contact Okta Support.
Configure your environment to work with the Plugin (Internet Explorer)
If your enterprise uses web proxies to perform SSL interception or employs other data loss prevention strategies, you need to configure your environment to work with the Okta Browser Plugin for Internet Explorer.
Configure the Okta Browser Plugin for Internet Explorer as follows:
- In the Windows registry editor, go to
- Create a new DWORD (32-bit) value called
- Set the value to
Certificate pinning should only be disabled for scenarios where orgs are using web proxies to intercept SSL traffic.
We do NOT recommend turning it off for any other reason than this.
URL string matching
The Okta Browser Plugin checks the strings in your app's URL to ensure that they match the strings Okta has in the integration details for that app. This ensures that your credentials are submitted to the correct URL.
The table below displays the strings that the plugin looks for, whether or not the string is required, and what format the plugin expects to see.

| String | Example | Required? | Expected format |
|---|---|---|---|
| protocol | https | Required | Must be identical. |
| host | www.yoursite.com | Required | Must be identical. |
| port | :1802 | Optional | Must be identical if available. |
| path | /login | Optional | Must start with the same string. |
| anchor | #yoursite | Optional | Must be identical. |
| query parameters | ?yoursite=bar&baz=buzz | Optional | The order of your query parameters might vary. |
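The following is an added example, not code from Okta's documentation or from the plugin itself. It reimplements the six matching rules in the table with the WHATWG URL API (available in Node.js and in browsers) so you can see how each row turns into a concrete comparison, and how a URL that differs only in protocol, host, or port is rejected before credentials would be filled. The function names, the `reason` strings, and the treatment of optional parts (an integration URL with no anchor or no query string accepts any anchor or query string) are assumptions made here, not documented plugin behaviour; the sample URLs are constructed from the placeholder values in the table.

```javascript
// Added example (not Okta's code): the URL string-matching rules from the table.

// Compare query strings as unordered multisets of key=value pairs, because the
// table states only that parameter order may vary.
function sameQueryParams(expectedSearch, actualSearch) {
  const toSortedPairs = (search) =>
    [...new URLSearchParams(search).entries()]
      .map(([k, v]) => `${k}=${v}`)
      .sort();
  const a = toSortedPairs(expectedSearch);
  const b = toSortedPairs(actualSearch);
  return a.length === b.length && a.every((pair, i) => pair === b[i]);
}

// Returns { match, reason } for a page URL ("actual") checked against the URL
// stored in the app integration ("expected"). Checks run in table order.
function urlMatchesIntegration(expected, actual) {
  let e, a;
  try {
    e = new URL(expected);
    a = new URL(actual);
  } catch {
    return { match: false, reason: 'unparseable URL' };
  }

  // protocol: required, must be identical (URL lowercases the scheme).
  if (e.protocol !== a.protocol) return { match: false, reason: 'protocol differs' };

  // host: required, must be identical. hostname is lowercased by URL; the port
  // is deliberately compared as its own rule below.
  if (e.hostname !== a.hostname) return { match: false, reason: 'host differs' };

  // port: optional, identical if present. URL.port is "" for the scheme's
  // default port, so https://x and https://x:443 compare equal.
  if (e.port !== a.port) return { match: false, reason: 'port differs' };

  // path: optional; the page's path must start with the integration's path.
  if (!a.pathname.startsWith(e.pathname)) return { match: false, reason: 'path differs' };

  // anchor: optional; when the integration specifies one it must be identical.
  // (Assumption: an integration URL without an anchor accepts any anchor.)
  if (e.hash !== '' && e.hash !== a.hash) return { match: false, reason: 'anchor differs' };

  // query parameters: optional; same pairs in any order.
  // (Assumption: an integration URL without a query string accepts any query.)
  if (e.search !== '' && !sameQueryParams(e.search, a.search)) {
    return { match: false, reason: 'query parameters differ' };
  }

  return { match: true, reason: 'ok' };
}

// Constructed sample data built from the table's placeholder values.
const integrationUrl = 'https://www.yoursite.com:1802/login?yoursite=bar&baz=buzz#yoursite';
const samples = [
  'https://www.yoursite.com:1802/login?baz=buzz&yoursite=bar#yoursite',       // reordered query: matches
  'https://www.yoursite.com:1802/login/step2?yoursite=bar&baz=buzz#yoursite', // longer path: matches
  'http://www.yoursite.com:1802/login?yoursite=bar&baz=buzz#yoursite',        // different protocol: rejected
  'https://www.othersite.com:1802/login?yoursite=bar&baz=buzz#yoursite',      // different host: rejected
  'https://www.yoursite.com/login?yoursite=bar&baz=buzz#yoursite',            // port missing: rejected
];

for (const url of samples) {
  console.log(JSON.stringify(urlMatchesIntegration(integrationUrl, url)), url);
}
```

Two points worth noting in practice: the host comparison is on `hostname`, so a lookalike host that merely contains the expected name as a label still fails, and the path rule is a plain prefix test exactly as the table states, so anything under the integration's path is accepted.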