Okta Mobile Safari Extension
The Okta Mobile Safari Extension lets Okta Mobile end users SSO (single sign-on) in to SWA (Secure Web Authentication) and SAML apps directly from Safari without having to open Okta Mobile.
Note: This functionality requires iOS Okta Mobile v. 5.6 or above.
- When a mobile end-user clicks a link within an email to an app, the app typically opens in Safari. Users gain immediate access to their apps even if they were not previously signed in to their Okta Mobile account. User experience is improved with access to these deep links directly from an email.
- End users can perform SP-initiated sign on to SWA and SAML apps in Mobile Safari.
- Admins can enable or disable this function for SAML apps.
- From the Admin Dashboard, go to Security > General.
- Scroll down to the Okta Mobile section.
- Under Okta Extension for iOS, note the Sign on to SAML apps check-box.
The Sign on to SAML apps setting allows the Safari Extension to share the Okta Mobile session with Safari. The session lasts for 2 minutes and is then dropped. An end user can sign in to SAML apps by entering only their Okta Mobile PIN (assuming Okta Mobile has a valid session with Okta).
This option is enabled by default. Disable it if you don't want to allow seamless SAML access to Safari. When disabled, only SWA apps are accessible via the extension. A message is presented to end users indicating that SAML apps are not supported in their Safari mobile browser.
To enable the Okta Mobile Safari Extension, end users must perform a one-time configuration.
- Tap the open-in icon at the bottom of the Mobile Safari browser.
- Swipe right to reach the end of the options, then tap More.
- Locate the Okta Mobile Safari Extension, enable it, then drag it to the top of the list.
The extension appears when you tap the open-in icon in Mobile Safari.
If an end user is using Mobile Safari, they can use the extension to fill their sign-on forms.
- In Mobile Safari, open the sign-on page of an app, such as Atlassian Cloud. Tap the open-in icon.
- Select the Okta extension.
Do either of the following, depending on whether you are signed in to Okta Mobile:
If signed into Okta
Confirm your Okta PIN, then wait for your credentials to load.
If not signed into Okta
- The Okta sign on screen appears. Enter your credentials, including MFA (if configured).
- You are prompted to create, then confirm a new Okta PIN.
- Wait for your credentials to load.
- Tap the app.
The credentials are auto-populated and you are signed in.