Configuring Firewall Whitelisting

A whitelist provides access to specified IP addresses and programs when your security policy would otherwise prevent that access. If your server policy allows all outbound http/https communication to any IP address or website, you do not need to make any changes. However, if your server policy denies access to most or all external IP addresses and websites, you must configure a whitelist to enable some features to work.

For domain, port, and troubleshooting information, see Implementation Details below.

Note: A domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https).


Okta IP Addresses

Note: In Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using chiclets to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control.

In order to ensure connectivity to Okta for all Okta agents and end users, add the Okta system IP addresses to your whitelist based on this list:

Okta Whitelisted IP Ranges

IP addresses in this list are grouped by the following:

  • Production (us_cell_1 - us_cell_7)
  • Production EMEA (emea_cell_1)
  • Production EMEA (emea_cell_2)
  • Production HIPAA (us_cell_5)
  • Production APAC (apac_cell_1)
  • Preview (preview_cell_1)
  • Preview EMEA (preview_cell_2)

We recommend viewing this file with an online JSON viewer of your choice. The Okta Whitelist IP ranges can also be obtained by super admins who need to maintain the IP whitelist.

Note: Okta whitelisted IP addresses may need to be added to your inbound firewall rules for Okta to communicate successfully with any installed agents that are located on your internal network.

For IP address ranges that can be whitelisted for CDN, refer to Amazon Web Services.


Implementation Details

The following information helps you configure whitelisting for your orgs.


The Okta service uses SSL/TLS for all communication. If your policy requires a port number, port 443 must be whitelisted for the IP addresses provided in this document, unless otherwise noted.
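The following is an added example, not Okta's own code, of turning the cell-grouped IP range list described above into port 443 firewall rules and checking a destination against them. It assumes the JSON file has top-level cell names (us_cell_1, emea_cell_1, ...) each holding an "ip_ranges" list of CIDR strings; the sample data below is constructed from RFC 5737 documentation ranges, not real Okta addresses.

```python
import ipaddress
import json

# Constructed sample in the assumed shape of the Okta IP range JSON file:
# top-level keys are cell names, each with an "ip_ranges" list of CIDRs.
# These are RFC 5737 documentation addresses, not real Okta ranges.
SAMPLE_IP_RANGES_JSON = """
{
  "us_cell_1":      {"ip_ranges": ["192.0.2.0/24", "198.51.100.0/25"]},
  "emea_cell_1":    {"ip_ranges": ["203.0.113.0/26"]},
  "preview_cell_1": {"ip_ranges": ["198.51.100.128/25"]}
}
"""


def load_ranges(raw_json, cells):
    """Return the CIDR networks for the selected cells, rejecting malformed entries."""
    data = json.loads(raw_json)
    nets = []
    for cell in cells:
        if cell not in data:
            raise KeyError(f"cell {cell!r} not present in the IP range list")
        for cidr in data[cell]["ip_ranges"]:
            # strict=True refuses a prefix with host bits set (e.g. 192.0.2.1/24),
            # so a typo in the list fails loudly instead of widening the rule.
            nets.append(ipaddress.ip_network(cidr, strict=True))
    return nets


def iptables_rules(nets, direction="OUTPUT", port=443):
    """Render allow rules: outbound TLS to Okta, or inbound from Okta to on-prem agents.

    The page states port 443 for the listed addresses; pass another port only
    where the Okta documentation notes otherwise for a specific service.
    """
    rules = []
    for net in nets:
        if direction == "OUTPUT":
            rules.append(f"iptables -A OUTPUT -p tcp -d {net} --dport {port} -j ACCEPT")
        else:
            rules.append(f"iptables -A INPUT -p tcp -s {net} --dport {port} -j ACCEPT")
    return rules


def is_whitelisted(ip, nets):
    """Check whether an address falls inside any whitelisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    selected = load_ranges(SAMPLE_IP_RANGES_JSON, ["us_cell_1", "emea_cell_1"])
    for rule in iptables_rules(selected):
        print(rule)
    print(is_whitelisted("192.0.2.17", selected))      # True
    print(is_whitelisted("198.51.100.200", selected))  # False: preview cell not selected
```

Only the cells your org actually lives in should be selected; whitelisting every cell widens the rule set beyond what the org needs.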

Required Okta Domains

If your company whitelists domains, add the following domains to your list of allowed domains:


Content Delivery Network (CDN)

Okta's static UI assets (JavaScript, CSS and images) can be delivered to browsers through an international CDN rather than dedicated servers located in the United States. This allows assets to download much faster, especially for customers outside of the U.S.

For most firewall or proxy systems, we recommend that you specify a whitelist of DNS addresses for Okta services so that outbound connections can be made. For a list of current IP ranges for the content delivery network (CDN), refer to Amazon Web Services.

Certificate Revocation Troubleshooting

Various problems can arise when attempting to revoke a certificate. For example, some clients will fail to connect to SSL/TLS endpoints when they are unable to reach a revocation server. If you experience trouble with certificate revocation, ensure that you have the following domain names whitelisted under port 80:


Third Party Services

Okta Mobile may require whitelisting of the following third party domains for outbound connections to these services: