Enable SAML or OIDC authentication for supported apps
SAML and OIDC are authentication protocols that reduce reliance on password-based authentication.
- SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP).
- OpenID Connect (OIDC) is a protocol that sits on top of the OAuth 2.0 framework. The OIDC protocol allows otherwise different systems to interoperate and share authentication state and user profile information.
- SWA (Secure Web Authentication) is an SSO system developed by Okta to provide single sign-on for apps that don't support proprietary federated sign-on methods or SAML. In a SWA login, the username and password are passed to the third-party app, whereas with SAML and OIDC, those credentials never leave Okta.
For more information, see Okta Applications.
HealthInsight: Why is this task recommended?
This is a HealthInsight security task. For more security recommendations from Okta, see HealthInsight.
Leverage SAML and OIDC authentication protocols for supported apps in order to reduce reliance on password-based authentication.
End-user experience and impact
When signing in to their org, end users will be prompted to enroll in required factors and may enroll in any factors set to optional. Factors that have been disabled are not visible to end users.
To view a list of SAML-capable apps:
- From the admin console, click Reports > Reports.
- Under Application Usage, click SAML Capable Apps.
- Generate a report to see a list of available apps that can be converted to SAML.
- To convert an app to be SAML or OIDC capable, click Convert to SAML.
- Click Edit.
- Change the SSO method to SAML or OIDC and follow the on-screen instructions to convert your app successfully.
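As an added example (not Okta's own code), the script below triages an app inventory by sign-on method so you can see which active apps still send the user's password to the app, that is, the candidates to check against the SAML Capable Apps report. It assumes the object shape returned by the Okta Apps API (`label`, `status`, `signOnMode`) and the `signOnMode` values listed in the code; the app list itself is constructed sample data.

```python
import json

# Assumed Okta signOnMode values. With SAML/OIDC the password never leaves
# Okta; with the SWA-style modes below, Okta fills the password into the app.
FEDERATED = {"SAML_2_0", "OPENID_CONNECT", "WS_FEDERATION"}
PASSWORD_BASED = {"BROWSER_PLUGIN", "SECURE_PASSWORD_STORE",
                  "AUTO_LOGIN", "BASIC_AUTH"}

# Constructed sample, in the shape of GET /api/v1/apps output (assumption).
SAMPLE_APPS = json.loads("""[
 {"id": "0oa1", "label": "Salesforce", "status": "ACTIVE",   "signOnMode": "SAML_2_0"},
 {"id": "0oa2", "label": "Legacy CRM", "status": "ACTIVE",   "signOnMode": "BROWSER_PLUGIN"},
 {"id": "0oa3", "label": "Wiki",       "status": "ACTIVE",   "signOnMode": "SECURE_PASSWORD_STORE"},
 {"id": "0oa4", "label": "Old HR",     "status": "INACTIVE", "signOnMode": "BROWSER_PLUGIN"},
 {"id": "0oa5", "label": "Intranet",   "status": "ACTIVE",   "signOnMode": "BOOKMARK"},
 {"id": "0oa6", "label": "Dev portal", "status": "ACTIVE",   "signOnMode": "OPENID_CONNECT"}
]""")


def classify(app):
    """Map an app record to 'federated', 'password' or 'other'."""
    mode = app.get("signOnMode", "")
    if mode in FEDERATED:
        return "federated"
    if mode in PASSWORD_BASED:
        return "password"
    return "other"  # e.g. BOOKMARK: no credentials handled by Okta


def password_based_apps(apps, active_only=True):
    """Labels of apps whose login passes the user's password to the app."""
    return sorted(a["label"] for a in apps
                  if classify(a) == "password"
                  and (not active_only or a.get("status") == "ACTIVE"))


def summary(apps):
    """Count active apps per sign-on class for a quick HealthInsight-style view."""
    counts = {"federated": 0, "password": 0, "other": 0}
    for a in apps:
        if a.get("status") == "ACTIVE":
            counts[classify(a)] += 1
    return counts


if __name__ == "__main__":
    print(summary(SAMPLE_APPS))
    for label in password_based_apps(SAMPLE_APPS):
        print("review for conversion to SAML/OIDC:", label)
```

Whether a flagged app can actually be converted depends on its integration supporting SAML or OIDC, which is what the SAML Capable Apps report in the steps above tells you.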