Okta IP address allow listing

Note

Okta is focused on the adoption of inclusive language and communication. As part of this initiative, some long-standing industry terminology and expressions have changed.


An IP allow list (formerly whitelist) is used to provide access to selected IP addresses and programs that your network server policy could typically block.

  • If your server policy allows all outbound http/https communication to any IP address or website, you do not need to make any changes.
  • If your server policy denies access to most or all external IP addresses and websites, you must configure an allow list to enable some features to work.

For domain, port, and troubleshooting information, see the Implementation section below.


Okta IP addresses

For proper connectivity to Okta for all Okta agents and end users, add Okta system IP addresses to your allow list based on this AWS-managed list:

Okta IP range allow list

IP addresses in this list are grouped by the following:

  • Production (us_cell_1 - us_cell_7, us_cell_10 - us_cell_12)
  • Production EMEA (emea_cell_1)
  • Production EMEA (emea_cell_2)
  • Production HIPAA (us_cell_5)
  • Production APAC (apac_cell_1)
  • Preview (preview_cell_1 - preview_cell_3)
  • Preview EMEA (preview_cell_2)

We recommend viewing this file with an online JSON viewer of your choice. The Okta IP range allow list can also be obtained by super admins who need to maintain the IP allow list.
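The list is published as JSON, so the allow list is best generated from it rather than copied by hand. The following is an added example, not Okta's own code or tooling: it assumes the JSON has the shape cell name -> {"ip_ranges": [CIDR, ...]} (an assumption, since the page does not show the file), keeps only production cells by default, rejects malformed or unexpectedly wide ranges, renders illustrative iptables-style outbound rules for port 443, and diffs two versions of the list so a change can be reviewed before it reaches the firewall. The sample data uses RFC 5737 documentation ranges, not real Okta addresses.

```python
import ipaddress
import json

# Constructed sample in the shape this example ASSUMES for the AWS-managed
# Okta IP range JSON: cell name -> {"ip_ranges": [CIDR, ...]}. The prefixes are
# RFC 5737 documentation ranges, not real Okta addresses.
SAMPLE_IP_RANGES_JSON = """
{
  "us_cell_1":      {"ip_ranges": ["192.0.2.0/24", "198.51.100.8/32"]},
  "emea_cell_1":    {"ip_ranges": ["203.0.113.0/25"]},
  "preview_cell_1": {"ip_ranges": ["203.0.113.128/25"]}
}
"""

# Production cells only; add "preview_cell_" when the org lives in Preview.
PRODUCTION_PREFIXES = ("us_cell_", "emea_cell_", "apac_cell_")


def parse_ip_ranges(raw, cell_prefixes=PRODUCTION_PREFIXES):
    """Return {cell: [ip_network, ...]} for cells whose name starts with one of
    cell_prefixes. strict=True makes a CIDR with host bits set raise instead of
    silently widening the rule; a too-broad prefix is rejected as well."""
    data = json.loads(raw)
    cells = {}
    for cell, body in data.items():
        if not cell.startswith(cell_prefixes):
            continue
        nets = []
        for cidr in body["ip_ranges"]:
            net = ipaddress.ip_network(cidr, strict=True)
            if net.prefixlen < 16:  # sanity guard: never allow-list a /8 by mistake
                raise ValueError(f"{cell}: range {cidr} is wider than expected")
            nets.append(net)
        cells[cell] = nets
    return cells


def render_egress_rules(cells, port=443):
    """Emit one iptables-style outbound ACCEPT per CIDR (syntax is illustrative;
    adapt it to your firewall). Output is sorted so re-runs produce stable diffs."""
    rules = []
    for cell in sorted(cells):
        nets = sorted(cells[cell],
                      key=lambda n: (n.version, n.network_address.packed, n.prefixlen))
        for net in nets:
            rules.append(
                f"-A OUTPUT -d {net.with_prefixlen} -p tcp --dport {port} "
                f"-m comment --comment okta:{cell} -j ACCEPT"
            )
    return rules


def is_allowed(cells, ip):
    """True if ip falls inside any allow-listed Okta range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for nets in cells.values() for net in nets)


def diff_ranges(old_cells, new_cells):
    """(added, removed) CIDR strings between two versions of the list, so the
    firewall change can be reviewed before it is applied."""
    old = {n for nets in old_cells.values() for n in nets}
    new = {n for nets in new_cells.values() for n in nets}
    return sorted(str(n) for n in new - old), sorted(str(n) for n in old - new)


if __name__ == "__main__":
    cells = parse_ip_ranges(SAMPLE_IP_RANGES_JSON)
    for rule in render_egress_rules(cells):
        print(rule)
```

Run it against the published file by replacing SAMPLE_IP_RANGES_JSON with the downloaded content; the diff_ranges output from the previous run is what a change ticket should contain.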

For IP address ranges that can be allow listed for CDN, refer to Amazon Web Services.

Note

Okta's allow-listed IP addresses may also need to be added to your inbound firewall rules so that Okta can communicate with any agents installed on your internal network.


Implementation

The following information helps you to configure and implement allow listing for your orgs.

Ports

The Okta service uses SSL/TLS for all communication. If your policy requires a port number, port 443 must be allow listed for the IP addresses provided in this document, unless otherwise noted.

Required Okta Domains

If your company allow lists domains, add the following domains to your list of allowed domains:

*.okta.com
*.mtls.okta.com
*.oktapreview.com
*.mtls.oktapreview.com
*.oktacdn.com
*.okta-emea.com
*.mtls.okta-emea.com
*.kerberos.okta.com
*.kerberos.okta-emea.com
*.kerberos.oktapreview.com

Content Delivery Network (CDN)

Okta static UI assets (JavaScript, CSS, and images) can be delivered to browsers through an international CDN so that customers outside the USA download them faster.

For most firewall or proxy systems, Okta recommends specifying an allow list of DNS addresses for Okta services so that outbound connections can be made. For a list of current IP ranges for the content delivery network (CDN), refer to Amazon Web Services.

Certificate Revocation Troubleshooting

Various problems can arise when a client attempts to check a certificate's revocation status. For example, some clients fail to connect to SSL/TLS endpoints when they are unable to reach the revocation server. If you experience trouble with certificate revocation checking, ensure that you have the following domain names allow listed on port 80:

ocsp.digicert.com
crl3.digicert.com
crl4.digicert.com


Third Party Services

Okta Mobile may require allow listing of the following third-party domains for outbound connections to these services:

*.mapbox.com
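The domain entries above, the port-80 revocation endpoints, and the Okta Mobile dependency together form one egress policy. The following is an added example, not part of Okta's documentation or tooling, that encodes that policy as (pattern, port) pairs and evaluates it over constructed proxy log lines. Its wildcard semantics are an assumption: "*.okta.com" matches any host with at least one label in front of ".okta.com", never the bare apex and never a look-alike such as "notokta.com", which a naive endswith("okta.com") check would wrongly accept. Hostnames in the log are constructed.

```python
# Egress policy built from the domain/port list on this page. Wildcard handling
# is this example's ASSUMPTION: "*.okta.com" matches any host with at least one
# label before ".okta.com"; non-wildcard entries must match exactly.
OKTA_DOMAIN_RULES = [
    ("*.okta.com", 443), ("*.mtls.okta.com", 443),
    ("*.oktapreview.com", 443), ("*.mtls.oktapreview.com", 443),
    ("*.oktacdn.com", 443),
    ("*.okta-emea.com", 443), ("*.mtls.okta-emea.com", 443),
    ("*.kerberos.okta.com", 443), ("*.kerberos.okta-emea.com", 443),
    ("*.kerberos.oktapreview.com", 443),
    # Certificate revocation endpoints, plain HTTP on port 80 as the page states.
    ("ocsp.digicert.com", 80), ("crl3.digicert.com", 80), ("crl4.digicert.com", 80),
    # Third-party dependency of Okta Mobile.
    ("*.mapbox.com", 443),
]


def host_matches(pattern, host):
    """Case-insensitive match; a trailing dot on the host (FQDN form) is ignored."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.okta.com" -> ".okta.com"
        # The leading dot is what stops "notokta.com" from matching "*.okta.com";
        # the length check requires at least one label before the suffix.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_egress_allowed(host, port, rules=OKTA_DOMAIN_RULES):
    """True if some rule matches both the host pattern and the exact port."""
    return any(host_matches(p, host) and port == allowed_port
               for p, allowed_port in rules)


def review_proxy_log(lines, rules=OKTA_DOMAIN_RULES):
    """Classify proxy log lines of the form 'timestamp host port' and return
    the (host, port) pairs the policy would block, so a missing allow-list entry
    shows up in review before users report a broken login."""
    blocked = []
    for line in lines:
        _, host, port = line.split()
        if not is_egress_allowed(host, int(port), rules):
            blocked.append((host, int(port)))
    return blocked


# Constructed log lines, not real traffic.
SAMPLE_PROXY_LOG = [
    "2024-01-01T10:00:00Z dev-123.okta.com 443",
    "2024-01-01T10:00:01Z static.oktacdn.com 443",
    "2024-01-01T10:00:02Z ocsp.digicert.com 80",
    "2024-01-01T10:00:03Z crl3.digicert.com 443",
    "2024-01-01T10:00:04Z notokta.com 443",
    "2024-01-01T10:00:05Z example.kerberos.okta.com 443",
]


if __name__ == "__main__":
    for host, port in review_proxy_log(SAMPLE_PROXY_LOG):
        print(f"would block: {host}:{port}")
```

Note that crl3.digicert.com on port 443 is reported as blocked: the page lists the revocation hosts on port 80 only, and the example holds to that literally so a port mismatch is visible rather than silently permitted.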