This is an Early AccessEarly Access (EA) features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. feature. To enable it, please contact Okta Support.
Settings > Customization
You can customize your Okta orgThe Okta container that represents a real-world organization. by replacing the Okta domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https). name with a custom URL domain name that you specify. For example, if the URL of your Okta org is https://example.okta.com, you can configure a custom URL for the org such as https://id.example.com.
- Domain name
- Subdomain name. More
- TLS certificate for your subdomain (PEM-encoded)
- Private key (PEM-encoded)
- A valid TLS certificate is required to configure a Custom URL domain. Depending on your organization's policies, developers and administrators must have access to your organization's certificates or a certificate authority.
- If your org uses any of the following components, additional configuration may be required:
- Custom Authorization Servers for API management
- Issuer for OIDC clients
- Social IdPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta. Redirect
- Okta Verify
Okta uses CNAME DNS records to point to your Okta org. Because DNS does not allow you to set a CNAME record for a domain (for example, example.com), you must create CNAME records for subdomains (such as id.example.com).
- Currently, this feature is intended primarily for software developers integrating custom applications through the Okta API, but IT administrators provisioning apps to the Okta end user dashboard can configure a custom URL.
- Custom URL Domains are not supported for use the Okta Secure Web Authentication browser plugin.
After you modify your DNS records, it may take up to 24 hours for your changes to propagate. If your changes do not appear within 24 hours, return to the CNAME step in the wizard and confirm your settings.
- Depending on your registrar, you must enter either a long or short value for Host in the DNS step of the configuration wizard. If your registrar does not support the value you entered, verification will fail and your custom URL domain configuration will be incomplete.
- Certificate chain files can only contain keys 2048 bits in length.
- You must configure this feature in order for Okta's Custom Sign In Page and Custom Error Page features to work.
- Only one custom URL is allowed per Okta org.
- If you use Let's Encrypt to become familiar with this feature, be aware that their certificates are valid for only 90 days. For a more permanent TLS certificate, you must generate one yourself and have it signed by a provider like Namecheap.
If you are using the Custom URL feature and are integrating with one of the Okta agents, take note of the following:
- Agents: Need to be installed against the actual domain (example.okta.com) not the custom domain (example.customname.com). This applies to all agents.
- If using IWA SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones.: You should customize the web.config file to include the custom url. It will continue to work without these customization, but it could cause confusion for your end user if they fail to sign in and end up on a different domain.
- If you are using Agentless DSSO: Since you can only specify one SPN when setting up Agentless DSSO, you should ensure all your sign in flows and browser bookmarks are using the URL you want ADSSO to use.
- Obtain the certificate and private key described in Prerequsites.
Go to Settings > Customization.
Scroll down to Custom URL Domain and then click Edit.
- The Continue button appears if the configuration is incomplete.
- The Update Certification button appears if a custom URL domain is already configured for your org. To delete the current configuration, click Restore to default.
- Click Get Started to start the configuration wizard.
- Enter your domain and sub-domain name. For example, id.example.com.
- Click Next.
- Copy the value provided in the Host column.
- Log in to your Domain Name registrar.
- Locate the option to modify your DNS records and add a TXT record by pasting the value you copied from the Host column.
- Wait for the DNS record to propogate (typically 1 - 5 minutes, but it may take longer), and then return to Okta and click Verify to prove to your Domain Name registrar that you have rights to use the domain name.
Note: After you modify your DNS records, it may take up to 24 hours for your changes to propagate. If your changes do not appear within 24 hours, return to this step and confirm your settings.
- If Verified appears, click Next.
- Paste your certificate in the Certificate field.
- Paste your private key in the Private Key field.
- If applicable to your environment (required for use with Okta Mobile for Android; see note below), Okta recommends that you enter a PEM-encoded certificate chain (if any) in the Certificate Chain field.
- Click Next.
- Return to your Domain Name registrar and again locate the option to modify your DNS records.
- Add a CNAME record and paste the Host (Name) and Data (Value) values provided in the CNAME table in Okta.
- Save your DNS record.
- To confirm that Okta is serving traffic over HTTPS (TLS) to your domain, wait for your updated DNS record to propagate, return to the CNAME step in Okta, and then click your custom URL under Confirmation.
Note: After you modify your DNS records, it may take up to 24 hours for your changes to propagate. If your changes do not appear within 24 hours, return to the CNAME step in the wizard and confirm your settings.
- Click Finish.
Note: Certificate chain files can only contain keys 2048 bits in length.
- To view the details of your custom URL configuration, go to Settings > Customization and scroll to the Custom URL Domain section.
- If you're using MacOS, you can run the following command to see dig output for a properly configured domain:
$ dig id.example.com