This is an Early Access feature. To enable it, please contact Okta Support.
Settings > Customization
You can customize your Okta org by replacing the Okta domain name with a custom URL domain name that you specify. For example, if the URL of your Okta org is https://example.okta.com, you can configure a custom URL for the org such as https://id.example.com.
- Domain name
- Subdomain name
- TLS certificate for your subdomain (PEM-encoded)
- Private key (PEM-encoded)
- A valid TLS certificate is required to configure a Custom URL domain. Depending on your organization's policies, developers and administrators must have access to your organization's certificates or a certificate authority.
- If your org uses any of the following components, additional configuration may be required:
  - Custom Authorization Servers for API management
  - Issuer for OIDC clients
  - Social IdP Redirect
  - Okta Verify
Okta uses CNAME DNS records to point to your Okta org. Because DNS does not allow you to set a CNAME record for a domain (for example, example.com), you must create CNAME records for subdomains (such as id.example.com).
- Currently, this feature is intended primarily for software developers integrating custom applications through the Okta API. While IT administrators provisioning apps to the Okta end user dashboard can configure a custom URL, they should be aware that the following components are not supported with Custom URL Domains:
  - Okta Mobile (iOS, Android)
  - Okta Secure Web Authentication browser plugin
  - Okta IWA web app for Desktop SSO
  - Okta Active Directory agent
  - Okta LDAP agent
After you modify your DNS records, it may take up to 24 hours for your changes to propagate. If your changes do not appear within 24 hours, return to the CNAME step in the wizard and confirm your settings.
- Depending on your registrar, you must enter either a long or short value for Host in the DNS step of the configuration wizard. If your registrar does not support the value you entered, verification will fail and your custom URL domain configuration will be incomplete.
- Certificate chain files can only contain keys 2048 bits in length.
- You must configure this feature in order for Okta's Custom Sign In Page and Custom Error Page features to work.
- Only one custom URL is allowed per Okta org.
- If you use Let's Encrypt to become familiar with this feature, be aware that their certificates are valid for only 90 days. For a more permanent TLS certificate, you must generate one yourself and have it signed by a provider like Namecheap.
- Obtain the certificate and private key described in Prerequisites.
- Go to Settings > Customization.
- Scroll down to Custom URL Domain and then click Edit.
  - The Continue button appears if the configuration is incomplete.
  - The Update Certification button appears if a custom URL domain is already configured for your org. To delete the current configuration, click Restore to default.
- Click Get Started to start the configuration wizard.
- Enter your domain and sub-domain name. For example, id.example.com.
- Click Next.
- Copy the value provided in the Host column.
- Log in to your Domain Name registrar.
- Locate the option to modify your DNS records and add a TXT record by pasting the value you copied from the Host column.
- Wait for the DNS record to propagate (typically 1 to 5 minutes, but it may take longer), and then return to Okta and click Verify to prove to your Domain Name registrar that you have rights to use the domain name.
Note: After you modify your DNS records, it may take up to 24 hours for your changes to propagate. If your changes do not appear within 24 hours, return to this step and confirm your settings.
- If Verified appears, click Next.
- Paste your certificate in the Certificate field.
- Paste your private key in the Private Key field.
- If applicable to your environment, Okta recommends that you enter a PEM-encoded certificate chain (if any) in the Certificate Chain field.
- Click Next.
- Return to your Domain Name registrar and again locate the option to modify your DNS records.
- Add a CNAME record and paste the Host (Name) and Data (Value) values provided in the CNAME table in Okta.
- Save your DNS record.
- To confirm that Okta is serving traffic over HTTPS (TLS) to your domain, wait for your updated DNS record to propagate, return to the CNAME step in Okta, and then click your custom URL under Confirmation.
Note: After you modify your DNS records, it may take up to 24 hours for your changes to propagate. If your changes do not appear within 24 hours, return to the CNAME step in the wizard and confirm your settings.
- Click Finish.
Note: Certificate chain files can only contain keys 2048 bits in length.
- To view the details of your custom URL configuration, go to Settings > Customization and scroll to the Custom URL Domain section.
- If you're using macOS, you can run the following command to see dig output for a properly configured domain:
$ dig id.example.com
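The HTTPS confirmation in the steps above can also be scripted. The following is an added example, not part of Okta's documentation: a Python program using only the standard library that opens a verified TLS connection to the custom domain (assumed here to be id.example.com), then reports whether the served certificate covers that name and how many days of validity remain, which matters for the 90-day Let's Encrypt certificates mentioned earlier. The `evaluate_cert` function runs offline on a constructed `getpeercert()` dictionary, so the checking logic can be exercised without a live domain.

```python
# Added example (not Okta's code): confirm that a custom URL domain serves
# HTTPS with a certificate that actually covers the custom name.
import socket
import ssl
import sys
import time


def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Connect with chain and hostname verification on and return the leaf cert
    as the dict from SSLSocket.getpeercert(). A chain that is missing its
    intermediates (Certificate Chain field) raises SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def name_matches(pattern: str, hostname: str) -> bool:
    """SAN match: exact, or a single '*' covering exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".example.com"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return False


def evaluate_cert(cert: dict, hostname: str, now: float) -> dict:
    """Does the cert cover hostname, and how many days of validity remain?
    `now` is a Unix timestamp (time.time() for a live check) so it is testable."""
    san_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    return {
        "covers_host": any(name_matches(n, hostname) for n in san_names),
        "days_left": days_left,
        # Let's Encrypt certificates last only 90 days; warn well before expiry.
        "renew_soon": days_left < 30,
    }


# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "id.example.com"), ("DNS", "*.sso.example.com")),
    "notAfter": "Jun 10 12:00:00 2030 GMT",
}

if __name__ == "__main__":  # python check_custom_domain.py id.example.com
    host = sys.argv[1] if len(sys.argv) > 1 else "id.example.com"
    print(evaluate_cert(fetch_peer_cert(host), host, time.time()))
```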