App integrations FAQ
The procedure to add an app integration from the OIN is covered in Add existing app integrations.
On-premises web apps that use Active Directory (AD) credentials for authentication do not use Integrated Windows Authentication (IWA), but instead require users to enter their AD credentials when they sign in on a browser. When you configure Okta to delegate authentication to AD, signing in to internal web apps can also be automated.
Here's how Okta enables SSO for AD-authenticated internal web applications:
- Configure Okta to delegate authentication to AD.
- Customer has on-premises apps authenticating to AD.
- Users sign in to Okta with AD credentials.
- Users access their internal web apps with SWA using AD credentials.
- The internal web apps authenticate users against AD.
Okta uses SWA to automatically sign users in to internal web apps. When you configure an internal web application to delegate authentication to AD (the same source to which Okta delegates authentication), Okta captures the user's AD password during the sign-in process and automatically sets that password for that user in any applications that also delegate to AD. This enables users to click a link to access these apps, and then sign in automatically. Okta synchronizes the AD password securely. If the password is later changed in AD, Okta captures the change when the user signs in to Okta and immediately updates the secure password store for that app, ensuring that the next sign-in attempt is successful.
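Because the synchronized AD password is replayed into every SWA app configured this way, it helps to inventory which apps receive it and where it is submitted. The following is an added example, not Okta's code: it assumes app objects exported as JSON from the Okta Apps API with the fields `signOnMode`, `credentials.scheme` and `settings` (verify the field names against your own export), and the sample records are constructed.

```python
from urllib.parse import urlparse

# Assumed Okta Apps API values: SWA-family sign-on modes and the credential
# scheme under which the app password follows the user's Okta (AD) password.
SWA_MODES = {"BROWSER_PLUGIN", "AUTO_LOGIN", "SECURE_PASSWORD_STORE"}
SYNC_SCHEME = "EXTERNAL_PASSWORD_SYNC"

def login_url(app):
    """Best-effort login URL: settings.signOn.loginUrl, else settings.app.url."""
    settings = app.get("settings") or {}
    return ((settings.get("signOn") or {}).get("loginUrl")
            or (settings.get("app") or {}).get("url"))

def audit(apps):
    """List active SWA apps that receive the synced AD password, with issues."""
    findings = []
    for app in apps:
        if app.get("status") != "ACTIVE":
            continue
        if app.get("signOnMode") not in SWA_MODES:
            continue
        if (app.get("credentials") or {}).get("scheme") != SYNC_SCHEME:
            continue
        url = login_url(app)
        issues = []
        if not url:
            issues.append("no login URL recorded")
        elif urlparse(url).scheme != "https":
            issues.append("AD password submitted without TLS")
        findings.append({"label": app.get("label"), "url": url, "issues": issues})
    return findings

def _app(label, mode, scheme, url, status="ACTIVE"):
    """Build a constructed app record in the assumed export shape."""
    return {"label": label, "status": status, "signOnMode": mode,
            "credentials": {"scheme": scheme}, "settings": {"app": {"url": url}}}

# Constructed sample export (hypothetical apps, not real tenant data).
SAMPLE_APPS = [
    _app("Intranet Wiki", "BROWSER_PLUGIN", SYNC_SCHEME, "https://wiki.corp.example/login"),
    _app("Legacy Timesheet", "BROWSER_PLUGIN", SYNC_SCHEME, "http://timesheet.corp.example/login"),
    _app("Vendor Portal", "BROWSER_PLUGIN", "EDIT_USERNAME_AND_PASSWORD", "https://vendor.example/"),
    _app("HR Suite", "SAML_2_0", None, None),
    _app("Retired CRM", "AUTO_LOGIN", SYNC_SCHEME, "http://crm.corp.example/", status="INACTIVE"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_APPS):
        print(f["label"], f["url"], "; ".join(f["issues"]) or "ok")
```

Every app the audit lists holds a copy of the user's directory password, so each one belongs in the scope of AD password-reset and incident-response procedures.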