Security features of the Okta Browser Plugin

The Okta Browser Plugin provides several features to enhance the security of your end users' credentials.

SSL

When you start an Okta-managed app integration that requires the plugin, a pop-up banner asks you if you want to have Okta automatically fill in your credentials. After you accept the prompt, the plugin uses an SSL connection to pass your Okta credentials. If you have the automatic submission option selected, the plugin signs you in to the application without any further action.

Authentication takes place in the background. The plugin temporarily stores your credentials in a location that the application can't access. The plugin simulates the sign-in process by inserting and submitting your credentials to the sign-in page, but then deletes them after the page redirects. This connection uses either the HTTPS or HTTP protocol, depending on the target URL of the application.

For secure connections, always use the HTTPS protocol when configuring the location of an application.

SSL certificate pinning (Internet Explorer)

The Okta Browser Plugin for Internet Explorer supports SSL pinning to protect against man-in-the-middle (MITM) attacks. A MITM attack attempts to steal user credentials, session identifiers, or other sensitive information.

Using SSL pinning, the Okta Browser Plugin for Internet Explorer maintains a list of previously validated and trusted server certificates.

When the user goes to an application, the plugin retrieves the site certificate and compares it against the list of trusted server certificates. If the comparison fails, Okta denies the connection to *.okta.com and *.oktapreview.com orgs and prompts the user to contact Okta Support.

Okta no longer supports Internet Explorer. To use a supported browser, see Supported browsers for Okta Browser Plugin.

Configure your environment to work with the plugin (Internet Explorer)

If your enterprise uses web proxies to perform SSL interception, you need to configure your environment to work with the Okta Browser Plugin for Internet Explorer.

  1. In the Windows registry editor, go to [HKEY_CURRENT_USER\Software\AppDataLow\Software\Okta\IE Plugin].
  2. Create a DWORD (32-bit) value called SkipCertPinning.
  3. Set the value to 1.

Disable certificate pinning only for scenarios where orgs are using web proxies to intercept SSL traffic. Okta doesn't recommend turning it off for any other scenarios.

URL string matching

The Okta Browser Plugin checks the strings in your application URL to ensure that they match the strings Okta has in the integration details for that app. This matching ensures that Okta submits your credentials to the correct URL.

String            Example                 Requirement  Notes
protocol          https                   Required     Must be identical.
host              www.yoursite.com        Required     Must be identical.
port              :1802                   Optional     Must be identical if available.
path              /login                  Optional     Must start with the same string.
anchor            #yoursite               Optional     Must be identical.
query parameters  ?yoursite=bar&baz=buzz  Optional     The order of your query parameters may vary.
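The matching rules in the table above, as an added JavaScript example that is not Okta's plugin code: the function below applies them to a configured app URL and the URL the browser is currently on, using the standard WHATWG URL parser available in browsers and Node.js. It assumes that "Optional" means a component is enforced only when the configured URL includes it, and that the path rule means the current path must begin with the configured path; the sample URLs are constructed for the example.

```javascript
// Added example, not Okta's code. Applies the page's URL matching rules:
//   protocol  - required, must be identical
//   host      - required, must be identical
//   port      - optional, must be identical if the configured URL states one
//   path      - optional, the current path must start with the configured path
//   anchor    - optional, must be identical if the configured URL has one
//   query     - optional, same key/value pairs, order may vary
// Note: the URL parser normalizes default ports away (":443" on https becomes ""),
// so a configured "https://host:443/" is compared as having no explicit port.

function sortedQueryPairs(searchParams) {
  // Collect "key=value" pairs and sort them so parameter order does not matter.
  const pairs = [];
  for (const [key, value] of searchParams) pairs.push(`${key}=${value}`);
  return pairs.sort();
}

// Returns { match: boolean, reasons: string[] } so a caller can log why
// credentials were withheld instead of silently failing.
function urlsMatch(configuredUrl, currentUrl) {
  const expected = new URL(configuredUrl);
  const actual = new URL(currentUrl);
  const reasons = [];

  if (expected.protocol !== actual.protocol) reasons.push('protocol differs');
  if (expected.hostname !== actual.hostname) reasons.push('host differs');

  // Port: only enforced when the configured URL names one explicitly.
  if (expected.port !== '' && expected.port !== actual.port) reasons.push('port differs');

  // Path: prefix match, so "/login" also accepts "/login/step2".
  if (!actual.pathname.startsWith(expected.pathname)) reasons.push('path prefix differs');

  // Anchor: only enforced when the configured URL carries one.
  if (expected.hash !== '' && expected.hash !== actual.hash) reasons.push('anchor differs');

  // Query: only enforced when configured; compared as an order-insensitive set of pairs.
  if (expected.search !== '') {
    const e = sortedQueryPairs(expected.searchParams).join('&');
    const a = sortedQueryPairs(actual.searchParams).join('&');
    if (e !== a) reasons.push('query parameters differ');
  }

  return { match: reasons.length === 0, reasons };
}

// Constructed sample: a configured app URL with every component present, checked
// against a current URL that reorders the query and adds a path segment.
const configuredSample = 'https://www.yoursite.com:1802/login?yoursite=bar&baz=buzz#yoursite';
const currentSample = 'https://www.yoursite.com:1802/login/next?baz=buzz&yoursite=bar#yoursite';
console.log(urlsMatch(configuredSample, currentSample));
```

Returning the list of failed components rather than a bare boolean is deliberate: when the plugin declines to fill credentials, the reason (for example a protocol downgrade from https to http, or a different host) is exactly what an administrator needs to see when troubleshooting an app configuration.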

Anti-phishing protection

Okta Browser Plugin provides anti-phishing protection against non-trusted Okta orgs. The plugin trusts the first org that you access. If you access an unrecognized org, a security warning appears. You're explicitly required to trust the org and give consent before accessing it.

Auto-generate strong passwords

When you create or change passwords for your SWA-based applications, Okta Browser Plugin auto-generates a strong password. This password is automatically saved to your Okta account.