Configure Trusted Origins

A Trusted Origin is a security-based concept that combines the URI scheme, hostname, and port number of a page. All cross-origin web requests and redirects from Okta to your organization’s websites must be explicitly allowed.

Use the Trusted Origins tab on the Security > API page to allow websites that you control and trust to access your Okta org through the Okta API. For developers, see Trusted Origins API.

The following admin configurations require Trusted Origins:

Note

Orgs can use WebAuthn for sign-in pages hosted at Trusted Origins that are different from the org's Okta or custom domain URL. WebAuthn, however, requires the HTTPS protocol. Specify HTTPS, and not HTTP, when you configure a Trusted Origin for this use case.

To add a Trusted Origin:

  1. In the Admin Console, go to Security > API.
  2. Select the Trusted Origins tab.
  3. Click Add Origin.
  4. In the Add Origin dialog, enter Name and Origin URL.

    Info

    Supported schemes are HTTP, HTTPS, FTP, Ionic 2, and Capacitor.

  5. Select the origin Type:
    • CORS – Cross-Origin Resource Sharing (CORS) allows JavaScript hosted on your websites to make an XMLHttpRequest to the Okta API using the Okta session cookie.
      Info

      CORS is a standard browser feature that allows JavaScript hosted on your websites to make an XMLHttpRequest (XHR) to the Okta API with the Okta session cookie.

    • Redirect – Allows for browser redirection to your org's trusted websites after signing in or out.
    • iFrame embed (origin) – Allows iFrame embedding of Okta sign-in pages, Okta resources, and the Okta End-User Dashboard. See Trusted Origins for iFrame embedding.
  6. Click Save.
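
The following pre-check for candidate Origin URLs is an added example, not Okta's own code. It reduces each URL to the scheme, hostname, and port that make up an origin, rejects schemes outside the supported list, and flags HTTP where the origin hosts a WebAuthn sign-in page. The `ionic:` and `capacitor:` protocol strings, the function names, and the sample entries are assumptions constructed for illustration.

```javascript
// Schemes the page lists as supported: HTTP, HTTPS, FTP, Ionic 2, Capacitor.
// Assumption: Ionic and Capacitor apps use the "ionic:" and "capacitor:" protocols.
const ALLOWED = new Set(['http:', 'https:', 'ftp:', 'ionic:', 'capacitor:']);

// Reduce a candidate URL to scheme://host[:port] and list anything that
// would make it unsuitable as a Trusted Origin entry.
function checkOrigin(input, { webauthn = false } = {}) {
  const problems = [];
  let url;
  try {
    url = new URL(input);
  } catch {
    return { origin: null, problems: ['not an absolute URL'] };
  }
  if (!ALLOWED.has(url.protocol)) problems.push(`unsupported scheme ${url.protocol}`);
  if (!url.hostname) problems.push('missing hostname');
  if (url.username || url.password) problems.push('credentials are not part of an origin');
  if (url.pathname !== '' && url.pathname !== '/') problems.push('path is not part of an origin');
  if (url.search || url.hash) problems.push('query or fragment is not part of an origin');
  if (webauthn && url.protocol !== 'https:') problems.push('WebAuthn requires HTTPS');
  // url.host drops the port when it is the scheme default (443 for https, 80 for http).
  const usable = ALLOWED.has(url.protocol) && url.hostname;
  return { origin: usable ? `${url.protocol}//${url.host}` : null, problems };
}

// Check a list of planned entries and flag ones that collapse to the same origin.
function audit(entries) {
  const seen = new Map();
  return entries.map(({ name, url, webauthn }) => {
    const result = checkOrigin(url, { webauthn });
    if (result.origin && seen.has(result.origin)) {
      result.problems.push(`same origin as "${seen.get(result.origin)}"`);
    } else if (result.origin) {
      seen.set(result.origin, name);
    }
    return { name, ...result };
  });
}

// Constructed sample input, not taken from any real org.
const SAMPLE = [
  { name: 'Login page', url: 'HTTPS://Login.Example.com:443/', webauthn: true },
  { name: 'Login (dup)', url: 'https://login.example.com', webauthn: true },
  { name: 'Portal', url: 'http://portal.example.com:8080/app', webauthn: true },
  { name: 'Mobile app', url: 'capacitor://localhost' },
  { name: 'Typo', url: 'example.com' },
];
console.log(JSON.stringify(audit(SAMPLE), null, 2));
```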