Enable self-service access to apps
The Self Service feature takes the burden of granting access to app integrations from your IT staff. Administrators can delegate the process to business application owners by specifying a workflow composed of users or groups who can approve and grant access to requested app integrations.
After admins enable the components of the Self Service feature, end users can request app integrations directly through their Okta End-User Dashboard. Admins can activate the Self Service components that provide the best fit for their organizational requirements and desired end-user experience.
An org-managed app integration is an integration that admins added to the Okta org and configured to work with an external application. The back-end connection between Okta and the external application typically consists of Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) for Federated Single Sign-On (SSO). User accounts can be provisioned to external applications using the System for Cross-domain Identity Management (SCIM) protocol. When an end user clicks the app integration tile on their End-User Dashboard, Okta authenticates the user according to the configured parameters, communicates with the external application, and then signs in the user to the external application. For end users to request an org-managed app integration, an admin must enable the Self Service request option for that app integration.
There are thousands of app integrations in the Okta app catalog. Some app integrations don't require extra Okta configuration to handle a user sign-in request. The only information exchanged with the external application is a username and password. These credentials are set by the end user the first time that they click the app integration tile. End users can add this type of app integration as a personal app integration.
Finally, end users can send an email to an org admin and request the addition of an app integration to the org. This app integration may be found in the app catalog or it may require creating a brand new app integration. However, as new integrations typically require back-end configuration between Okta and the external application, users can't add these as personal app integrations.
About admin roles for this task
The administrator running this task must be a super admin for the Okta org.
Before you begin
The admin must sign in to the Okta Admin Console.
Start this task
To activate the Self Service feature for your org:
- In the Admin Console, go to .
- Click Settings.
- In User App Requests, click Edit to change App Catalog Settings.
The following options are available:
-
Click Save.
Allow users to add org-managed app integrations
This option allows users to add org-managed app integrations to their End-User Dashboard. End users can click Add apps on their dashboard to add these org-managed apps. A user can request any app integration that your org has added and has the Self Service feature enabled.
You can view the app integrations that have the Self Service feature enabled on the Available Apps list, go to the Assignments tab for the app integration and configure the Self Service option. See Configure a Self Service approval workflow.
page. To add an app integration to theThe Approval column of the Available Apps pane indicates if further approval is required before the app integration can be assigned to the end user:
- On: This means that the end user must submit a request through their Add apps interface and an admin or assigned approver evaluates and approves the request.
- Off: This means that the end user doesn't require approval to get access to the app integration. Okta adds the app integration to their dashboard. No involvement from an admin or an assigned approver is required.
Allow users to add personal app integrations
This option allows users to add a personally configured app integration, which means the external application doesn't require Okta to manage the sign-in request. Okta passes only the username and password to the external application. End users set these values when they click the app integration tile for the first time.
An end user can add any app from the Okta app catalog that isn't already managed by their org and that only requires a username and password for account creation.
Allow users to email "Technical Contact" to request an app integration
This option allows an end user to request the addition of an app integration to the org by sending an email to a technical contact configured by admins.
Before selecting this option, make sure that you've configured the email alias for the Technical Contact. To change the technical contact used in this request:
- In the Admin Console, go to .
- On the End User Support pane, click Edit.
- In the Technical contact field, enter the name or email address of the individual account that receives the end user requests to add app integrations. The user account must exist in your Universal Directory with a valid email address.
- Click Save.
When enabled, this option adds a button labeled Request an app to the footer of the End-User Dashboard.
When end users click Request an app, Okta displays a dialog containing a text field. End users can then provide details about the app integration that they would like the admins to add to the org.
Allow users to move apps using their personal email address to Okta Personal
This is a Beta feature. To use it, ask Okta Personal Support to enable Personal App Migration for your org.
This option allows users to move personal apps from their End-User Dashboard to Okta Personal (the Okta identity platform for personal use). See Import apps from Okta Workforce.
If you enable this option, users can only move apps that they added themselves. Apps must also use a personal email address to be considered eligible to move. Org-managed app integrations and apps that use the org subdomain aren't eligible.
Next steps
Configure a Self Service approval workflow