Configure Single Sign-On options

The options available when setting up or changing the Single Sign-On (SSO) method for an app integration depend on the access protocols supported by the app integration.

About admin roles for this task

The administrator running this task must be a super admin for the Okta org.

App administrators can configure user access to app integrations for which they're responsible.

Before you begin

The admin must be signed in to the Okta Admin Console.

Configure Sign-on options

Whether you're configuring an app integration for the first time or you later need to change these options, the Sign on methods available depend on the access protocols supported by the app integration.

OpenID Connect

For OpenID Connect (OIDC) app integrations, Okta uses the OAuth 2.0 protocol to exchange user credentials and enable SSO. OIDC app integrations typically have a link to instructions that guide you through the configuration.

SAML 2.0, WS-Federation

If you select one of SAML 2.0 or WS-Federation, Okta applies a federated approach to user authentication. App integrations configured using these methods typically have a link to instructions that guide you through the configuration.

For SAML applications, the Metadata details section includes data that your application integration may require. This can include Metadata URL, Sign on URL, and so on. See the linked instructions (View Setup Instructions) for details.

Bookmark-only

The Bookmark-only sign-in option is the simplest mode supported for an app integration. When the end user launches the app integration, Okta opens the sign-in page for the external application, but doesn't perform SSO. No username or password information is passed to the external application, so no configuration is required.

No Sign On

The No Sign On sign-in option is available when adding or configuring mobile apps or applications that don't require any sign-in information.

Secure Web Authentication

For the Secure Web Authentication (SWA) sign-in option, Okta signs in to the external application for each user. Selecting this method doesn't prevent users from signing in to the external application directly. You can set up your app integration with any of the following SWA sign-in configurations:

User sets username and password

This option allows your users to choose their usernames and passwords.

Note the following about this option:

  • If users are unassigned from the app integration and then later reassigned, they must reenter their usernames and passwords. Users can be unassigned from an app integration in the following ways:
    • The user is deactivated in Okta.
    • The user is removed from a group assigned to the app integration.
    • The user no longer appears in imports after being deactivated in the external application.
    • The organizational unit (OU) that contains the user is deselected.

Administrator sets username and password

This option provides the most robust level of admin control. It allows the admin to set all usernames and passwords for an app integration, after which the credentials are never shared with the end users. This option provides a way to shut off user access to the credentials of sensitive applications. You must ensure that the user doesn't have an alternative way to reset their password for the external application. It's also helpful in cases where admins must supply a new, obfuscated password to an Okta user, as no active communication with the user is required.

To set the usernames and passwords for a particular SWA app integration, do the following:

  1. Outside of Okta, access the external application you want to assign.
  2. Establish the usernames and passwords within the application.
  3. Return to Okta and access or create the app integration in the OIN.
  4. Choose the Sign On tab (or step) for the app integration.
  5. Choose Administrator sets username and password, and then click Next.
  6. Assign the app integration to users and then assign their usernames and passwords.

Note the following about this option:

  • The admin-created password can only be viewed when initially created. After setting the password, it's no longer visible to the admin. To change the password, first reset it in the external application, and then reset it in Okta.
  • If the chosen app integration was previously assigned to an established Okta group and then is modified to support this sign-on method, the admin needs to manually update the usernames and passwords for each group member.
  • The Password reveal feature is disabled when this option is selected because end users don't have access to their passwords.

Administrator sets username, user sets password

This option allows the admin to set up the external application accounts on behalf of your users, while still allowing users to set and change their application password (which is separate from their Okta password).

  1. Outside of Okta, access the external application you want to assign.
  2. Establish the username for each user within the application.
  3. Return to Okta and access or create the app integration in the OIN.
  4. Choose the Sign On tab (or step) for the app integration.
  5. Choose Administrator sets username, user sets password, and then click Next.
  6. Assign the app integration to users.

Administrator sets username, password is the same as user's Okta password

This option allows the admin to set up the external application accounts on behalf of your users and use their existing Okta passwords. For this to work, the admin needs to add the user accounts in the external application and then associate the usernames through provisioning integration with Okta. After you configure this option, end users can access the app integration without being prompted for a username or password.

  1. Outside of Okta, access the external application you want to assign.
  2. Establish the username and password for each user within the application.
  3. Return to Okta and access or create the app integration in the OIN.
  4. Choose the Sign On tab (or step) for the app integration.
  5. Choose Administrator sets username, password is the same as user's Okta password, and then click Next.
  6. Assign the app integration to users.

Users share a single username and password set by administrator

Select this option if you share a single application license or a single application account with multiple people in your organization.

To set the shared credentials for a shared application, do the following:

  1. Outside of Okta, access the external application you want to assign.
  2. Establish the username and password within the application.
  3. Return to Okta and access or create the app integration in the OIN.
  4. Choose the Sign On tab (or step) for the app integration.
  5. Choose Users share a single username and password set by the administrator, and then click Next.
  6. Assign the app integration to users.

You can enable the Password reveal feature when this option is selected, but it only allows admins to see the shared password. End users can't reveal shared passwords.

See also

Add existing app integrations

Create custom app integrations

Configure settings for app integrations