App intent links

App intent links are protocol-specific endpoints that initiate a sign-in flow to an app, supporting both IdP-initiated and SP-initiated flows. Their behavior changes after upgrading from Classic Engine to Identity Engine.

Change summary

Classic Engine: Unauthenticated traffic to an app was redirected to /login/login.htm with a stateToken and fromUri representing the originally attempted app. After authentication, the user was redirected through an intermediate generic SSO endpoint, which validated app assignment and enforced the sign-on policy.

Identity Engine: App intent links no longer forward to a centralized sign-in page. Each app intent link hosts its own sign-in widget experience directly, unless an IdP routing rule exists. Identity Engine evaluates the global session policy, app sign-in policy, and all other policies relevant to the sign-in experience.

Admin experience No action is required.
User experience Because each app intent link hosts its own sign-in experience, they share a common rate limit bucket, similar to the centralized sign-in page rate limit in Classic Engine.
Related topics App intent links

Custom sign-in page for embedded app links

Change summary Using a custom sign-in page for embedded app links is no longer supported in Identity Engine. Users who click an app embed link are evaluated against the org's Okta sign-on policy instead.
Admin experience

Choose one of the following alternatives:

  • Customize an Okta-hosted sign-in page.
  • Configure an IdP routing rule for the app.
Related topics Custom sign-in page for embedded app links