Skip to main contentSkip to docs navigation
Docs
  • English (United States)
  • 日本語 (日本)
  • Français (France)
    • Identity Engine
    • Classic Engine
    • Access Gateway
    • Advanced Server Access
    • Aerial
    • Identity Security Posture Management
    • Workflows
    • Identity Engine
    • Classic Engine
    • Access Gateway
    • Advanced Server Access
    • Aerial
    • Identity Security Posture Management
    • Workflows
  • Okta Developer
    • Auth0 Docs
    • Auth0 FGA Docs
  • Training
  • Support
    • English (United States)
    • 日本語 (日本)
    • Français (France)

Feedback
Identity Engine publication
  • Okta Identity Engine
  • Release notes
    • Production
    • Preview
    • Early Access
    • Okta Verify release notes
      • Okta Verify for Android
      • Okta Verify for iOS
      • Okta Verify for macOS
      • Okta Verify for Windows
    • Identity Governance
    • Okta Privileged Access
      • Device tools
      • Platform
    • Archive
      • 2026
      • 2025
      • 2024
      • 2023
      • 2022
      • 2021
  • Get started
  • Upgrade to Okta Identity Engine
    • Eligibility tasks
      • Update Event hook endpoints
      • Prepare Okta Mobile users for upgrade
      • Turn off Mobile Device Trust
      • Delete IWA routing rules
      • Upgrade the Sign-In Widget
      • Prepare your customizations for upgrade
      • Prepare Terraform for upgrade
      • Rename Duo Security custom IdP
      • Skip email auto-enrollment
    • Feature changes
      • App intent links
      • App sign-on policies
        • App sign-on policy migration
      • Custom app login
      • Device Trust for desktop devices
      • Device Trust for mobile devices
      • Device Trust for Workspace ONE mobile
      • Email as an optional authenticator
      • Email enhancements
      • End-User Settings
      • Federated inbound sign-in flow
      • Global redirect
      • Integrated Windows Authentication
      • Multifactor authentication
      • MFA enrollment policy
      • Okta Mobile
      • Okta Verify with Okta FastPass
      • Okta sign-on policies
      • Office 365 single sign-out
      • Office 365 Custom User Agent
      • Office 365 MFA pass claim
      • Password reset and account recovery
      • Phone authenticator
      • Registration hooks
      • Secondary email for authentication and recovery
      • Secondary email as an optional user account field
      • Security questions and answers
      • Self-service registration
      • Sign-In Widget
      • Suspicious activity reporting
    • Self-service upgrade process
      • Self-service upgrade action items
      • Upgrade test plan
        • Record your Classic Engine experience
        • Test the upgrade in Identity Engine
        • Validate your upgrade
        • Replace your custom app login URL
        • Replace Desktop Device Trust with Okta FastPass
        • Replace Workspace ONE Device Trust mobile with Okta FastPass
        • Troubleshoot Device Trust
        • Post-upgrade behavior
        • Sign-in flows
      • Roll back to Classic Engine
        • Initiate a rollback request
        • Behavior after a rollback
    • Upgrade FAQ
      • From Device Trust to Okta FastPass
  • Monitoring and reports
    • Administrator Dashboard
      • View your org at a glance
      • View your org agents' status
      • View Okta service status
      • Monitor your tasks
      • Monitor your org's security
      • Monitor your SSO apps
      • Admin Console search
    • Reports
      • Entitlements and access
        • Group membership
        • User accounts
        • User app access
      • Application usage
      • Okta password health
      • SAML capable apps
      • Application access
      • Authentication activity
      • MFA activity
      • MFA usage
      • MFA enrollment by user
      • Suspicious activity
      • Deprovision details
      • Rate limits
      • Admin role assignments
      • Telephony usage
      • Deprecated reports
        • Current Assignments report
        • Recent Unassignments report
        • App Password Health report
    • Run reports
    • Receive reports by email
    • System Log
      • System Log filters and search
      • Common System Log filters
      • Track MFA abandonment in the System Log
    • Log streaming
      • Add an AWS EventBridge log stream
      • Add a Splunk Cloud log stream
      • Edit the status of your log stream
  • Directory integrations
    • Active Directory integration
      • Get started with Active Directory integration
        • Typical workflow for integrating Active Directory
        • Active Directory integration prerequisites
        • Active Directory integration considerations and limits
        • Okta service account permissions
        • Supported Active Directory integration features
        • Active Directory integration implementation options
        • Plan for high availability and disaster recovery
        • Integration with existing Active Directory forests and domains
        • Prepare Active Directory for the integration
        • Import considerations
        • Supported attribute syntaxes
      • Manage your Active Directory integration
        • Install the Okta Active Directory agent
        • Configure Active Directory import and account settings
        • Configure Active Directory provisioning settings
        • Multiple Okta Active Directory agents
        • Install multiple Okta Active Directory agents
        • Update the Okta Active Directory agent
        • Uninstall Okta Active Directory agent
        • Locate the Okta AD Agent log
        • Change the Okta Active Directory agent user
        • Change the number of Okta Active Directory agent threads
        • Okta Active Directory agent variable definitions
        • Configure DMZ server ports for Active Directory integrations
        • Register multiple domains to an Okta Active Directory agent
        • Make Active Directory the Profile Source
        • Rename an Active Directory domain
        • Delegated authentication with Active Directory
        • Enable delegated authentication for Active Directory
        • Check AD DirSync readiness
        • Enable imports with DirSync
      • Manage Active Directory users and groups
        • Import Active Directory users on demand
        • Schedule Active Directory user imports
        • Add and update users with Active Directory Just-In-Time provisioning
        • Make names optional in Active Directory
        • Confirm imported Active Directory user assignments
        • Import groups from Active Directory
        • Push groups from Okta to Active Directory
        • Enable universal security group support
        • Configure enhanced group push for Active Directory organizational units
        • Enable Okta-sourced user Organizational Unit updates
        • View users and groups associated with an Active Directory instance
        • Remove a group from Active Directory provisioning
        • Exclude AD username updates during provisioning
        • Disconnect users from Active Directory
        • Bidirectional Group Management with Active Directory
          • Access governance for AD groups
      • Work with Active Directory attributes
        • Base Active Directory attributes
        • Active Directory attribute mappings to Okta properties
        • Exclude Active Directory username updates during provisioning
      • Active Directory Desktop Single Sign-on
        • Desktop Single Sign-on prerequisites
        • Active Directory Desktop Single Sign-On known issues
        • About Active Directory Desktop Single Sign-on and Just-In-Time provisioning
        • Identify your Desktop Single Sign-On type
        • Configure agentless Desktop Single Sign-on
          • About the agentless Desktop Single Sign-on workflow
          • Create a service account and configure a Service Principal Name
          • Configure browsers for Windows agentless Desktop Single Sign-on
          • Configure browsers for Mac agentless Desktop Single Sign-on
          • Enable agentless Desktop Single Sign-on
          • Update the default Desktop Single Sign-on Identity Provider routing rule
          • Validate the agentless Desktop Single Sign-on configuration
          • Test the agentless Desktop Single Sign-on configuration
        • Migrate your agentless Desktop Single Sign-on configuration
          • Migrate from Integrated Windows Authentication to agentless Desktop Single Sign-on
          • Set the service principal name
          • Configure browsers for single sign-on on Windows
          • Test the Desktop Single Sign-on settings
        • Desktop Single Sign-on FAQ
        • Desktop Single Sign-on troubleshooting
      • Manage passwords
        • Synchronize passwords
          • Password synchronization use cases
          • Synchronize passwords from Okta to Active Directory
          • Synchronize passwords from Active Directory to Okta
          • Application password synchronization
          • Use Okta API to expire user passwords
          • Troubleshoot password synchronization
        • Password migration from AD to Okta
          • Password migration considerations
          • Run a password migration
      • Automatically update Okta Active Directory agents
        • View Okta Active Directory (AD) agent status information
        • Auto-update a single agent on demand
        • Auto-update multiple agents on demand
        • Retry an on-demand agent auto-update
        • Cancel an on-demand agent auto-update
        • Schedule agent auto-updates
        • Turn an agent auto-update schedule on or off
        • Delete an agent auto-update schedule
        • Define the behavior for failed agent auto-updates
        • Unsubscribe from agent auto-update email notifications
        • Download the latest agent version
      • Active Directory integration FAQ
    • LDAP integration
      • Get started with LDAP integration
        • LDAP integration prerequisites
        • LDAP integration known issues
        • LDAP integration limits
        • LDAP integration features
        • Supported LDAP directories
        • LDAP incremental import support
      • Manage your LDAP integration
        • Install the Okta LDAP Agent
        • Configure LDAP integration settings
        • Configure Okta to LDAP provisioning settings
        • Configure LDAP to Okta provisioning settings
        • Modify LDAP integration settings
        • Enable LDAP over SSL
        • Enable delegated authentication
        • Map Okta user profile attributes to LDAP attributes
        • Add and update users with LDAP Just-In-Time provisioning
        • Verify the Okta LDAP agent download
        • Reconfigure an Okta LDAP Agent
        • LDAP configuration parameters
        • Change the number of Okta LDAP agent threads
        • Add or remove custom LDAP attributes
        • Locate the Okta LDAP agent log
        • Manage the Okta LDAP Agent
        • Uninstall or reinstall the Okta LDAP Agent
      • Configure supported LDAP directory services
        • AD LDS LDAP integration reference
        • eDirectory LDAP integration reference
        • IBM LDAP integration reference
        • OpenDJ LDAP integration reference
        • Oracle Internet Directory LDAP integration reference
        • OpenLDAP integration reference
        • Oracle Directory Server Enterprise Edition LDAP integration reference
        • Oracle Unified Directory LDAP integration reference
        • Sun ONE Application Server LDAP integration reference
      • Set up and manage the LDAP Interface
        • LDAP Interface known limitations
        • LDAP Interface connection settings
        • Enable the LDAP interface
        • Expose app groups in the LDAP interface directory information tree
        • Use multifactor authentication with the LDAP Interface
        • LDAP interface pagination control
        • LDAP interface troubleshooting
      • Bidirectional Group Management with LDAP
      • Automatically update Okta LDAP agents
        • View LDAP agent status information
        • Auto-update a single agent on demand
        • Auto-update multiple agents on demand
        • Retry an on-demand agent auto-update
        • Cancel an on-demand agent auto-update
        • Schedule agent auto-updates
        • Turn an agent auto-update schedule on or off
        • Delete an agent auto-update schedule
        • Define the behavior for failed agent auto-updates
        • Unsubscribe from agent auto-update email notifications
        • Download the latest agent version
      • LDAP integration troubleshooting
    • CSV directory integration
      • Get started with CSV directory integration
        • CSV directory integration prerequisites
        • Typical workflow for integrating CSV directories
      • Manage your CSV directory integration
        • Download and install the Okta Provisioning agent
        • Configure the CSV directory integration settings
        • Configure the CSV directory integration profile attributes
        • Configure the CSV directory integration import settings
        • Test the CSV directory integration
  • User management
    • Manage users
      • Add users manually
      • Add and update users with Just-In-Time provisioning
      • Use Anything-as-a-Source
      • Import users
        • View the Import Monitoring dashboard
        • Import users from an app
        • Edit app provisioning settings
        • Clear unconfirmed users
        • Import users from a CSV file
        • Assign users to apps using a CSV file
        • Match imported user attributes
        • Import safeguards
        • Enable or disable import safeguards
        • Change threshold for import safeguard
        • Resolve import safeguard warnings on the Import Monitoring dashboard
      • Activate user accounts
      • Deactivate and delete user accounts
      • Edit deactivated user profiles
      • End Privileged Access
      • Assign applications to users
      • Search for application users
      • Unassign users from applications
      • Unlock an individual user account
      • Unlock multiple user accounts
      • Suspend and unsuspend users
      • Reset a user password
      • Reset multiple user passwords
      • Reset multifactor authentication for users
      • Revoke all user sessions
      • Allow unknown devices to sign in
      • Manage password expiry
        • Expire all user passwords
        • Expire a user's password on the Okta Admin Console
      • User account status
    • Manage groups
      • Groups
      • Okta group source types
      • Create a group
      • About group duplication in Microsoft Office 365
      • View group members
      • Manually assign people to a group
      • Bulk assign people to a group
      • Remove people from a group
      • Enable group import from provisioning-enabled apps
      • Review group imports
      • View and edit Okta group attributes
      • Remove groups imported from provisioning-enabled apps
      • Assign a single app to groups
      • Assign multiple apps to a group
      • Manage group prioritization
        • Prioritize application groups
        • Assign attribute group priority
        • Group prioritization use case
      • Manage group rules
        • Group rules
        • Group rules best practices
        • Manual group user management
        • Create group rules
        • Verify group membership changes
        • Edit group rules
      • Manage Group Push
        • Group Push
        • Group Push prerequisites
        • Enable Group Push
        • Group Push operations
        • App assignments and Group Push
        • Troubleshooting Group Push
      • Manage Group Linking
        • Configure Group Linking
        • Configure Group Linking to delete application groups
    • Manage profiles
      • Profile types
      • Attribute mappings
      • Expressions
      • About rich SAML assertions and WS-Federation claims
      • Work with profiles and attributes
        • View the Okta default user profile
        • View the Okta default group profile
        • Make the user profile first and last name optional
        • Create a custom character restriction for the Okta username
        • Add custom attributes to an Okta user profile
        • Add custom attributes to a default Okta group profile
        • Add custom attributes to apps, directories, and identity providers
        • Edit Okta default group profile custom attributes
        • Remove custom attributes from a default Okta group profile
        • Delete custom app, directory, and identity provider attributes
        • Enforce uniqueness of custom attributes
        • Enforce custom attribute uniqueness
        • Add or remove custom directory schema attributes
        • Review reserved attributes
        • Profile Push
        • View existing application attribute mapping
        • Map Okta attributes to app attributes in the Profile Editor
        • Map app attributes on the Provisioning page
        • Edit application attribute mapping
        • Modify attributes with expressions
        • Override a user name format
        • Override an app username
        • Override application attribute mapping
        • Remove mapping
        • Automatically update an app username
      • Work with Universal Directory user types
        • Custom user types in Universal Directory
        • Universal Directory custom user types known issues
        • Create a custom user type
        • Map a user type to an application
        • Create a user and assign a user type
        • Change the user type
        • Delete a user type
      • Manage profile and attribute sourcing
        • Profile sourcing
        • Designate profile sources for user attributes
        • Prioritize profile sources
        • Make an app the profile source
        • Define the attribute profile source
        • Map profile attributes
        • Edit user attributes
        • Allow users to edit attributes
    • Manage realms
      • Requirements and limitations
      • Get started with realms
      • Create realms
      • Delegate realm management
      • Manage realm users
      • Realm assignments
      • Realms with Okta Identity Governance
      • Use Workflows to manage realms
    • Manage external users external users
      • Set up Partner Admin Portal Partner Admin Portal
        • Create a Partner Admin Portal
        • Set up partner admins
        • Assign users to the Partner Admin Portal
        • Permissions for partner admins
      • Manage the Partner Admin Portal Partner Admin Portal
        • Manage users
        • Manage groups
        • Manage apps
      • User classification
        • Set up user classification
    • Manage service accounts
      • Alternative options to service accounts
      • Set up the Okta Privileged Access app
      • Manage a SaaS app service account
      • Manage an Okta user account as a service account
  • Okta for AI Agents
    • Discover and assess AI agents
      • AI agent discovery in ISPM
      • Discover AI agents in managed apps
      • Discover shadow AI agents using the SAM plugin
        • Okta Secure Access Monitor plugin
        • Configure the Secure Access Monitor plugin
        • Assess AI agents that have privileged OAuth scopes
    • Add and register AI agents
      • Add AI agents manually
      • AI agent imports
        • Apps that support AI agent imports
        • Provider app-specific configurations
          • Configure AWS IAM Identity Center for AI agent imports
          • Configure Salesforce.com for AI agent imports
          • Configure ServiceNow UD for AI agent imports
        • Enable AI agent imports for an app
        • Import AI agents from an app
        • Configure imported AI agents
        • View and monitor AI agent imports
      • Update AI agents
      • Okta for AI Agents status types
    • AI agent resource connections
      • Compare AI agent resource types
      • Add custom resource servers
      • Configure resource server connectors
      • Prerequisites for common resource server connectors
      • Add MCP servers
      • Connect AI agents to resources
    • Govern access to AI agents
      • Request access to AI agents
      • Certify AI agents
  • App integrations
    • Get started with app integrations
    • Learn about app integrations
      • Single Sign-On
      • OIDC app integrations
      • SAML app integrations
      • WS-Fed app integrations
      • SWA app integrations
      • SCIM app integrations
      • CASB configuration guide
    • Add app integrations
      • Add existing app integrations
      • Create custom app integrations
        • Create OpenID Connect app integrations
          • Manage secrets and keys for OIDC app client authentication
          • Encrypt OIDC ID tokens for app integrations
        • Create SAML app integrations
          • AIW SAML field reference
          • Define attribute statements
          • Define group attribute statements
          • Manage signing certificates
        • Configure custom claims for app integrations
          • Generate entitlement claims using the legacy configuration
        • Create SWA app integrations
        • Create SCIM app integrations with entitlement management
        • Add SCIM provisioning to app integrations
      • Add an app with Express Configuration
      • Configure Single Sign-On options
      • Configure settings for app integrations
      • Configure Cross App Access
        • Manage Cross App Access connections
      • Configure profile attributes for OIDC apps
      • Self Service for app integrations
        • Workflow to configure Self Service request feature
        • Enable self-service access to apps
        • Configure a Self Service approval workflow
        • Add app integrations as an end user
        • Handle app integration requests
      • Configure the Okta Template App and Okta Plugin Template App
      • Create a Bookmark App integration
      • Simulate an IdP-initiated flow with the Bookmark App
      • Configure Single Logout in app integrations
      • Configure Native to Web SSO
      • Configure Universal Logout
      • Mapping Active Directory, LDAP, and Workday Values in a SAML template
      • Configure a shared signal transmitter
    • Integration guides
      • 1Password Enterprise Password Manager
        • Integrate 1Password Enterprise Password Manager with Okta
        • Configure Okta SSO in 1Password Enterprise Password Manager
        • Manage user assignments and grace periods
        • Integrate 1Password Enterprise Password Manager with Okta for SSO Unlock
        • Verify SP-inititated SSO
      • Advent Black Diamond
        • Advent Black Diamond supported features
        • Configure Advent Black Diamond provisioning with Okta
      • Amazon Web Services Account Federation
        • Learn about Amazon Web Services integration
        • Connect Okta to a single Amazon Web Services instance
          • Configure Okta as the AWS account identity provider
          • Add Okta as a trusted source for AWS roles
          • Generate the AWS API access key
          • Configure the Amazon Web Services Account Federation app in Okta
        • Connect Okta to multiple Amazon Web Services instances
          • Integrate multiple AWS instances
          • AWS user and group access management
          • Configure AWS accounts and roles for SAML SSO
          • Create AWS role groups in an external directory
          • Create management groups to map users to AWS accounts and roles
          • Import AWS role and management groups into Okta
          • Enable group-based role mapping in Okta
          • Assign AWS management groups to the Okta AWS app
        • Configure Okta as IdP for AWS CLI
      • Apple Business Manager
      • Artifactory
        • Artifactory supported features
        • Integrate Artifactory with Okta
      • Atlassian
      • Axway Amplify
        • Axway Amplify supported features
        • Integrate Axway Amplify with Okta
      • BambooHR
        • BambooHR supported features
        • BambooHR integration known issues
        • Integrate BambooHR with Okta
      • BMC Remedyforce
        • BMC Remedyforce supported features
        • Configure BMC Remedyforce provisioning with Okta
      • Box
        • Box supported features
        • Manage your Box integration
          • Integrate Box with Okta
          • Add attributes to a Box profile
          • Add existing Box groups to Okta
          • Assign Box to Okta groups and configure group push
          • Configure SAML group push for Box
      • Confluence On-Premises
      • Coupa
        • Coupa supported features
        • Integrate Coupa with Okta
      • CrowdStrike
        • CrowdStrike supported features
        • Integrate CrowdStrike with Okta
      • DocuSign
        • DocuSign supported features
        • Integrate DocuSign with Okta
      • Dropbox Business
        • Dropbox Business integration prerequisites
        • Dropbox Business integration known issues
        • Silently provision Dropbox Business
        • Dropbox Business supported features
        • Integrate Dropbox Business with Okta
      • FleetDM
        • FleetDM supported features
        • Configure FleeDM provisioning with Okta
      • Google Workspace
        • Troubleshooting
        • Manage Google Workspace users
        • Google email alias support
      • HashiCorp Cloud Platform
        • HashiCorp Cloud Platform supported features
        • Integrate HashiCorp Cloud Platform with Okta
      • HashiCorp Vault
        • Integrate HashiCorp Vault with Okta
        • Configure the OIDC authentication method
        • Configure groups and policies
        • Test the integration
      • Informatica Cloud
        • Informatica Cloud supported features
        • Integrate Informatica Cloud with Okta
      • Jamf Pro Admin Console
        • Jamf Pro Admin Console supported features
        • Integrate Jamf Pro Admin Console with Okta
      • Jamf Pro User Enrollment
        • Jamf Pro User Enrollment supported features
        • Integrate Jamf Pro User Enrollment with Okta
      • JumpCloud
        • Integrate JumpCloud with Okta
        • Configure IdP for JumpCloud
        • Verify SP-initiated Single Sign-On (SSO)
      • Lucid
        • Lucid supported features
        • Integrate Lucid with Okta
      • Meta Work Accounts
      • Microsoft Entra ID and Office 365
        • Microsoft Entra ID Microsoft Entra ID
          • Integrate Microsoft Entra ID using SAML
            • About Microsoft Entra ID SAML integration
            • Create the Okta enterprise app in Microsoft Entra ID
            • Make Microsoft Entra ID an Identity Provider
            • Map Microsoft Entra ID attributes to Okta attributes
            • Test the Microsoft Entra ID integration
          • Integrate Hybrid Microsoft Entra ID Join
            • About Hybrid Microsoft Entra ID devices
            • Prerequisites for integrating Microsoft Entra ID join
            • Configure Office 365 sign-on rules to allow on-prem and cloud access
            • Configure Hybrid Join in Microsoft Entra ID
            • Hybrid Microsoft Entra ID integration FAQs
          • Integrate Windows Autopilot
            • Okta + Windows Autopilot overview
            • How Okta works with Windows Autopilot
            • Supported use cases for Okta with Windows Autopilot
            • Integrate Okta with Windows Autopilot
        • Microsoft Office 365
          • Deploy Office 365
            • Add Office 365 to Okta
            • Configure Single Sign-On for Office 365
            • Provision users to Office 365
            • Import users to Office 365 using Microsoft Graph API
            • Assign Office 365 to users and groups
            • Secure Office 365 using app sign-on policies
          • Office 365 sign on policies
            • About Office 365 sign on policies
            • Best security practices for Office 365 sign on policies
            • Office 365 sign-on rules options
            • Office 365 default sign-on rules
            • Create Office 365 sign-on rules
          • Office 365 provisioning and deprovisioning
            • Enable deprovisioning in Office 365
            • Add custom attributes
            • Map custom attributes
            • Skip importing groups during Office 365 user provisioning
            • Provisioning options for Office 365
            • Deprovisioning options for Office 365
            • Manage Office 365 licenses and roles
            • Supported user profile attributes for Office 365 provisioning
            • Supported user profile attributes for Office 365 import
          • Advanced integration topics for Office 365
            • Allow or deny custom clients in Office 365 sign-on policy
            • Provide Microsoft admin consent for Okta
            • Office 365 Silent Activation: New Implementations
            • Office 365 Silent Activation: Old Implementations
            • Configure certificate-based authentication
            • Use Okta MFA for Microsoft Entra ID (formerly Azure Active Directory)
            • Federate multiple Office 365 domains in a single app instance
            • Okta support for hybrid Microsoft Entra ID joined devices
            • Enable Microsoft Office 365 applications
            • Move Microsoft Office 365 from Secure Web Authentication to WS-Federation
            • Configure Office 365 GCC Tenant
            • Configure Office 365 GCC High Tenant
            • Supported Office 365 GCC High Apps and Services
            • Configure the Okta Template WS Federation Application
            • Configure WS-Federation for Office 365
            • Group linking for Microsoft Office 365
          • Office 365 FAQs
      • Microsoft SharePoint (On-Premises)
        • Typical deployment workflow for SharePoint (On-Premises)
          • Deployment Scenarios
          • Add SharePoint (On-Premises) in Okta
          • Configure Okta as a claims provider in SharePoint (On-Premises)
          • Configure Okta SharePoint People Picker agent
          • Deploy Okta People Picker for SharePoint agent
          • Uninstall Okta People Picker and Okta authentication
          • Troubleshooting: Microsoft SharePoint (On-Premises)
          • Microsoft SharePoint (On-Premises) FAQs
      • Mimecast Personal Portal V3
        • Mimecast Personal Portal V3 supported features
        • Integrate Mimecast Personal Portal V3 with Okta
      • Mulesoft Anypoint Platform
        • Create an OIDC integration
          • Integrate MuleSoft Anypoint Platform with Okta
          • Configure IdP for MuleSoft Anypoint Platform
          • Configure the Redirect URI in Okta
          • Test the integration
        • Create a SCIM integration
          • MuleSoft Anypoint Platform provisioning supported features
          • Integrate MuleSoft Anypoint Platform provisioning with Okta
      • Okta as Microsoft EAM
      • Okta Org2Org
        • Okta Org2Org supported features
        • Integrate Okta Org2Org with Okta
      • Okta Identity Security Posture Management (ISPM)
      • OneLogin
        • Create an OneLogin OIDC integration
          • Integrate OneLogin with Okta
          • Configure Okta SSO in OneLogin
          • Configure Just-In-Time provisioning in OneLogin
          • Verify SP-initiated Single Sign-On (SSO)
        • Create an OneLogin SCIM integration
          • OneLogin supported features
          • Configure OneLogin provisioning with Okta
      • Oracle Human Capital Management
        • Oracle Human Capital Management supported features
        • Enable Oracle Human Capital Management provisioning
      • Oracle Identity Access Management
        • Oracle Identity Access Management supported features
        • Integrate Oracle Identity Access Management with Okta
      • PagerDuty
        • PagerDuty supported features
        • Integrate PagerDuty with Okta
      • Rally Software
        • Rally Software supported features
        • Integrate Rally Software with Okta
        • Add custom Rally Software attributes
      • RingCentral
        • RingCentral integration prerequisites
        • RingCentral supported features
        • Okta to RingCentral attribute mapping requirements
        • Manage your RingCentral integration
          • Integrate RingCentral with Okta
          • Enable RingCentral bidirectional attribute synchronization
          • Add custom RingCentral attributes
        • Troubleshoot RingCentral integrations
      • Salesforce
        • Salesforce supported features
        • Supported Salesforce custom attribute types
        • Manage your Salesforce integration
          • Enable Salesforce single sign-on
          • Enable Salesforce provisioning
          • Add attributes to a Salesforce profile
          • Configure OAuth and REST integration
          • Create a Salesforce Community integration
          • Create a Salesforce Portal integration
          • Create a Salesforce Government Cloud integration
      • SAP Analytics Cloud
        • SAP Analytics Cloud supported features
        • Integrate SAP Analytics Cloud with Okta
      • SAP Concur
        • SAP Concur supported features
        • Integrate SAP Concur with Okta
      • SAP SuccessFactors Employee Central
        • Learn about SAP SuccessFactors Employee Central integration
        • SAP SuccessFactors Employee Central integration prerequisites
        • SAP SuccessFactors Employee Central supported features
        • Learn about SAP SuccessFactors Employee Central data provisioning
        • Supported SAP SuccessFactors Employee Central entities and attributes
        • Manage your SAP SuccessFactors Employee Central integration
          • Integrate SAP SuccessFactors Employee Central with Okta
          • Set Time Zone Aware Pre-hires/Terminations
          • View the SAP SuccessFactors Employee Central Start Date attributes
      • SentinelOne
        • SentinelOne supported features
        • Enable SentinelOne provisioning
      • ServiceNow
        • ServiceNow (Eureka)
        • ServiceNow UD SSO migration guide
        • ServiceNow UD Provisioning migration guide
      • Slack
        • Slack integration prerequisites
        • Slack supported features
        • Supported Slack attributes
        • Integrate Slack with Okta
        • Troubleshoot Slack integrations
      • Splunk
        • Splunk Enterprise supported features
        • Enable Splunk Enterprise provisioning
      • Splunk Cloud
        • Splunk Cloud supported features
        • Configure Splunk Cloud provisioning with Okta
      • ThoughtSpot
        • Create ThoughtSpot OIDC integration
          • Integrate ThoughtSpot with Okta
          • Configure Okta IdP for ThoughtSpot
          • Verify SP-initiated Single Sign-On (SSO)
        • Create ThoughtSpot SCIM integration
          • ThoughtSpot supported features
          • Enable ThoughtSpot provisioning
      • Trend Micro
        • Trend Micro supported features
        • Integrate Trend Micro with Okta
      • Twilio
        • Twilio supported features
        • Integrate Twilio with Okta
      • UKG Pro
        • UKG Pro prerequisites and known issues
        • UKG Pro supported features
        • Create a UKG Pro report and report ID
        • Integrate UKG Pro with Okta
        • UltiPro template
      • Workato
        • Workato supported features
        • Integrate Workato with Okta
      • Workday
        • Workday incremental imports
        • Workday Real-Time Sync
        • Workday Email and Phone writeback
        • Configure Workday writeback for home and work contacts
        • Best practices and FAQ
        • Import with custom reports
      • Workplace by Facebook
      • Zendesk
        • Zendesk supported features
        • Zendesk considerations and limits
        • Integrate Zendesk with Okta
      • Zoho Mail
        • Zoho Mail supported features
        • Integrate Zoho Mail with Okta
      • Netskope Admin Console
        • Netskope Admin Console supported features
        • Integrate Netskope Admin Console with Okta
    • Access and customize app integrations
      • Assign app integrations
      • Manage app integration assignments
      • Manage Federation Broker Mode
        • Enable Federation Broker Mode
        • Disable Federation Broker Mode
        • Federation Broker Mode known limitations
      • Redirect unauthenticated users to a custom login page
      • Redirect unassigned users to a custom error page
      • Convert app integrations from individually owned to group managed
      • Customize an app logo
      • Add notes to an app integration
      • Set up VPN notification
      • Reveal the password of an app integration
      • Pass Device Context using Limited Access for Okta Identity Engine
    • Remove app integrations
      • Deactivate app integrations
      • Delete app integrations
    • Provision apps
      • Get started with provisioning
        • Provisioning
        • Lifecycle of a provisioned user
        • Add provisioned users
        • Workflow for deploying new provisioning app integrations
        • Workflow for adding provisioning to app integrations
        • On-premises provisioning
        • Workflow for deploying on-premises provisioning
      • Provision cloud applications
        • Search for an existing OIN app integration
        • Add an app integration to Okta
        • Create and configure a duplicate app instance
        • Configure provisioning for an app integration
        • Assign app integrations
      • Provision on-premises apps
        • On-premises provisioning and entitlements
        • Enable TLS 1.2
        • Install the Okta Provisioning Agent
        • Install the Okta On-prem SCIM Server agent
        • Agent configuration file
        • Okta On-prem Connector
          • Okta On-prem Connector guides
            • On-prem Connector for Oracle EBS
              • Supported attributes for Oracle EBS
            • On-prem Connector for SAP Netweaver ABAP
              • Configure admin roles for SAP Netweaver ABAP
              • Supported attributes for SAP Netweaver ABAP
            • On-premises Connector for Generic Databases
          • Supported entitlements by On-prem Connector
          • Install Okta On-prem Connector
          • Uninstall Okta On-prem Connector
          • SQL statements, stored procedures, and custom code
          • System requirements for On-prem Connectors - Oracle EBS and SAP Netweaver ABAP
          • System requirements for On-premises Connector - Generic Databases
        • Create an instance of your on-premises app in Okta
        • Create and test SCIM connectors
          • Create SCIM connectors for on-premises provisioning
          • Test SCIM connectors for on-premises provisioning
          • SCIM messages for on-premises provisioning
        • Connect to a SCIM connector
        • Configure the API call timeout period
        • Make an on-premises app the profile source
        • Okta Provisioning Agent incremental import
        • Upgrade Okta Provisioning Agent
        • Uninstall and reinstall the Okta Provisioning Agent
      • Manage provisioned users
        • Assign an app integration to a user
        • Provision users
        • Automatically update user attributes
        • Assign an app integration to a group
        • Convert an individual assignment to a group assignment
        • Automatically deactivate app users
        • Deprovision a user
        • Reactivate a user profile
      • Troubleshoot provisioning
    • App integrations FAQ
    • API Service Integrations
      • Add an API Service Integration
      • Rotate a Client Secret for an API Service Integration
      • Revoke an API Service Integration
  • Devices
    • Okta Device Access
      • Device Access certificates
        • Use Okta as a CA for Device Access
          • Static SCEP for macOS with Jamf Pro
          • Dynamic SCEP for macOS with Jamf Pro
          • Delegated SCEP for macOS with Microsoft Intune
          • Static SCEP for macOS with Workspace ONE
          • Delegated SCEP for Windows with Microsoft Intune
          • Static SCEP for Windows with Workspace ONE
        • Use your own CA for Device Access Device Access
          • Configure Active Directory Certificate Services
        • Verify certificate deployments
      • Platform SSO for macOS macOS
        • Create and configure the PSSO app
        • Configure device management profiles
          • Secure Enclave using a generic MDM
          • Desktop Password Sync using Intune
          • Desktop Password Sync using Jamf Pro
          • Desktop Password Sync using Workspace ONE
          • Desktop Password Sync using a generic MDM
        • Just-In-Time Local Account Creation for macOS
        • Version compatibility and features
        • Support your macOS users
      • Desktop MFA for macOS
        • Create and configure the Desktop MFA app
        • Download Okta Verify
        • Configure and deploy Desktop MFA policies
        • Link an end user account
        • Enforce number challenge for Desktop MFA
        • Enable Desktop MFA recovery
        • Configure Desktop MFA to use FIDO2 keys
        • Support your Desktop MFA users
      • Desktop MFA for Windows
        • Create and configure the Desktop MFA app for Windows
        • Download Okta Verify
        • Deploy Desktop MFA to your endpoints
        • Configure and deploy Desktop MFA policies
        • Enable self-service password reset
        • Enforce number challenge for Desktop MFA
        • Configure Desktop MFA to use FIDO2 keys
        • Configure Desktop Password Autofill
        • Enable Desktop MFA recovery
        • Desktop MFA user experience
        • Support your Desktop MFA users
      • Device-Bound Single Sign-On
        • Configure Device-Bound SSO for macOS
        • Configure Device-Bound SSO for Windows
        • Troubleshoot Device-Bound SSO issues
        • System Log events
      • Sign users out of devices
    • Okta Verify deployment
      • Deploy to Android devices
        • Configuration settings for Android OS
        • Download Okta Verify from the Admin Console
      • Deploy to iOS devices
        • Configuration settings for iOS
        • Deploy using MEM
      • Deploy to macOS devices
        • Configuration settings for macOS
        • Auto-launch Okta Verify on macOS devices
      • Deploy to Windows devices
        • Configuration settings for Windows
        • Deploy using Workspace ONE
        • Configure automatic updates
        • Configure user verification type
        • Configure physical or virtual environments
      • Okta Verify security updates
    • Device registration
    • Managed devices
      • Management attestation for mobile devices
        • Configuration workflow
        • Configure management attestation
        • Integrate Okta with your MDM software
        • Add an app sign-in policy rule for mobile
        • Manage mobile device management configuration
      • Management attestation for desktop devices
        • Configuration workflow
        • Add an app sign-in policy rule for desktop
        • Manage desktop device management configuration
      • Configure a Certificate Authority
        • Client certificates
        • Configure Okta as a CA with static SCEP challenge for macOS with Jamf Pro
        • Configure Okta as a CA with static SCEP challenge for Windows using Workspace ONE
        • Configure Okta as a CA with dynamic SCEP challenge for macOS with Jamf Pro
        • Configure Okta as a CA with delegated SCEP challenge for macOS with Microsoft Intune
        • Configure Okta as a CA with delegated SCEP challenge for Windows with Microsoft Intune
        • Provide your own certificate authority
        • Management attestation FAQ
      • Managed app configurations
    • Endpoint security integrations
      • Get started
        • Prerequisites for endpoint security integration
        • Create an endpoint security integration app sign-in policy
        • Manage endpoint security integrations
          • Add an endpoint security integration
          • Edit an endpoint security integration
          • Delete an endpoint security integration
        • Manage endpoint security integration plugins for macOS
        • Manage endpoint security integration plugins for Windows
        • Validate your endpoint security integration
      • Android Device Trust integration
      • Chrome Enterprise integration
      • Device Posture Provider integration
      • EDR signals for custom expressions
    • Devices inventory
      • View device details
      • Device lifecycle
    • Device assurance
      • Add a device assurance policy
      • Configure advanced posture checks
      • Add user help for device assurance
        • Remediation messages
      • Add custom remediation for device assurance
      • Add device assurance to an app sign-in policy
      • Edit a device assurance policy
      • Delete a device assurance policy
      • System Log events
    • Notification services
    • Expression Language for devices
      • Expression Language attributes
      • Use custom expressions in authentication policies
  • Okta FastPass
    • Configure Okta FastPass
    • Configure a global session policy
    • Enable Okta FastPass
    • Configure an authentication policy
    • Authentication policy examples
    • Disable Okta FastPass
    • Okta FastPass FAQ
    • Known issues
    • Configure SSO extension on iOS devices
    • Configure SSO extension on macOS devices
    • Let users skip the Open Okta Verify prompt
  • Authentication
    • Multifactor authentication
      • Okta Verify
        • Okta Verify options
        • Release controls
        • User experience
        • Collected data types
        • Supported platforms
      • Custom Authenticator
      • Custom OTP
      • Duo Security
      • Email
        • Make email optional
      • Passkeys (FIDO2 WebAuthn)
        • Add the Passkeys (FIDO2 WebAuthn) authenticator
        • Customize the Passkeys (FIDO2 WebAuthn) end-user experience
        • Configure the Passkeys (FIDO2 WebAuthn) access controls
        • Configure the Passkeys (FIDO2 WebAuthn) authenticator groups
        • Customize the Passkeys (FIDO2 WebAuthn) relying party ID domain
        • Review and manage FIDO MDS and custom authenticators
        • Enroll a FIDO2 security key for a user
        • Passkeys (FIDO2 WebAuthn) support and behaviorFIDO2 (WebAuthn) support and behavior
      • Google Authenticator
      • IdP Authenticator
      • Password
        • Self-service account recovery
      • Phone (Voice Call/SMS)
      • Security Question
      • Smart Card IdP
      • Symantec VIP
      • Temporary access code
      • YubiKey OTP
      • Authenticator enrollment policies
        • Create an authenticator enrollment policy
        • Configure rules for authenticator enrollment policies
      • MFA for third-party agents
        • Okta On-Prem MFA agent (formerly RSA SecurID)
          • Add and configure On-Prem MFA/RSA SecurID
          • Disable SSL Pinning
          • Install the On-Prem MFA Agent
          • Configure high availability
          • Configure verbose logging
          • Uninstall and reinstall the agent
          • Swap On-Prem MFA/RSA SecurIDSwap On-Prem MFA/RSA SecurID
        • Okta MFA Credential Provider for Windows
          • Configure your Okta org for MFA Credential Provider for Windows
          • Assign users/groups to the Microsoft RDP (MFA) app
          • Install the Okta Credential Provider for Windows
          • Verify MFA for RDP sessions
          • Configure a system proxy account
          • Troubleshoot MFA issues for the MFA Credential Provider for Windows
        • Okta MFA provider for Active Directory Federation Services
          • Install and configure Microsoft ADFS in Okta
          • Install the Okta ADFS Plugin on your ADFS Server
          • Enable the Okta MFA Provider in ADFS
          • Add Access Control Policy to a Relying Party Application
          • Assign the Microsoft ADFS (MFA) application
          • Verify the Okta MFA prompt when signing in to ADFS
          • Enable OpenID Connect with existing Active Directory Federation Services apps
          • Enable MFA for Active Directory Federation Services (ADFS) as a service
          • Troubleshooting
          • Farm addendum
          • Uninstall the Okta ADFS Plugin on your ADFS Server
          • Configure MFA for Active Directory Federation Services (ADFS)
        • MFA for Electronic Prescribing for Controlled Substances - Hyperdrive
          • MFA for Electronic Prescribing for Controlled Substances - Flow
          • Install and configure Epic Hyperdrive in Okta
          • Install the Okta Hyperdrive Agent
          • Configure Hyperdrive to integrate with Okta
          • Configure a Chronicles device
          • Test the user sign-in process
          • Troubleshoot the Hyperdrive integration
    • Passwordless authentication
      • Set up a passwordless sign-in experience
      • Configure MFA for passwordless users
    • Phishing-resistant authentication
      • Phishing-resistant authenticator enrollment
      • Enable phishing resistance for Universal Windows Platform apps
      • Trusted app filters
    • Okta policies and rules
      • Global session policies
        • Create a global session policy
        • Add a global session policy rule
        • Edit a global session policy
        • Global session policy evaluation
      • Authentication policies
        • App sign-in policies
          • Create an app sign-in policy
          • Add an app sign-in policy rule
          • Assign apps to an app sign-in policy
          • Update an app sign-in policy
          • Use the Policy Insights Dashboard
          • Clone an app sign-in policy
          • Modify app sign-in policies for first-party apps
          • Preset app sign-in policies
          • Merge duplicate policies
          • Create device signal collection rules
          • Authentication method chain
          • Authentication scenarios
          • Biometric user verification in app sign-in policies
          • Device platform security
        • Okta account management policy
          • Edit the Okta account management policy
          • Enrollment of first phishing-resistant authenticator
          • Authenticator enrollment
          • Identity verification for account actions
          • Password recovery and account unlock
          • Enable password expiry
      • Access Testing Tool
    • Identity providers
      • Add a social login (IdP)
      • Add a SAML 2.0 IdP
        • Add a SAML Identity Provider
        • Add metadata for an Identity Provider
        • Configure Universal Directory mappings
        • Specify an error page for Identity Provider, SAML, or SSO
        • Customization options for inbound SAML
      • Add a Smart Card IdP
        • Format a PKI certificate chain
        • Add a Smart Card identity provider
          • Smart Card idpUser expressions
          • Expressions
        • Test the Smart Card or PIV card configuration
        • Troubleshooting Smart Card and PIV card authentication
      • ID verification vendors as IdPs
        • Add a preconfigured ID verification vendor
        • Add a custom ID verification vendor
        • Map profile attributes from Okta to an ID verification vendor
      • Identity provider routing rules
        • Configure identity provider routing rules
        • Configure dynamic routing rules
        • Modify routing rules
      • Generic OpenID Connect
      • Add an Okta Integration identity provider
      • Enable Single Logout for an identity provider
      • Redirect federated users to IdPs for re-authentication
    • RADIUS Integrations
      • Getting Started with RADIUS Integrations
        • About the Okta RADIUS Agent
        • Install and configure the RADIUS Agent
        • About creating Okta applications that use the RADIUS agent
        • Install Okta RADIUS server agent on Windows
          • Install the Okta RADIUS Server Agent for Windows
          • Configure properties
          • Access and manage log files
          • Troubleshoot the Windows RADIUS agent
          • Uninstall the Windows RADIUS agent
        • Install Okta RADIUS server agent on Linux
          • Install the RADIUS Linux server agent
          • Configure proxies
          • Configure properties
          • Manage the agent
          • Troubleshoot the Linux RADIUS agent
          • Access and manage log files
          • Uninstall the agent
        • Determine the RADIUS agent version
      • RADIUS Integrations
        • Amazon WorkSpaces
          • Prepare Amazon WS
          • Install and configure the RADIUS agent in AWS
          • Configure AWS inbound rules
          • Add the Amazon WorkSpaces app
          • Amazon Workspaces with MFA User Experience
          • Configure Amazon Workspaces MFA
          • Provision users
        • BeyondTrust
          • Add the BeyondTrust MFA (RADIUS) app
          • BeyondTrust optional settings
          • Configure the BeyondInsight gateway
          • Testing the BeyondInsight integration
          • Troubleshoot the BeyondInsight integration
        • Check Point
          • Check Point RADIUS integration flow
          • Add the Check Point Software (RADIUS) app
          • Configure the Check Point SmartConsole
          • Configure Check Point optional settings
          • Test the Check Point RADIUS integration
          • Troubleshoot the Check Point integration
        • Cisco Meraki
          • Cisco Meraki RADIUS integration flow
          • Add the Cisco Meraki Wireless LAN (RADIUS) app
          • Cisco Meraki optional settings
          • Configure Cisco Meraki to use the Okta RADIUS Agent
          • Configure wireless clients for Cisco Meraki
          • Troubleshoot Cisco Meraki integrations
        • Cisco ASA IKEv2 VPN
          • Add the Cisco ASA IKEv2 RADIUS app
          • Configure the Cisco ASA VPN to interoperate with RADIUS
          • Configure optional settings
          • Configure the Windows VPN
          • Configure trusted root CA
          • Test the Cisco ASA integration
        • Cisco ASA VPN
          • Add the Cisco ASA VPN (RADIUS) app
          • Configure the Cisco ASA gateway
          • Configure optional settings
          • Test the Cisco RADIUS ASA VPN integration
        • Cisco FMC
          • Add the Cisco VPN for Firewall Management Center RADIUS app
          • Configure Cisco Firewall Management Center
          • Test the Cisco Firepower Management Center integration
        • Citrix Netscaler
          • Citrix Gateway supported versions, clients, features, and factors
          • Add the Citrix Gateway (RADIUS) app
          • Configure the Citrix Gateway
          • Configure optional settings
          • Citrix Gateway end user experience
        • F5 BigIP APM
          • Add the F5 BIG IP RADIUS app
          • Configure F5 BIG IP APM gateway
          • Configure F5 BIG IP optional settings
          • Test the F5 BIG IP integration
        • Fortinet Appliance
          • Add the Fortinet Fortigate (RADIUS) app
          • Configure the Fortinet gateway
          • Configure optional settings
          • Test the Fortinet appliance integration
          • Troubleshoot the Fortinet Application integration
        • NetMotion Mobility
          • Add the NetMotion Mobility (RADIUS) app
          • Netmotion Mobility - Add trusted root certificate
          • Configure NetMotion Mobility to work with RADIUS
          • NetMotion Mobility user experience
        • Palo Alto Networks VPN
          • Palo Alto Networks supported features and factors
          • Add the Palo Alto Networks VPN (RADIUS) app
          • Configure Palo Alto Networks VPN to use the Okta RADIUS
          • Configure optional settings
          • Test the Palo Alto Networks VPN integration
          • Troubleshoot the Palo Alto Network VPN integration
        • Pulse Connect Secure
          • Pulse Connect Secure supported versions, and factors
          • Add the Pulse Connect Secure (RADIUS) app
          • Configure the Pulse Connect Secure gateway
          • Pulse Secure optional settings
          • Test the Pulse Connect Secure integration
        • Sophos UTM
          • Add the Sophos UTM (RADIUS) app
          • Configure the Sophos USM gateway
          • Sophos UTM optional settings
          • Test the Sophos UTM integration
        • VMWare Horizon View
          • Add the VMware Horizon View (RADIUS) app
          • Configure the VMware Horizon View Connection Server
          • VMware Horizon View optional settings
          • Test the VMware Horizon integration
        • Autopush for RADIUS
      • RADIUS applications in Okta
        • Add the RADIUS app
        • Configure the RADIUS customer application
        • Test the generic RADIUS integration
        • Client IP reporting
        • Okta group membership information for authorization
        • RADIUS service address filtering
      • RADIUS server best practices
        • About certificates
        • About the Okta RADIUS server agent
        • Okta RADIUS Server Agent flow
        • RADIUS deployment architectures
        • RADIUS session persistence best practices
        • RADIUS throughput and scaling benchmarks
        • RADIUS common issues and concerns
        • RADIUS server logging
        • RADIUS network zones
      • SAML integration advantages
  • Org-level security
    • Identity Threat Protection
      • Get started
      • Identity Threat Protection key concepts
      • Admin roles for ITP
        • Configure custom admin roles for ITP
      • Observability
        • System Log events
        • View risk detections by user
        • Reports
          • Session protection violation report
          • Entity risk report
          • At-risk user report
        • Dashboard widgets
          • Session protection violations
          • Entity risk detections
          • At-risk users
      • Session protection
        • Configure session protection
        • Session protection reporting
      • Entity risk policy
        • Add a rule
        • Risk detections
          • Breached credential detected
          • Entity critical action from high threat IP
          • Okta Threat Intelligence
          • Suspicious login from an IP flagged by FastPass
          • Suspicious login from an IP flagged in a credential based attack
          • This wasn't me
          • Session influenced user risk
          • Suspected brute force attack
          • Suspicious app access
          • Admin reported user risk
          • Security events provider reported risk
      • Bot protection
        • Configure bot protection for enforcement
        • Bot protection reporting
      • Universal Logout
        • Configure Universal Logout for supported apps
        • Universal Logout supported apps and devices
        • Third-party apps that support Universal Logout
        • Universal Logout revocations
        • Confirm the results of Universal Logout
      • Workflows
        • Create delegated flows for policy actions
      • Shared Signals Framework
        • Configure a shared signal receiver
      • Elevate or lower an entity risk level
    • Administrator roles
      • Learn about administrators
        • Custom admin roles
        • Super administrators
        • Organization administrators
        • Application administrators
        • Group administrators
        • Group membership administrators
        • Help desk administrators
        • Report administrators
        • Read-only administrators
        • API Access Management administrators
        • Access requests administrators
        • Access certifications administrators
      • Set up administrators
        • Use custom admin roles
          • Role permissions
            • Permission conditions
          • Work with the resource set component
            • Create a resource set
            • Edit a resource set
            • Resource set conditions
            • Create an admin assignment using a resource set
          • Work with the role component
            • Create a role
            • Edit a role
            • Create an admin assignment using a role
        • Use standard roles
          • Standard administrator roles and permissions
          • Edit resources for a standard role assignment
        • Work with the admin component
          • Create an admin role assignment using an admin
        • Configure help desk administrators
        • Configure third-party administrators
        • Remove an admin role assignment
        • Configure email notifications for an admin role
        • Configure administrator settings
        • Enable MFA for the Admin Console
      • Administrator resources
        • Administrators page
        • Best practices for group admin role assignments
        • Best practices for creating a custom role assignment
        • Guidance for structuring Okta groups
        • Get started with Okta
      • Govern Okta admin roles
        • Get started
        • Configure policies for Govern Okta admin roles apps
        • Access Requests for admin roles
          • Create an admin role bundle
          • Manage admin role bundles
          • Create an access request condition
          • Manage access request conditions
          • Manage an approval sequence
          • Request admin role assignment
          • Manage admin role access requests
        • Access Certifications for admin roles
          • Create campaigns to review admin roles
          • Manage campaigns
          • Review access to admin roles
    • Breached credentials protection
      • Configure breached credentials protection
      • Test your breached credentials protection configuration
      • User experience with breached credentials protection
    • General Security
      • Keep me signed in
    • Protected actions in the Admin Console
    • HealthInsight
      • About HealthInsight
      • HealthInsight tasks and recommendations
        • Limit the number of super admins
        • Enforce a limited session lifetime for all policies
        • Suspicious Activity Reporting
        • Sign-on notifications for end users
        • Authenticator enrolled notification email for end users
        • Authenticator reset notifications for end users
        • Password changed notification for end users
        • Enable SAML or OIDC authentication for supported apps
        • Change the authentication frequency
        • Evaluate a risk score for each request
        • Blocklist network zones
        • Enable strong password settings for password policies
        • Select authenticators required for enrollment
        • MFA for the Admin Console
        • Blocklist proxies with high sign-in failure rates
        • Enforce Content Security Policy (CSP) for customized sign-in and error pages
    • Network zones
      • Network zone types
        • IP zones
          • IP exempt zone
        • Dynamic zones
        • Enhanced dynamic zones
          • Supported IP service categories
      • Manage network zones
        • Create an IP zone
        • Create a dynamic zone
        • Create an enhanced dynamic zone
        • Edit or delete a network zone
        • Add IPs to a network zone from the System Log
      • Use network zones in your org
        • Generate a Proxy IP report
        • Add a network zone to policies
        • Create a network zone for IWA
        • Troubleshoot network zone issues using System Log
        • Use network zones with VPN notifications
        • Use zones in routing rules
        • Unblock false positives in System Log
      • Network zones FAQ
    • Recent Activity
    • Risk scoring
    • Behavior Detection and evaluation
      • About Behavior Detection
        • Improved New Device Behavior Detection
      • About behavior types
      • Behavior Detection System Log events
      • About behavior and sign-on policies
        • Add behavior condition in an app sign-in rule
        • Add behavior to a Global Session Policy rule
      • Configure Behavior Detection
        • Add a location behavior
        • Add IP behavior
        • Add device behavior
        • Add a velocity behavior
        • Add an ASN behavior
        • Manage behavior settings
        • Reset the user behavior profile
      • Risk and behavior evaluation
      • Behavior Detection and risk evaluation FAQ
    • ThreatInsight
      • About Okta ThreatInsight
      • Configure Okta ThreatInsight
      • Exclude IP zones from Okta ThreatInsight evaluation
      • System Log events for Okta ThreatInsight
      • HealthInsight reporting on Okta ThreatInsight
    • Telephony
      • Choose telephony provider
      • Regulatory compliance
      • Prevent or mitigate telephony-based fraud
      • Configure and use telephony
      • Configure telephony providers through the Admin Console
      • Configure a telephony provider through an inline hook
      • Configure Workflows for Telephony
    • API access management
      • Build authorization servers
        • Create an authorization server
        • Create API access scopes
        • Create API access claims
        • Create access policies
        • Test your authorization server configuration
        • Add trusted servers
        • Rotate signing keys
        • Encrypt access tokens for authorization servers
        • Delete an authorization server
      • Manage Okta API tokens
      • Configure Trusted Origins
        • Trusted Origins for iFrame embedding
    • Allow access to Okta IP addresses
    • Mitigate the impact of third-party cookie deprecation
  • Identity Governance
    • Overview
    • Access Certifications Access Certifications
      • Campaigns
        • Get started
        • Customizable reviewer context
        • Governance analyzer
        • Configure Governance Analyzer settings
        • Best practices for creating campaigns
        • Create preconfigured campaigns
          • Discover inactive users campaign limits
        • Create resource campaigns
        • Create user campaigns
        • Recurring campaign considerations
        • Examples of Okta Expression Language
        • Understand Disable self-review
        • Understand remediation
        • Assignment methods
        • View the progress of an active campaign
        • View previously completed campaigns
        • Copy campaigns
        • Modify a scheduled campaign
        • Modify campaign's end date
        • Certification campaign reviews
          • Review campaigns
          • Reassign review items
      • Security access reviews
        • Get started
        • Launch a security access review
        • Understand remediation
        • Understand prioritization
        • Manage Security Access Reviews
        • Review access
    • Access Requests
      • Get started
      • Conditions
        • Configure policies for Access requests apps
        • Configure settings
        • Create a condition
        • Create an access request condition for a resource collection
        • Manage access request conditions
        • Configure an approval sequence
      • Request types
        • Configure your Okta org for request types
          • Create a team
          • Modify a list
        • Create a request type
        • Configure a request type associated with bundles
        • Request type settings
        • Create a sample Request Type
      • Create requests
        • End-User Dashboard
        • Access Requests web app
        • Slack
        • Microsoft Teams
      • Manage tasks
      • Escalate tasks
      • Manage requests
      • Export data
      • Notifications
    • Entitlement Management Entitlement Management
      • Get started
      • Considerations and limits
      • Provisioning-enabled apps
        • Apps with entitlement support
        • Configure a provisioning-enabled app
        • Provisioning-enabled app limits
        • Coupa requirements
        • GitHub Team requirements
        • Google Workspace requirements
        • NetSuite requirements
        • Salesforce requirements
        • Workday requirements
      • Enable Entitlement management
      • Create campaigns to audit entitlements
      • Entitlements
        • Create
        • Manage
        • Sync entitlements from provisioning-enabled apps
        • Revoke entitlements in downstream apps
      • Entitlement policy
        • Create policy
        • Examples of Okta Expression Language
        • Preview policy
        • Apply policy
        • Manage policy
      • Entitlement bundles
        • Create
        • Manage
    • Resource collections
      • Get started with resource collections
      • Create a resource collection
      • Manage resource collections
      • Manage resource collection assignments
      • Manage resource collection apps
    • Separation of duties
      • Get started with separation of duties
      • Create separation of duties rules
      • Manage separation of duties rules
      • Understand separation of duties conflicts
    • User and resource management
      • Resource owners
        • Assign resource owners
        • Change resource owners
        • Remove resource owners
      • Resource labels
      • Group ownership
        • Configure Okta group owners
        • Import from Active Directory
      • Update group profile attributes
        • Add custom attributes to the default group profile
      • Assign entitlements to users
      • Import user entitlements from CSV
      • Manage user entitlements
      • View user entitlements
      • Governance delegates
        • Assign delegate from the Admin Console
        • Manage delegates
        • Governance tasks for delegates
    • Settings
      • Enable end users to assign delegates
      • Integrations
        • Considerations and best practices for integrating Slack and Microsoft Teams
        • Integrate Slack
        • Configure settings for Slack
        • Integrate Microsoft Teams
        • Integrate Jira
        • Integrate ServiceNow
      • Enable AI
      • Allow requesters to escalate tasks
    • Reports
      • Active Campaign Summary
        • Column reference
      • Active Campaign Details
        • Column reference
      • Past Campaign Details
        • Column reference
      • Past Campaign Summary
        • Column reference
      • Auditor reporting package
        • Generate the auditor reporting package
      • Past Access Requests report
      • Past Access Requests (Conditions) report
      • Separation of duties report
      • User Entitlements report
  • Okta Privileged Access Okta Privileged Access
    • Requirements and limitations
    • Get started with Okta Privileged Access Okta Privileged Access
      • Set up Okta Privileged Access
      • Configure group sync
    • Users and Groups administration
      • Groups
      • Service users
    • Resource administration
      • Resource groups
      • Resource assignment
      • Manage service accounts
        • Certify service accounts
      • Manage Active Directory accounts
        • Requirements and limitations
        • Get started with Active Directory accounts
        • Grant Okta Active Directory (AD) agent password management permissions
        • Set up Active Directory domains
        • Active Directory account rules
          • Set up Active Directory account rules
        • Manual account assignment
        • Windows domain controller
      • Projects
        • Servers
        • Secrets
          • Secret folders
        • Okta service accounts
        • SaaS app service accounts
        • Active Directory accounts
      • Sudo command bundle
        • Create a sudo command bundle
      • System Configuration
    • Security administration
      • Security policy
        • Add rules to a policy
        • Rule conditions
      • Okta Privileged Access with Access Requests
      • Multifactor authentication
      • Privileged elevation
      • Checkout
        • Enable checkout
        • Force a checkin
    • Workloads
      • Requirements and limitations
      • Get started
      • Configure workload connection
      • CLI command for workload authentication
      • Configure workload roles
      • Principal SSH access for automated workloads
    • User guide
    • Deploy and manage servers
      • Install the Okta Privileged Access server agent
        • Install the Okta Privileged Access server agent on Red Hat (RHEL), Amazon Linux, or Alma Linux
        • Install the Okta Privileged Access server agent on SUSE Linux
        • Install the Okta Privileged Access server agent on Ubuntu or Debian
        • Install the Okta Privileged Access server agent on Windows
      • Server Enrollment
        • Create a server enrollment token
        • Verify server enrollment
        • Unenroll a server from Okta Privileged Access
      • Managed Okta Privileged Access server agent
        • Customize SSHD configurations for servers
        • Configure agent lifecycle management hooks for Okta Privileged Access
      • Configure the Okta Privileged Access server agent
    • Okta Privileged Access clients
      • Install the Okta Privileged Access client
        • Install the Okta Privileged Access client on macOS
        • Install the Okta Privileged Access client on Red Hat (RHEL), Amazon Linux, or Alma Linux
        • Install the Okta Privileged Access client on SUSE Linux
        • Install the Okta Privileged Access client on Ubuntu or Debian
        • Install the Okta Privileged Access client on Windows
      • Enroll the Okta Privileged Access client
        • Silently enroll the Okta Privileged Access client
      • Use the Okta Privileged Access client
      • SFT keyring
      • URL handler
      • SSH setup
        • Customize SSH configurations for clients
      • RDP setup
      • Configure clients for use with Okta Privileged Access
        • Configure Cygwin for Okta Privileged Access
        • Use PuTTY for Okta Privileged Access
        • Configure Royal TSX for Okta Privileged Access
        • Use WinSCP for Okta Privileged Access
    • Gateways
      • Install the Okta Privileged Access gateway
        • Install the Okta Privileged Access gateway on Red Hat (RHEL), or Amazon Linux
        • Install the Okta Privileged Access gateway on Ubuntu or Debian
      • Create tokens and labels
      • Configure the Okta Privileged Access gateway
      • Manage the Okta Privileged Access gateway
      • Session recording
        • Enable session recording on a project
        • Install the RDP Session transcoder
        • Manage session logs
      • Okta Privileged Access gateway capacity planning
      • Okta Privileged Access gateway high availability
    • Audit Events Integration with Okta System Log
    • Kubernetes access management
      • Configure Kubernetes access management
      • Kubernetes cluster connections
    • Reference
      • Roles and permissions
      • Okta Privileged Access accounts
      • Components
      • User attributes
        • Configure team-level user attributes
        • Import user attributes using custom mappings
        • Attribute conflicts
      • Okta Privileged Access port requirements
      • Security policy concepts
      • Server name resolution
      • Secret permissions
      • User management
        • User management in Linux
        • User management in Windows
      • Windows Internals
      • Supported SaaS apps
      • Supported operating systems
      • Get support
  • Automations and hooks
    • Automations
      • Add an automation
    • Inline hooks
      • Add an inline hook
      • Preview an inline hook
      • View usage metrics for your inline hooks
      • Delete an inline hook
      • Manage keys
    • Event hooks
      • Create an event hook
      • Edit an event hook filter
        • Okta Expression Language
      • Verify an event hook
      • Preview an event hook
    • Delegated flows
      • Run a delegated flow
  • User experience
    • Account settings
      • Set up contacts
      • Give access to Okta Support
      • Enable the Directories Debugger
      • Configure client-based rate limiting
      • Set up rate limit notifications
      • Configure your email notifications
      • Configure embedded sign-in support
    • Branding
      • Set a theme for your org
      • Customize your sign-in page
        • Understand Sign-In Widget color customization
      • Customize an error page
      • Apply your theme to Okta email notifications
      • Customize the footer for your org
      • Configure associated domains
      • Disable the Okta loading page
    • Custom email and SMS templates
      • Customize an email template
      • Customize a forgotten password recovery email
      • Test a customized email template
      • Customize an SMS message
      • Configure a custom email address
      • Velocity Template Language
    • Customization settings
      • Customize personal information and password management
      • Configure optional user account fields
      • Customize a sign-out page
      • Configure a custom application error page
      • Customize the access denied error message
      • Customize the Content Security Policy (CSP) for a custom domain
      • Configure the Okta Browser Plugin settings
      • Configure a custom domain
      • Use your own email provider
      • Org display language
    • Okta Personal for Workforce
      • Configure interface updates
      • Configure app migration to Okta Personal
      • Okta Personal for Workforce user experience
    • Okta End-User Dashboard
      • End-user experience
      • Control access to the Okta End-User Dashboard
      • Recently used apps
      • Manage dashboard tabs for end users
      • Disable Okta communications to end users
    • Okta End-User Settings
    • Okta Browser Plugin
      • Security features
      • Allow users to add apps
      • Control access to the Okta Browser Plugin
      • Configure custom end-user portals
      • Prevent browsers from saving credentials
      • Okta Browser Plugin permissions for web extensions
      • Manage installation and upgrade
      • Make apps detectable to the Okta Browser Plugin
      • Silent installations
        • Chrome
        • Firefox
        • Internet Explorer
      • Supported browsers
      • End of support for TLS 1.1
    • User enrollment
      • Profile enrollment
        • Self-Service Registration
        • Progressive enrollment
        • Sign-in flows
        • End user sign-in process
      • Configure user profile policies
        • Create a user profile policy
        • Add apps to a user profile policy
        • Collect profile information and register users
        • Create a custom profile enrollment form
        • Understand attribute rules for the profile enrollment form
        • Reassign a user profile policy
        • Delete a user profile policy
        • Multiple identifiers
        • Add identifiers to a user profile policy
      • Set up a default app redirect
    • Enable self-service features
    • Okta first-party App Switcher
  • References and specifications
    • Supported operating systems and browsers
      • Supported OS levels
    • Object IDs
    • Supported Okta email address characters
    • Supported display languages
    • Okta agent support policies
    • Okta disaster recovery
      • Initiate failover and failback for your org
    • Downloads and version histories
      • Okta Active Directory agent version history
      • Okta Active Directory Password Sync agent version history
      • Okta ADFS Plugin version history
      • Okta Browser Plugin version history
      • Okta Confluence Authenticator version history
      • Okta Hyperdrive agent version history
      • Okta Hyperspace agent version history
      • Okta Jira Authenticator version history
      • Okta LDAP agent version history
      • Okta MFA Credential Provider for Windows version history
      • Okta On-prem Connector version history
      • Okta On-Prem MFA agent version history
      • Okta Oracle Access Manager Plugin Version History
      • Okta People Picker for Sharepoint agent version history
      • Okta Provisioning agent and SDK version history
      • Okta On-prem SCIM Server agent version history
      • Okta RADIUS Server agent version history
      • Okta Secure Access Monitor plugin version history
      • Validate agent downloads
    • Documentation for end users
    • Identity Engine for developers
    • Sign-In Widget (third generation)
    • Migrate policies and apps from Microsoft Entra ID to Okta
      • Migration tasks
      • Prepare for the migration
      • Migrate policies
      • Migrate apps
      • Configure bookmark apps
      • Complete your Okta setup
    • Okta architecture models
      • Okta for mergers and acquisitions
        • Acquired company uses Okta
        • Acquired company uses external IdP
        • Acquired company uses AD or LDAP
      • Okta phishing resistance
        • Require phishing-resistant authentication with pre-enrolled YubiKey
          • Create phishing-resistant app sign-in policies
          • Set up Okta Workflows for YubiKey shipment
          • Order pre-enrolled YubiKeys
          • User experience
    • Glossary
  1. App integrations
  2. Provision apps
  3. Provision on-premises apps
  4. Create and test SCIM connectors

Create and test SCIM connectors

Create and test the connectors that send and receive the SCIM communications between the Okta Provisioning Agent and the on-premises app using their API interfaces.

Topics

  • Create SCIM connectors for on-premises provisioning
  • Test SCIM connectors for on-premises provisioning
  • SCIM messages for on-premises provisioning

© Okta, Inc. All Rights Reserved. Various trademarks held by their respective owners.

Top