Configure Trusted Origins
A Trusted Origin is a security-based concept that combines the URI scheme, hostname, and port number of a page. All cross-origin web requests and redirects from Okta to your organization's websites must be explicitly allowed.
Use the Trusted Origins tab to grant access to websites that you control and trust to access your Okta org through the Okta API. For developers, see Trusted Origins API.
The following admin configurations require Trusted Origins:
Orgs can use WebAuthn for sign-in pages hosted at Trusted Origins that are different from the org's Okta or custom domain URL. WebAuthn, however, requires the HTTPS protocol. Specify HTTPS, and not HTTP, when you configure a Trusted Origin for this use case.
Complete the following steps to add a Trusted Origin.
- In the Admin Console, go to .
- Select the Trusted Origins tab.
- Click Add Origin.
- Enter the Name and the Origin URL.
  The Origin URL must use one of the following schemes: HTTP, HTTPS, FTP, Ionic 2, or Capacitor.
- Select the origin's type:
  - CORS: Cross-Origin Resource Sharing (CORS) is a standard browser feature that allows JavaScript hosted on your websites to make an XMLHttpRequest (XHR) to the Okta API using the Okta session cookie.
  - Redirect: This type allows browser redirection to your org's trusted websites after signing in or out.
  - iFrame embed (origin): This type allows iFrame embedding of Okta sign-in pages, Okta resources, and the Okta End-User Dashboard. See Trusted Origins for iFrame embedding.
- Click Save.
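The following is an added example, not Okta code: a pre-flight check that reduces a candidate Origin URL to its scheme, hostname, and port and flags values that conflict with the rules on this page (accepted schemes, HTTPS for WebAuthn). The function name, the `ionic:` and `capacitor:` scheme strings, and the example.com hosts are assumptions.

```javascript
// Added example: validate an Origin URL before entering it as a Trusted Origin.
// Assumption: Ionic and Capacitor origins use the "ionic:" and "capacitor:" schemes.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:", "ionic:", "capacitor:"]);

// Returns { origin, problems }. Set useForWebAuthn for origins that will host
// a WebAuthn sign-in page, which must be served over HTTPS.
function checkTrustedOrigin(input, { useForWebAuthn = false } = {}) {
  const problems = [];
  let url;
  try {
    url = new URL(input);
  } catch {
    return { origin: null, problems: ["not a parseable absolute URL"] };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    problems.push(`scheme ${url.protocol} is not an accepted scheme`);
  }
  if (!url.hostname) problems.push("missing hostname");
  if (url.username || url.password) {
    problems.push("credentials are not part of an origin");
  }
  if ((url.pathname && url.pathname !== "/") || url.search || url.hash) {
    problems.push("path, query and fragment are not part of an origin");
  }
  if (useForWebAuthn && url.protocol !== "https:") {
    problems.push("WebAuthn requires an HTTPS origin");
  }
  // An origin is scheme + hostname + port. The URL parser drops a scheme's
  // default port, so https://host:443 and https://host give the same origin,
  // while https://host:8443 is a different origin that needs its own entry.
  return { origin: `${url.protocol}//${url.host}`, problems };
}

// Constructed sample inputs.
const samples = [
  ["https://login.example.com:443", { useForWebAuthn: true }],
  ["http://login.example.com:8080", { useForWebAuthn: true }],
  ["https://app.example.com/callback?x=1", {}],
  ["capacitor://localhost", {}],
  ["wss://app.example.com", {}],
];
for (const [input, opts] of samples) {
  const { origin, problems } = checkTrustedOrigin(input, opts);
  console.log(input, "->", origin, problems.length ? problems : "ok");
}
```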