Configure Native to Web SSO

Early Access release. See Enable self-service features.

Native to Web SSO allows authenticated users to transition seamlessly between trusted native and web apps using a single-use interclient token.

As an admin, you can choose which native apps are allowed to exchange tokens with Okta for access to a target web app. Using a single-use interclient token, native apps can seamlessly redirect users to target web apps and grant policy-driven access.

Add a native app to an allowlist

On the app page, you can define a list of native apps that can request a single-use web SSO token from the app that you're configuring.

  1. Go to Applications > Applications and open a SAML or OIDC app that you want to set as the client app.

  2. Click the Sign On tab.

  3. In the Single use native to web exchange section, click Add app. The Add apps dialog appears.

  4. Select up to five OIDC apps that you want to allow to request a single-use web SSO token from the client app.

  5. Click Done.

Remove an app from an allowlist

You can revoke an app's ability to request a single-use web SSO token from a client app.

  1. Go to Applications > Applications and open a SAML or OIDC app.

  2. Click the Sign On tab.

  3. In the Single use native to web exchange section, find the app that you want to remove from the allowlist.

  4. Click the delete icon. The Remove application dialog appears.

  5. Click Remove application.