About the Okta Browser Plugin
The Okta browser plugin enables you to automatically sign into applications that would otherwise require you to manually enter your credentials (e.g., applications that do not support SAML or a direct form POST to a URL). Using the plugin enables you to use SSO for a broader range of applications. To enhance security, the plugin only works with trusted and verified sites. If you have not installed the browser plugin but you have one or more applications that require it, a notice is published on your applications page along with a link to the plugin installation file.
After you have installed the plugin
When you start an app from your Okta Home page, a new browser tab opens to the app's URL. The plugin uses an encrypted SSL connection to obtain authentication information and other required information from Okta, and then applies that information to the page. The plugin does not store your credentials after authentication is complete.
Browser plugins are updated frequently. You are prompted to install the latest version if necessary. For a history of the latest versions, see the Browser Plugin Version History page.
About Okta browser plugin functionality
The plugin provides the following functionality:
Note: Do not select the option Never remember history in the Firefox browser, as doing so makes the Okta browser plugin inoperative.
Enable the Okta browser plugin functionality
The Okta Browser Plugin functionality is automatically enabled for the Everyone group. To change that, do the following:
The Okta Browser Plugin provides several features to enhance the security of your users' credentials.
The plugin uses SSL to obtain your credentials from Okta. When you start an Okta-managed app that requires the plugin, the Okta Plugin popup banner offers to let Okta autofill your credentials. If you accept, the plugin obtains your credentials from Okta using SSL. If you have the automatic submission option selected, this process occurs automatically.
Authentication is a background process in which your credentials are stored temporarily in a place that is inaccessible to the app's sign-on page. The plugin attempts to simulate the process of completing the sign-on page by inserting your credentials into the page, submitting them, and then deleting them after the page redirects. This connection is HTTPS or HTTP depending on the target URL of the app. We highly recommend that you use HTTPS when configuring an app.
SSL Certificate Pinning (Internet Explorer)
The Okta browser plugin for Internet Explorer supports SSL pinning to protect against MiTM attacks. A successful MiTM attack might be able to sniff user credentials, session identifiers, and other sensitive information. Using SSL pinning, the Okta IE browser plugin maintains – or pins – a list of previously-validated and trusted server certificates. When the user browses to a website, the plugin retrieves the site's certificate and compares it to its list of trusted server certificates. If the comparison fails, Okta denies connection to *.okta.com and *.oktapreview.com and prompts the user to contact Okta Support.
Important note: If your enterprise uses web proxies to perform SSL interception or employs other data loss prevention strategies, you need to configure your environment to work with the Okta IE browser plugin.
URL string matching
The plugin checks the strings in your app's URL to ensure that they match the strings in Okta's integration details for that app. This ensures that your credentials are submitted to the correct URL. The table below displays the strings that the plugin looks for, whether or not the string is required, and what format the plugin expects to see.
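The following is an added illustration of such a URL check (example code written for this page, not Okta's plugin code, and the rule fields and sample URLs are assumptions, not Okta's actual integration format). It shows why the hostname must be parsed and compared whole rather than searched for as a substring, and why the scheme is part of the match.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs


@dataclass
class IntegrationUrlRule:
    """Hypothetical stand-in for an app's integration details: the strings
    the plugin expects to find in the sign-in page URL. Field names are an
    assumption for this example, not Okta's schema."""
    scheme: str                      # required: "https" (HTTP is discouraged)
    host: str                        # required: exact hostname of the sign-in page
    path_prefix: str = ""            # optional: path the sign-in page lives under
    required_query: dict = field(default_factory=dict)  # optional query params


def url_matches_integration(url: str, rule: IntegrationUrlRule) -> bool:
    """Return True only if every required string is present in the URL, so
    credentials are inserted into the expected page and nowhere else."""
    parts = urlsplit(url)
    # Compare the parsed hostname as a whole. A substring check would accept
    # lookalikes such as "login.example.test.evil.test" or a userinfo trick
    # like "https://login.example.test@evil.test/", which parse to other hosts.
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != rule.scheme.lower():
        return False
    if host != rule.host.lower():
        return False
    if not parts.path.startswith(rule.path_prefix):
        return False
    query = parse_qs(parts.query)
    return all(v in query.get(k, []) for k, v in rule.required_query.items())


# Constructed sample rules for the demonstration (not real integrations).
EXAMPLE_RULE = IntegrationUrlRule("https", "login.example.test", "/signin")
EXAMPLE_RULE_WITH_QUERY = IntegrationUrlRule(
    "https", "login.example.test", "/signin", {"client": "plugin"})

if __name__ == "__main__":
    # Constructed sample URLs: only the first should receive credentials.
    for candidate in [
        "https://login.example.test/signin?x=1",
        "http://login.example.test/signin",                 # wrong scheme
        "https://login.example.test.evil.test/signin",      # lookalike host
        "https://login.example.test@evil.test/signin",      # userinfo trick
        "https://login.example.test/other",                 # wrong path
    ]:
        verdict = "autofill" if url_matches_integration(candidate, EXAMPLE_RULE) else "deny"
        print(f"{verdict:8} {candidate}")
```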