The Okta Integration Network (OIN) is a catalog of thousands of pre-integrated applications that make it easy to manage authentication and provisioning for all of your users. We offer the industry’s broadest and deepest set of integrations, and we constantly monitor the network, maintaining connections and adding new ones by the day.
Okta enables you to provide SSO access to cloud, on-premise, and mobile applications. You sign into Okta and you can then launch any of your web apps without having to reenter your credentials. Okta establishes a secure connection with a user's browser and then authenticates the user to Okta-managed apps using one of two SSO integration methods:
Okta provides access to cloud apps with the Okta Integration Network (OIN), a collection of thousands of supported applications. SSO protocols and provisioning APIs are maintained by Okta. The applications in the OIN can use SWA, SAML or OpenID, or proprietary APIs.
Okta also provides integrations for on-premise web-based applications. You can integrate on-premise apps using SWA for SSO, SAML toolkits, and support for provisioning and de-provisioning into applications that expose provisioning APIs publicly.
Okta provides integrations for mobile apps, whether they are HTML5 web apps optimized for mobile platforms or native iOS or Android apps. You can access any web application in the OIN with SSO from any mobile device. Mobile web apps can use industry-standard SAML or Okta’s SWA SSO technology. Native applications like Box Mobile can be integrated using SAML authentication for registration and OAuth for ongoing usage.
About SWA Apps
SWA was created for apps that do not support federated SSO. When you enable SWA for an app, end users see a link below their app icon on their My Applications page. Selecting the link enables them to set up and update their credentials for that app. Okta stores the end user's credentials in an encrypted format using strong AES encryption combined with a customer-specific private key. When end users click an application icon, Okta securely posts their credentials to the app login page over SSL and the user is automatically signed in.
By configuring users' sign-in options, you can make their SWA credentials match their Okta credentials so that additional sign-ins are not required after they have signed in to Okta.
When you configure your sign-in options, you can set up SWA so that
Note: The SWA sign-in options are not configurable when Push Okta password is configured as a provisioning option.
Administrator Sets Username and Password
This second option on the Sign On tab is one that provides the most robust level of admin control. It allows the admin to set all usernames and passwords for an app instance, after which the credentials are never exposed to their Okta end-users. This option provides a way to shut off user access to the credentials of sensitive apps. For this to work, ensure that the user does not have an alternative way to reset their app's password. It is also useful for cases where admins must supply a new, obfuscated password to an Okta user—no active communication with the user is required.
To set the usernames and passwords for a particular SWA app, do the following:
Note: The admin-created password can only be viewed when initially created. After sending, the password is no longer visible to the admin. To change the password, it must be reset in the downstream app, then reset in Okta.
If the chosen app was previously assigned to an established Okta group, note that usernames and passwords must still be updated individually and manually for each group member.
The Reveal Password feature is disabled for this option, as end-users will never have access to their passwords.
About SAML Apps
Okta provides integration toolkits to enable apps that are not in the OIN to support SAML. You can obtain SAML integration toolkits for .NET, Java, and PHP platforms.
SSO for Active Directory-Authenticated Web Apps
You can integrate on-premise web apps with Okta. On-premises web apps that use Active Directory (AD) credentials for authentication do not use Integrated Windows Authentication (IWA), but instead require users to enter their AD credentials when they sign in on a browser. When you configure Okta to delegate authentication to AD, signing in to internal web apps can also be automated.
Here's how Okta enables SSO for AD-authenticated internal web applications:
Okta uses SWA to automatically sign users into internal web apps. When you configure an internal web application to delegate authentication to AD (the same source to which Okta delegates authentication), Okta captures the user’s AD password during the sign-in process and automatically sets that password for that user in any applications that also delegate to AD. This enables users to click a link to access these apps, and then sign in automatically. Okta synchronizes the AD password securely. If the password is later changed in AD, this event is captured during sign-in to Okta and immediately updated in the secure password store for that app, ensuring that the next sign-in attempt is successful.
About Template Apps
There are two common SWA template apps that you can use to create apps on demand—one that does a POST to a sign-in page (the Template App) and one that uses a plugin to POST (the Template Plugin App). These template apps allow you to create application integrations in real-time on a running system.
About the Browser Plugin
The Okta browser plugin enables you to automatically sign into applications that would otherwise require you to manually enter your credentials. For more information on the browser plugin, see About the Browser Plugin.
Okta Mobile uses SSO to extend its functionality to apps on iOS and Android devices. The Okta Mobile application provides an embedded Okta browser and app menu. You can download and install the Okta Mobile app from the Apple App store and Google Play store. For details on distributing mobile apps to end users, see Enable access to managed mobile apps.
Note: Not all public mobile apps available from the Apple and Google app stores are available for distribution to OMM-enrolled users through the App Store accessible through Okta Mobile. (Mobile App store for iOS device end users; Play for Work for Android device end users.) Before you can distribute a public mobile app to your end users through OMM, Okta Support must add it to the Okta Integration Network (OIN). To submit a request to add a public app to the OIN, open a case and provide the app name and the link to the app in the appropriate app store.
You can optionally configure Microsoft Exchange ActiveSync (EAS) to synchronize your users' mobile devices with your Exchange server. EAS is a protocol that enables your mobile devices to connect to your Exchange server. This pushes end users' email, calendar, and contacts directly to their device(s).
Note: Google's implementation of Microsoft Exchange ActiveSync (EAS) is not available for free Google accounts. It is available for paying G Suite for Business, Education and Government customers.
If you use Office 365 or G Suite, this is an important configuration procedure you must complete for each app that connects with your Exchange server.
To configure EAS:
If you configured EAS, even changed passwords are pushed to your users' devices, so users do not need to enter passwords.
But if AD Delegated Authentication is enabled, you must do one of the following in order for the device to be updated with a new password:
About the App Integration Wizard
You can use the App Integration Wizard to create your own app. The App Integration Wizard allows you to create custom SWA, SAML 2.0, and OpenID Connect (OIDC) apps. For more information on the App Integration Wizard, see Using the App Integration Wizard.