Configure whether user passwords and personal information are managed by Okta or externally
If you provide your users an external application through which to manage their personal information and/or password, use the options in this section to configure custom redirect links to that application. The links will appear in your users' Account page. The Forgot password? link on the Okta Sign In page will also redirect to the change password redirect URL, if configured. You can also add link labels and custom messages.
Note: Okta loads the custom personal information and change password flows that you configure in this section as iframes. Because X-Frame-Options lacks broad support across browsers, do not use it on the pages that host these flows.
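The following added example (not Okta code) classifies the response headers of an externally hosted flow page by whether Okta's iframe can load it and whether any other site could frame it as well. Restricting framing with the CSP `frame-ancestors` directive instead of X-Frame-Options is an assumption of this example, and `https://example.okta.com`, the function names and the sample headers are placeholders.

```python
from urllib.parse import urlsplit

OKTA_ORIGIN = "https://example.okta.com"  # placeholder org origin (assumption)

def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in (csp or "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def source_matches(source, origin):
    """Match a CSP host-source against an origin (simplified: ports are ignored)."""
    o = urlsplit(origin)
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != o.scheme:
        return False
    host = host.split("/")[0].split(":")[0]
    if host.startswith("*."):
        return o.hostname.endswith(host[1:])  # "*.okta.com" -> ".okta.com"
    return host == o.hostname

def check_framing(headers, okta_origin=OKTA_ORIGIN):
    """Classify response headers: 'ok', 'blocked', 'inconsistent' or 'unrestricted'."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors(h.get("content-security-policy"))
    if ancestors is not None:
        # Browsers that support frame-ancestors ignore X-Frame-Options when it is set.
        if any(s == "*" or s.endswith(":") for s in ancestors):
            return "unrestricted"      # any site may frame the flow (clickjacking risk)
        hosts = [s for s in ancestors if not s.startswith("'")]  # skip 'self', 'none'
        return "ok" if any(source_matches(s, okta_origin) for s in hosts) else "blocked"
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo.startswith("allow-from"):
        return "inconsistent"          # honoured by some browsers, ignored by others
    if xfo in ("deny", "sameorigin"):
        return "blocked"               # stops the cross-origin Okta iframe
    return "unrestricted"              # no valid framing policy at all

if __name__ == "__main__":
    # Constructed sample responses from a hypothetical change-password page.
    samples = [
        {"Content-Security-Policy": "default-src 'self'; frame-ancestors https://example.okta.com"},
        {"X-Frame-Options": "ALLOW-FROM https://example.okta.com"},
        {"X-Frame-Options": "SAMEORIGIN"},
    ]
    for s in samples:
        print(check_framing(s), s)
```

A result of `ok` means only the listed origins, including the Okta org, can frame the page; `unrestricted` means the flow loads in Okta but also in any other site's frame.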
Select the appropriate option to specify whether users' passwords are managed in Okta or by a different application.
Note: If you select Password is managed by a different application, you must also enter values in the Expired Password section.
This option allows you to redirect end users whose password has expired to a website that presents your org's password recovery instructions.
When you enable the secondary email option, your end users can provide a secondary email address in their Accounts page to which password reset and account creation notices are sent. If this option is disabled, such notices are sent only to your end users' primary email address.
You can configure a security image to appear when users enter a valid Okta username in the Sign-In page. The appearance of the security image helps protect end users against phishing attacks. When a security image is configured, users signing in to Okta for the first time are prompted to select an image. The browser receives a cookie containing the selected security image. The cookie is signed by the site certificate to ensure that an attack site cannot access and load the security image. When users recognize their selected security image, they are reassured that they are logging in to their org.
Note: Because the browser must first create the cookie before displaying the image, the security image is not displayed in the following circumstances:
Okta recommends using Multifactor Authentication (MFA) as a further layer of security.
Some apps must be manually deprovisioned. When this option is enabled, the Deprovisioning Task Manager helps admins keep track of these tasks by listing them in Dashboard > Tasks. When disabled, Okta does not alert you with tasks or send you emails when you deactivate or unassign an application from a user.
Just In Time (JIT) provisioning enables automatic user account creation in Okta the first time a user authenticates with AD Delegated Authentication, Desktop SSO, or inbound SAML.
JIT account creation and activation only works for end users who are not already Okta end users. (JIT updates the accounts of existing end users during full imports.) This means that end users who are confirmed on the import results page, regardless of whether or not they were subsequently activated, are not eligible for JIT activation. When JIT is enabled, users do not receive activation emails.
When using JIT provisioning with AD users, the procedure depends on whether delegated authentication is enabled.
To enable JIT, click Edit under Just In Time Provisioning, and then click Enable Just In Time Provisioning.
You can configure browser plugin settings to manage plugin installations and upgrades, as well as some browser behaviors. This option is useful in locked-down environments where end users can't install or manage the Okta Plugin on their computers.
Enable this option to allow your org to embed Okta in an iFrame.
You can specify an org-wide display language for all end users, and individual end users can specify their own language for their own experience. The user's preference overrides the org-wide display language setting.
What's not localized
Existing end users (activated) — Okta evaluates these sources in the following order to determine which supported language is displayed to activated end users in their Okta instance:
New end users (not activated) — The Welcome email that Okta sends to new end users is localized in the language in users' locale property (if specified) instead of the display language configured for your org (if different).
To set or change the default language for your entire org, do the following:
End users can select from a list of supported languages to customize their own Okta experience. End users see the Okta user interface in their selected language after they are fully authenticated into Okta. Also, all Okta-generated emails sent to these end users are localized in their selected language.
You can customize the headings, links, and labels on the Sign In Page. You can also customize the placeholder text that appears in recovery flows when end users click account recovery links (for example, Forgot password and Unlock account).
Note: For the Sign-In page to display correctly, your browser must be at least 750px in height.
Note: Although Okta displays default labels, links, and headings in the end user's Display language or the browser language, Okta does not display localized versions of your custom text and links. If you entered custom text and links in a different language than the end users' Display or browser language, the Sign-In page will have text in more than one language.
You can change the page to which users are redirected when they sign out of Okta.
If end users try to access an app that has not been assigned to them, you can configure Okta to redirect them to the default Okta URL or to a custom URL that you provide. Unassigned users are more likely to try to access apps if you embed app links in your portal or other sites outside of Okta.
Note: This is a global setting. To specify a custom error page for an individual app, see Redirect unassigned users to a custom error page.
To specify a custom error page for all apps:
You can disable the default Okta loading animation (interstitial page) that appears when users are redirected to custom applications. End users are shown a blank interstitial page instead. This allows you to present a more branded end-user experience.
Through the Windows registry, you can prevent the Okta IE browser plugin from inspecting specified URLs for the presence of login and change password forms. This effectively creates a blacklist of URLs that the plugin will not inspect. In some cases, this may allow pages to load faster.