https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka02a0000005ub4saa&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2fmigrating-to-tls-1-2
Migrating to TLS 1.2
Published: Feb 1, 2018   -   Updated: Jun 29, 2018

On August 1, 2018, Okta will no longer support the Transport Layer Security (TLS) 1.0 or 1.1 protocols due to known security vulnerabilities. In keeping with industry standards and best practices, Okta will migrate to TLS 1.2 for all components, and will deploy the new functionality according to the schedule below. This change affects inbound connections to Okta only. Provisioning connections continue to support TLS 1.0, 1.1, and 1.2.

This document contains all the information you need to be prepared for this upgrade.

Schedule

Date    | Event
3/1/18  | New and reactivated Preview and Production orgs only support TLS 1.2 (no TLS 1.0 or 1.1 support)
8/1/18  | Rollout begins for active, existing Preview and Production orgs to support TLS 1.2 ONLY
8/1/18  | Support stopped for TLS 1.0 and TLS 1.1 connections

What You Need to Do

You must take action if you are in any of the following situations:

  • You or your users use old versions of browsers
  • You use old Okta agents
  • You, your developers, or integrators have connections to the Okta API (integrations) that are made from software that doesn't support TLS 1.2

The rest of this section contains instructions and links for addressing these three situations: browsers, agents or other downloaded software, and integrations.

1. Test Your Browser

  1. Confirm you already have a supported browser, as listed below.
  2. Ask all users to use a supported browser and to upgrade to the latest mobile OS.
  3. Check caniuse.com to ensure you're using a browser that supports TLS 1.2, and verify that you've enabled TLS 1.2 in the browser.
  4. Because some versions of Internet Explorer require configuration to support TLS 1.2, you may need to configure them: Instructions for IE configuration for TLS 1.2
  5. For Windows 7 operating systems, TLS 1.2 is disabled. Please refer to the Microsoft article for more information.

Supported Browsers

Browser                     | Version  | Platforms (If Applicable)           | Notes
Google Chrome               | 30+      |                                     |
Mozilla Firefox             | 27+      |                                     |
Mozilla Firefox             | ESR 31+  |                                     |
Microsoft Internet Explorer | 10       | Server 2008 R2 / Windows 7 and 8    | *Disabled by default (see below)
Microsoft Internet Explorer | 11       | Server 2012 / Windows 10            | Enabled by default
Microsoft Edge              | All      | Windows 10                          |
Apple Safari                | 7+       | OS X 10.9+                          |
Apple Safari (Mobile)       | iOS 5+   |                                     |

Note: For details about Okta browsers and TLS support, see here.

*How to enable TLS 1.2 in Internet Explorer
  • Open Internet Explorer
  • From the menu bar, click Tools > Internet Options > Advanced tab
  • Scroll down to the Security category and check the option boxes for Use TLS 1.1 and Use TLS 1.2
  • Click OK
  • Restart Internet Explorer

2. Update Okta Components

Use the following list to verify that you've updated all the Okta components that you use, and to find new versions if you need to update. You can check the version number of your Okta agent here: How do I check the version number of my Okta agents?.

The following table shows the minimum versions of Okta components required to support TLS 1.2. GA versions of agents are available by navigating to the Settings > Downloads page in your Okta organization. Some EA versions are only available from the links provided here. If additional instructions are available, links are provided below.

Versions of agents marked with an asterisk (*) were released after March 30, 2018.

Agent Name                                                   | Minimum GA Version | Minimum EA Version | Additional Installation Information
Okta RADIUS Agent*                                           | 2.7.1              |                    | Instructions
Okta On-Prem MFA Agent (including RSA SecurID)*              | 1.3.4              | 1.3.6              | Instructions (scroll to "Upgrading from an Existing MFA Agent")
Okta SSO Integrated Windows Authentication Web Application*  | 1.10.4             | 1.11.4             |
On-Premise Provisioning Agent                                | 1.2.2              | -                  | Instructions
AD Password Sync*                                            | 1.3.5              | -                  |
LDAP Agent                                                   | 5.4.2              | 5.4.5              | Instructions
AD Agent                                                     | 3.4.10             | 3.4.11             | Instructions
Okta Windows Credential Provider*                            | -                  | 1.1.2              | https://<your-org-name>-admin.okta.com/static/rdp/OktaWinLoginAgent-1.1.2.zip after Okta Support enables this EA feature
Okta ADFS Plugin                                             | -                  | 1.2.0              | https://.okta.com/static/adfs/OktaADFSAdapter-1.4.0.zip after Okta Support enables this EA feature
Okta People Picker for Sharepoint                            | 2.3.0.0            | -                  | Downloads page; Configuration Instructions
Windows Device Trust                                         | -                  | 1.2.0              | https://.com/static/devicetrust/OktaDeviceRegistrationTaskSetup-1.2.0.msi after Okta Support enables this EA feature; Instructions

*released after March 30, 2018

The following table shows the minimum required version of the Okta Browser Plugin for supported browsers.

Browser | Minimum GA Version
Chrome  | 5.16.2
Edge    | 5.16.2
Firefox | 5.15.3
IE 10   | 5.11.0
IE 11   | 5.11.0
Safari  | 5.11.0

The following items are available from the Apple Store or Google Play Store:

  • Okta Mobile for Android:
    • For Android 5.0+ devices, any version of Okta Mobile for Android supports TLS 1.2.

3. Test Your Integrations

API integrations are interfaces or applications, including mobile apps and desktop clients, that are separate from Okta but use Okta data. If you have any API integrations, please ensure that the TLS 1.2 encryption protocol is enabled in those integrations.
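One way to find browsers, agents or integrations that will break at the cutoff is to inspect the ClientHello each client sends to your Okta org (for example from a packet capture at the network edge) and flag any that never offer TLS 1.2. The Python below is an added example, not Okta's code or part of this article; it assumes you can hand it the raw bytes of a TLS handshake record, and build_client_hello only constructs sample messages for testing rather than real traffic.

```python
import struct

# Wire encodings of the protocol_version field (RFC 5246 / RFC 8446).
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43  # extension a TLS 1.3-capable client uses to list every version it accepts

def client_hello_versions(record: bytes) -> list:
    """Return the TLS versions a ClientHello offers, highest first.

    Pre-1.3 clients advertise only client_version (their highest supported version);
    1.3-capable clients set client_version to 0x0303 and list the real set in supported_versions."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:   # handshake record holding a ClientHello
        raise ValueError("not a TLS ClientHello record")
    body = record[5:]      # strip the 5-byte record header (type, version, length)
    pos = 4                # skip handshake type + 3-byte length
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32          # client_version, then the 32-byte random
    pos += 1 + body[pos]   # session_id (length-prefixed)
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]   # compression_methods
    versions = [client_version]
    if pos + 2 <= len(body):   # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == SUPPORTED_VERSIONS_EXT:
                count = body[pos] // 2   # 1-byte length of the version list, 2 bytes per entry
                versions = list(struct.unpack("!%dH" % count, body[pos + 1:pos + 1 + 2 * count]))
            pos += ext_len
    return [TLS_VERSIONS.get(v, hex(v)) for v in sorted(set(versions), reverse=True)]

def needs_attention(record: bytes) -> bool:
    """True when the client that sent this ClientHello cannot speak TLS 1.2 or newer."""
    return not any(v in ("TLS 1.2", "TLS 1.3") for v in client_hello_versions(record))

def build_client_hello(client_version: int, supported: tuple = ()) -> bytes:
    """Build a minimal ClientHello record for testing (constructed sample, not real traffic)."""
    ext = b""
    if supported:
        vlist = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(vlist) + 1) + bytes([len(vlist)]) + vlist
    hello = (struct.pack("!H", client_version) + b"\x00" * 32 + b"\x00"   # version, random, empty session_id
             + b"\x00\x02\x00\x2f"                                        # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
             + b"\x01\x00"                                                # compression_methods: null only
             + (struct.pack("!H", len(ext)) + ext if ext else b""))
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

Run needs_attention over the first handshake record of each new connection to your org and group hits by source address to get an inventory of clients to upgrade before the 8/1/18 rollout.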

Why Okta is Migrating

While PCI DSS 3.1 allows TLS 1.1 if configured properly, Okta has chosen the safest route and is migrating all customers to TLS 1.2.

Okta API and web connections, email delivery, and other components use TLS as a key part of their security. HTTPS (web) and STARTTLS SMTP (email) also use TLS for security.

When Okta deprecates support for TLS 1.0 and 1.1, you will no longer be able to access any Okta resources using these protocols. Connections, inbound to your Okta org or outbound from it, will fail if they rely on TLS 1.0 or 1.1.

Understanding TLS

TLS is similar to SSL (Secure Sockets Layer). The latter was developed by Netscape and ensures message integrity while guaranteeing server identity. The Internet Engineering Task Force (IETF) created TLS as the successor to SSL. It's most often seen as a setting in email programs, but, like SSL, it can be used in any client-server transaction. TLS encrypts the connection and verifies the identity of the remote endpoint, so that the client knows it is talking to the intended endpoint.

The PCI Council released version 3.1 of their Data Security Standard (DSS), which states that SSL 3.0 and TLS 1.0 are no longer supported. This is a response to the POODLE exploit in SSL and other security vulnerabilities. (Details are available, among other places, in this Acunetix article.)