Using the App Integration Wizard
If the application you want to add is not already in the Okta Applications Network, create it with the App Integration Wizard (AIW). The AIW lets you create custom SWA (Secure Web Authentication), SAML 2.0, and OpenID Connect (OIDC) app integrations that work immediately. After you create an app, you can assign it to users.
Launching the Wizard
A SWA integration provides single sign-on for apps that don't support federated sign-on protocols such as SAML or OIDC. It works with any web app that has a sign-in form, because Okta stores the user's credentials for that app and submits them to the form on the user's behalf. If you choose a SWA integration, step through the AIW to create the app.
If your SWA app integration is successful, the following happens when end users click the app chiclet:
If either of these conditions is not satisfied, or if the app does not behave as expected, contact Okta Support at firstname.lastname@example.org for assistance.
A SAML 2.0 integration uses federated authentication, so end users get one-click access to the app without entering a separate password for it. The fields in the wizard generate the XML of the SAML assertion that Okta sends to the app. If you choose a SAML 2.0 integration, step through the AIW to create the app.
Note: To prevent errors in your SAML integrations, make sure your browser allows Okta to set third-party cookies. See the Okta documentation for detailed instructions.
Note the following about SAML integration:
The SAML app wizard has three main sections:
① General Settings
② Configure SAML
A SAML 2.0 configuration requires a combination of information from your org and from the target app. For help completing each field, use the app's own documentation and the Okta tooltips.
Click the Preview the SAML Assertion button to view the generated XML derived from the Configure SAML section of the SAML app wizard.
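The previewed assertion is the place to catch the mismatches that most often break a SAML integration before any user hits them. The following script is an added example (not Okta's code) that parses an assertion in the shape the preview shows and compares the fields the service provider depends on (Audience URI, Recipient, NameID format, validity window, required attributes) against what that provider expects. The sample assertion, issuer, SP URLs, user and expected values are all constructed for illustration; signature verification is out of scope here and only the presence of a signature element is checked.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used in a SAML 2.0 assertion and its XML signature.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample assertion in the shape the preview shows. The issuer,
# SP URLs and user are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>http://www.okta.com/exk-example</saml:Issuer>
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://sp.example.com/sso/saml"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# What the (hypothetical) service provider expects; take these from its docs.
EXPECTED = {
    "audience": "https://sp.example.com/metadata",
    "recipient": "https://sp.example.com/sso/saml",
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "attributes": ["email"],
}


def _ts(value):
    """Parse the UTC timestamps SAML uses (e.g. 2024-01-01T12:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected, now):
    """Compare an assertion against SP expectations; return a list of problems.

    An empty list means every checked field matches. Signature verification is
    deliberately not attempted here; only the element's presence is checked.
    """
    root = ET.fromstring(xml_text)
    problems = []

    if root.find("ds:Signature", NS) is None:
        problems.append("assertion carries no ds:Signature element")

    audience = root.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected["audience"]:
        problems.append(f"Audience {audience!r} != {expected['audience']!r}")

    scd = root.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected["recipient"]:
        problems.append(f"Recipient {recipient!r} != {expected['recipient']!r}")

    name_id = root.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != expected["name_id_format"]:
        problems.append(f"NameID format {fmt!r} != {expected['name_id_format']!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element (no validity window or audience)")
    elif not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion is outside its NotBefore/NotOnOrAfter window")

    present = {
        a.get("Name")
        for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    for name in expected.get("attributes", []):
        if name not in present:
            problems.append(f"attribute {name!r} missing from AttributeStatement")
    return problems


if __name__ == "__main__":
    now = _ts("2024-01-01T12:00:00Z")
    print(check_assertion(SAMPLE_ASSERTION, EXPECTED, now) or "preview matches expectations")
```

Paste the XML from the preview into SAMPLE_ASSERTION and the service provider's published values into EXPECTED; an Audience or Recipient mismatch here is the same mismatch the app will reject at sign-in time.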
③ Feedback
The feedback you provide helps Okta Support understand how you configured this application.
Are you a customer or partner? – Different options display depending on your selection.
Customer – For customers who are adding an external app:
Software vendor – For software vendors who are integrating their app with Okta:
OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It verifies end-user identity and obtains profile information. For detailed information about OpenID Connect, see Welcome to OpenID Connect.
This is an Early Access feature. To enable it, please contact Okta Support.
A consent represents a user's explicit permission to allow an application to access resources protected by scopes. As part of an OAuth 2.0 or OpenID Connect authentication flow, you can prompt the user with a popup or window to approve your app's access to specified resources. You can set up user consent as part of creating the app.
Consent grants are different from tokens: a consent can outlast a token, and multiple tokens with varying sets of scopes can be derived from a single consent. When an application comes back and needs a new access token, it does not need to prompt the user again if the user has already consented to the requested scopes.
Consent grants remain valid until the user manually revokes them, or until the user, application, authorization server, or scope is deactivated or deleted. User consent requires that your org has the API Access Management feature enabled.
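The following is an added example, not Okta's implementation, that models the consent semantics described above: a grant outlives the tokens issued under it, a new token needs no prompt when the requested scopes are already covered by a valid grant, and a grant stops being valid when the user revokes it or when the user, app, authorization server or scope is deactivated. The store, user IDs, client IDs and scope names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ConsentGrant:
    """One user's approval of a set of scopes for one app on one authorization server."""
    user_id: str
    client_id: str
    auth_server: str
    scopes: frozenset
    revoked: bool = False


@dataclass
class ConsentStore:
    grants: list = field(default_factory=list)
    # Deactivated or deleted objects. A grant that references one is no longer valid;
    # a deactivated scope drops out of every grant (modelling choice for this example).
    inactive_users: set = field(default_factory=set)
    inactive_clients: set = field(default_factory=set)
    inactive_servers: set = field(default_factory=set)
    inactive_scopes: set = field(default_factory=set)

    def _is_valid(self, g):
        return not (
            g.revoked
            or g.user_id in self.inactive_users
            or g.client_id in self.inactive_clients
            or g.auth_server in self.inactive_servers
        )

    def consented_scopes(self, user_id, client_id, auth_server):
        """Union of scopes covered by still-valid grants, minus deactivated scopes."""
        scopes = set()
        for g in self.grants:
            same_target = (g.user_id, g.client_id, g.auth_server) == (user_id, client_id, auth_server)
            if same_target and self._is_valid(g):
                scopes |= g.scopes
        return scopes - self.inactive_scopes

    def record_consent(self, user_id, client_id, auth_server, scopes):
        self.grants.append(ConsentGrant(user_id, client_id, auth_server, frozenset(scopes)))

    def revoke(self, user_id, client_id, auth_server):
        """The user manually revokes the app's consent; every grant for that app is voided."""
        for g in self.grants:
            if (g.user_id, g.client_id, g.auth_server) == (user_id, client_id, auth_server):
                g.revoked = True


def request_token(store, user_id, client_id, auth_server, requested_scopes, user_approves=True):
    """Simulate an authorization request and return (granted_scopes, prompted).

    The user is prompted only for scopes not already covered by a valid grant.
    If the user declines, no token is issued. Requesting a deactivated scope is an
    error, as an authorization server would reject an unknown scope.
    """
    requested = frozenset(requested_scopes)
    if requested & store.inactive_scopes:
        raise ValueError("invalid_scope: requested scope is deactivated")
    missing = requested - store.consented_scopes(user_id, client_id, auth_server)
    if not missing:
        return requested, False            # token derived from the existing consent
    if not user_approves:
        return frozenset(), True           # prompted, but the user denied
    store.record_consent(user_id, client_id, auth_server, missing)
    return requested, True


if __name__ == "__main__":
    store = ConsentStore()
    print(request_token(store, "u1", "app1", "default", ["openid", "profile"]))  # prompted
    print(request_token(store, "u1", "app1", "default", ["openid"]))             # no prompt
    store.revoke("u1", "app1", "default")
    print(request_token(store, "u1", "app1", "default", ["openid"]))             # prompted again
```

The point to keep in mind operationally is the last branch: revoking or deactivating the app, user or authorization server does not invalidate tokens already issued, it only stops new tokens being minted silently, so revocation of an unwanted grant should be paired with token revocation where the app's token lifetime matters.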
Before you begin
You need four pieces of information before you begin setting up an OIDC app in Okta.
Set the Groups Claim Filter
To identify the groups claim filter, go to the Sign On tab and view the OpenID Connect ID Token section.
If the value you specify in Groups claim matches more than 100 groups, an error occurs when the API tries to create ID tokens. This limit is likely to change in the future. Most apps don't need to change the Token Credentials setting, which is displayed alongside the OpenID Connect ID Token section.
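To see the 100-group limit as a failure mode rather than a sentence, the following is an added example (not Okta's code) that applies a groups claim filter to a user's group list and refuses to build the claim when the filter is too broad. The filter kinds (starts_with, equals, contains, regex) and the sample group names are assumed for illustration; the page states only the limit itself.

```python
import re

# Limit stated on the page: more than this many matching groups is an error.
MAX_GROUPS_IN_CLAIM = 100


class GroupsClaimError(ValueError):
    """Raised when the filter would put too many groups in the ID token."""


def filter_groups(group_names, kind, value):
    """Return the subset of group_names selected by a filter, sorted for stable output.

    The filter kinds here (starts_with, equals, contains, regex) are assumed for
    illustration; check the Groups claim filter options shown in your Okta org.
    """
    if kind == "starts_with":
        matches = lambda g: g.startswith(value)
    elif kind == "equals":
        matches = lambda g: g == value
    elif kind == "contains":
        matches = lambda g: value in g
    elif kind == "regex":
        pattern = re.compile(value)
        matches = lambda g: pattern.search(g) is not None
    else:
        raise ValueError(f"unknown filter kind {kind!r}")
    return sorted(g for g in group_names if matches(g))


def build_groups_claim(group_names, kind, value, claim_name="groups"):
    """Build the groups claim, or raise GroupsClaimError when the filter is too broad."""
    matched = filter_groups(group_names, kind, value)
    if len(matched) > MAX_GROUPS_IN_CLAIM:
        raise GroupsClaimError(
            f"filter {kind}={value!r} matches {len(matched)} groups "
            f"(limit {MAX_GROUPS_IN_CLAIM}); narrow the filter")
    return {claim_name: matched}


# Constructed sample: 150 per-app groups plus two broad ones (hypothetical names).
SAMPLE_GROUPS = [f"app-{i:03d}-users" for i in range(150)] + ["Everyone", "okta-admins"]


if __name__ == "__main__":
    print(build_groups_claim(SAMPLE_GROUPS, "equals", "okta-admins"))
    try:
        build_groups_claim(SAMPLE_GROUPS, "starts_with", "app-")
    except GroupsClaimError as err:
        print("rejected:", err)
```

A filter that is too broad fails at token-creation time for every user it applies to, so test the filter against your largest-membership users before assigning the app, and keep the claim to the groups the app actually authorizes on.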