FirstRain Support

HTTP Public Key Pinning

We're starting to look at HTTP Public Key Pinning (certificate pinning).

Does Okta have any recommended tools, libraries or procedures to support Public Key Pinning in the SSO space?
Marian Chirvasa (Okta, Inc.)
Hi. Okta does support public key pinning for AD agents, LDAP, and the browser plugin.

HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates. (For example, sometimes attackers can compromise certificate authorities, and then can mis-issue certificates for a web origin.) The HTTPS web server serves a list of public key hashes, and on subsequent connections clients expect that server to use 1 or more of those public keys in its certificate chain.
The first time a user visits a * site, the user will be presented with a set of public key pins: one for the public key bound to the active end-entity certificate (the primary pin) and 3 backup public key pins, with a max-age expiry property. The user's browser will cache the 4 pins for the duration of the max-age property. If a rogue site tries to MITM a * site and the user, the user's browser will show an error that the public key presented by the rogue site does not match any of the 4 pins cached in the browser.
If you have further questions, feel free to open a Support case at
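The behaviour described in the answer above (a primary pin plus backup pins served with a max-age, cached by the browser, and a mismatch on a later connection rejected) can be modelled end to end. The following is an added example written for this page; it is not Okta's code, and the SubjectPublicKeyInfo byte strings are constructed placeholders standing in for the DER blobs a real client would extract from the certificate chain. It computes RFC 7469 `pin-sha256` values, parses a `Public-Key-Pins` header, applies the RFC 7469 rules for when a user agent may note a pinned host (at least one pin must match the validated chain and at least one must be a backup that does not), and then performs pin validation on a later connection, including expiry of the cached policy.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. A real client
# extracts these from the certificates in the validated chain; the values here are
# placeholders so the example runs offline.
LEAF_SPKI = b"constructed: leaf SubjectPublicKeyInfo DER"
INTERMEDIATE_SPKI = b"constructed: intermediate CA SubjectPublicKeyInfo DER"
BACKUP_SPKIS = [b"constructed: backup key %d SubjectPublicKeyInfo DER" % i for i in range(1, 4)]
ROGUE_SPKI = b"constructed: mis-issued leaf SubjectPublicKeyInfo DER"


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(primary_spki, backup_spkis, max_age, include_subdomains=False):
    """Server side: the Public-Key-Pins header value for one primary and N backup keys."""
    parts = ['pin-sha256="%s"' % spki_pin(k) for k in [primary_spki, *backup_spkis]]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


_PIN_VALUE = re.compile(r'^"?([A-Za-z0-9+/]+={0,2})"?$')


def parse_pkp_header(value):
    """Parse a Public-Key-Pins header value into (pins, max_age, include_subdomains)."""
    pins, max_age, include_sub = set(), None, False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "pin-sha256":
            m = _PIN_VALUE.match(val.strip())
            if m:
                pins.add(m.group(1))
        elif name == "max-age":
            max_age = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    return pins, max_age, include_sub


def note_pinned_host(header_value, chain_spkis, now):
    """Client side, first visit: decide whether to cache this host's pins.

    Follows the RFC 7469 noting rules: the header needs a max-age, at least one pin
    must match a key in the validated chain, and at least one pin must NOT match
    (the backup pin). Returns the cached policy, or None if the header is ignored.
    """
    pins, max_age, include_sub = parse_pkp_header(header_value)
    if max_age is None or max_age < 0:
        return None
    chain_pins = {spki_pin(k) for k in chain_spkis}
    if not pins & chain_pins:        # nothing in the header matches the chain
        return None
    if not pins - chain_pins:        # every pin is in the chain: no backup pin
        return None
    return {"pins": pins, "expires": now + max_age, "include_subdomains": include_sub}


def validate_chain(policy, chain_spkis, now):
    """Client side, later visit: Pin Validation. True if the connection may proceed."""
    if policy is None or now >= policy["expires"]:
        return True                  # no or expired policy: ordinary PKI validation only
    chain_pins = {spki_pin(k) for k in chain_spkis}
    return bool(policy["pins"] & chain_pins)


if __name__ == "__main__":
    header = build_pkp_header(LEAF_SPKI, BACKUP_SPKIS, max_age=5184000)
    chain = [LEAF_SPKI, INTERMEDIATE_SPKI]
    policy = note_pinned_host(header, chain, now=0)
    print("cached %d pins until t=%d" % (len(policy["pins"]), policy["expires"]))
    print("genuine chain ok:", validate_chain(policy, chain, now=60))
    print("rogue chain ok:  ", validate_chain(policy, [ROGUE_SPKI, INTERMEDIATE_SPKI], now=60))
```

The two rejection branches in `note_pinned_host` are the ones operators most often trip over: a header that lists only the keys already in the chain gives the browser no way to recover after a key rotation, so the RFC requires the browser to ignore it, and a header whose pins match nothing in the chain is a misconfiguration rather than a policy. Once the policy is cached, a chain carrying a key that matches none of the four pins is refused until max-age elapses, which is both the protection against a mis-issued certificate and the reason backup keys must be generated and pinned before they are ever needed.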