Overview
Okta does not support Transport Layer Security (TLS) 1.0 or 1.1 protocols due to known security vulnerabilities. TLS 1.2 is required for all connections.
This may impact Okta functionality if any of the following are true:
- You or your users use old versions of browsers.
- You use old Okta agents.
- You, your developers, or integrators have connections to the Okta API (integrations) that are made from software that does not support TLS 1.2.
Verify your Environment
To ensure that the environment supports TLS 1.2, please perform the following:
Test Your Browser
-
Confirm you already have a supported browser, as listed below.
-
Ask all users to use a supported browser and upgrade to the latest mobile OS.
-
Check caniuse.com to ensure you're using a browser that supports TLS 1.2, and verify that you've enabled TLS 1.2 in the browser.
Supported Browsers for Windows Operating Systems
| Browser | Version | Platforms (If Applicable) | Notes |
|---|---|---|---|
| Note: For details about Okta browsers and TLS support, see here. | |||
| Google Chrome | 30+ | ||
| Mozilla Firefox | 27+ | ||
| ESR 31+ | |||
| Microsoft Edge | All | Windows 10 | |
| Apple Safari | 7+ | OS X 10.9 + | |
| Apple Safari (Mobile) | iOS 5+ |
Update Okta Components
Use the following list (for Okta agents running on Windows servers) to verify that you have updated all the Okta components that you use, and to find new versions if you need to update.
The following table shows the minimum versions of Okta components required to support TLS 1.2. GA versions of agents are available by navigating to the Settings > Downloads page in your Okta organization. Some EA versions are only available from the links provided here. If additional instructions are available, links are provided below.
| Agent Name | Minimum GA Version | Minimum EA Version |
|---|---|---|
| Okta RADIUS Agent* | 2.7.1 | |
| Okta On-Prem MFA Agent (including RSA SecurID) * | 1.3.4 | 1.3.6 |
| Okta SSO Integrated Windows Authentication Web Application* | 1.10.4 | 1.11.4 |
| On-Premise Provisioning Agent | 1.2.2 | - |
| AD Password Sync* | 1.3.5 | - |
| LDAP Agent | 5.4.2 | 5.4.5 |
| AD Agent | 3.4.10 | 3.4.11 |
| Okta Windows Credential Provider* | - | 1.1.2 |
| Okta ADFS Plugin | - | 1.2.0 |
| Okta People Picker for Sharepoint | 2.3.0.0 | - |
| Windows Device Trust | - | 1.2.0 |
*released after March 30, 2018
The following table shows the minimum required version of the Okta Browser Plugin for supported browsers.
| Browser | Minimum GA Version |
|---|---|
| Chrome | 5.16.2 |
| Edge | 5.16.2 |
| Firefox | 5.15.3 |
| Safari | 5.11.0 |
The following items are available from the Apple Store or Google Play Store:
-
Okta Verify for Android:
-
For Android 5.0+ devices, any version of Okta Verify for Android supports TLS 1.2.
-
-
Okta Mobile for Android:
-
For Android 5.0+ devices, any version of Okta Mobile for Android supports TLS 1.2.
-
Update your Firewall Allowlist
Please consult our Configure Firewall Allowlist page to ensure that your firewall allowlist has been updated to include our most recent allowlist additions.
Test Your Integrations
API Integrations are interfaces or applications–including mobile apps and desktop clients–that are separate from Okta, but use Okta data. If you have any API Integrations, please ensure that the TLS 1.2 encryption protocols are enabled in those integrations.
Understanding TLS
TLS is similar to SSL (Secure Sockets Layer). The latter was developed by Netscape and ensures message integrity while guaranteeing server identity. The Internet Engineering Task Force (IETF) created TLS as the successor to SSL. It is used most often as a setting in email programs, but, like SSL, can be used in any client-server transaction. TLS ensures that a connection to a remote endpoint is the intended endpoint with encryption and endpoint identity verification.
The PCI Council released version 3.1 of their Data Security Standard (DSS), which states that SSL 3.0 and TLS 1.0 are no longer supported. This is a response to the POODLE exploit in SSL and other security vulnerabilities. (Details are available, among other places, in this Acunetix article.)
