Org Summary - Custom App Login URL
Administration
Okta Classic Engine
Okta Identity Engine

The following reconfiguration has been identified as part of the preparation for the upgrade to Okta Identity Engine (OIE).

NOTE: Additional Okta features may require reconfiguration or be disabled to complete the upgrade.


Custom App Login URL


Complexity Level: Low/Consent Required


The purpose of this configuration is to redirect unauthenticated users who attempt to access an Okta-protected application outside of Okta to an alternate/custom login page not available in the Okta-hosted Sign-in Widget. This was introduced several years ago, before Okta Identity Cloud could use vanity URLs and customize the sign-in experience with fine-tuned branding. It was an easy way to depart from the once-rigid Okta sign-in experience.

In Okta Classic Engine, this is the standard configuration for each SAML application under the "Custom App Login URL" configuration option.

Custom Login Page URL

 

Common reasons for this configuration:

  • Ensure the end-user Sign-in experience was branded appropriately.
  • The customer needed to orchestrate a custom Sign-in application access flow.


How does this impact the upgrade to OIE?


This no longer "Blocks" an upgrade from executing (if the redirection URL was configured before the release of parity & Feature EOL).

UPDATE: To avoid the friction during the transition to OIE, the default capabilities of this feature are being brought to the OIE configuration in a limited capacity. This does not include the capabilities of the advanced integration for step-up; these would need to adopt the OIE methods. This configuration will only be available to those who had the "Application Sign-in Page" defined in Okta Classic Engine before the upgrade process. This is to ensure the optimal long-term supported solution is used for all new integrations.

Customers can continue to use this feature "as-is"...

  • In Classic, if configured before Feature EOL.
  • In OIE, if configured at the time of Upgrade.

It functions the same in OIE as in Classic (Redirects to the specified URL if Authentication is needed when reaching Okta Identity Cloud/application).

NOTE: If this is still showing as a blocker, the feature was configured post-parity support. Please contact Okta support to enable the engineering feature [IDX_ALLOW_CUSTOM_APP_LOGIN_URL] to allow the upgrade.

This "Custom App Login URL" functionality has reached End of Life; thus, it will no longer be available in Classic or Identity Engine if it has not been configured before EOL. One of the configuration options below is recommended.


How to remediate this configuration


No configuration changes are required for the upgrade. Consent is needed to confirm the understanding that this capability has been deprecated and that replacing it with one of the options below is advised.

To align with a better end-user experience, the following implementation methods are being proposed (in order of optimizing user experience, not level of effort to implement):

  • Switch to Okta-hosted Sign-in Experience

    • Use the branding + application context to display the appropriate look/feel.
    • Limited extensibility when using the default (non-vanity domain)
    • Unlocks the full capabilities of OIE
  • Switch to an Embedded Okta Sign-in Widget

    • Maintains control in the source application
    • Multiple points of entry/branding/experiences
    • Unlocks the full capabilities of OIE
  • Switch to an Embedded Okta SDK

    • Maintains control in the source application
    • Multiple points of entry/branding/experiences
    • Unlocks most of the capabilities of OIE
  • Overload the IdP plus a routing rule to perform the redirection

    • Implements the same concept as the App Login Page; however, it allows this to be rules-based (IdP Routing Rules)
    • Allows for centralized management/multiple application configurations
    • Requires Embedded Sign-in Widget (or SDK) for OIE Capabilities

Implementation Methods


Is there additional training or information that can help with this remediation?

The following resource is available: Custom app login


Identify which applications have a Custom App Login URL


This script can be run in the Developer Tools of the browser while logged into the admin console:

(async function () {
    console.clear()
    console.log("*** Starting Script ***")
    // Relative URL: requests go to the admin console origin using the current session
    let url = "/api/v1/apps?limit=200"
    let apps = []
    let counter = 1
    while (url) {
        console.log("Making call " + counter + " to Okta Apps API")
        const r = await fetch(url)
        if (!r.ok) {
            // Stop on an error response so its body is not treated as app data
            console.log("Okta Apps API returned HTTP " + r.status + ". Stopping.")
            return
        }
        apps = apps.concat(await r.json())
        counter++
        // Follow the rel="next" Link header until there are no more pages
        url = r.headers.get('link')?.match('<https://[^/]+(/[^>]+)>; rel="next"')?.[1]
    }
    console.log("Completed getting App Data. Checking for CustomAppURLs")
    if (apps.length > 0) {
        let found = 0
        apps.forEach(app => {
            // accessibility or loginRedirectUrl can be missing or null when no custom URL is set
            const loginUrl = app.accessibility?.loginRedirectUrl
            if (loginUrl != null) {
                console.log("App '" + app.label + "'[OktaAppId:" + app.id + "] was found to have a CustomAppURL of '" + loginUrl + "'")
                found++
            }
        })
        if (found === 0) {
            console.log("No Apps with CustomAppURL were detected")
        }
    } else {
        console.log("No apps were detected in this org. ")
    }
    console.log("*** Terminating Script ***")
})()
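
An added example (not part of the original Okta article): once the script above has listed the apps, the redirect targets can be triaged offline before choosing a replacement method. It takes app records with the same id, label and accessibility.loginRedirectUrl fields, flags URLs that are not HTTPS, do not parse, or point at a host outside a list you supply, and groups apps by destination host. The sample records and EXPECTED_HOSTS are constructed, and auditCustomLoginUrls and groupByHost are hypothetical helper names.

```javascript
// Added example: offline triage of app records; SAMPLE_APPS and EXPECTED_HOSTS are constructed.
const SAMPLE_APPS = [
  { id: "0oaEXAMPLE0001", label: "HR Portal",
    accessibility: { loginRedirectUrl: "https://login.example.com/hr" } },
  { id: "0oaEXAMPLE0002", label: "Legacy Wiki",
    accessibility: { loginRedirectUrl: "http://wiki.example.com/signin" } },
  { id: "0oaEXAMPLE0003", label: "Expenses",
    accessibility: { loginRedirectUrl: "https://sso.example.net/start" } },
  { id: "0oaEXAMPLE0004", label: "Broken",
    accessibility: { loginRedirectUrl: "login.example.com/no-scheme" } },
  { id: "0oaEXAMPLE0005", label: "No custom URL", accessibility: { loginRedirectUrl: null } },
  { id: "0oaEXAMPLE0006", label: "No accessibility block" },
];
const EXPECTED_HOSTS = ["login.example.com"]; // hypothetical: login hosts you operate

// Returns one finding per app that has a Custom App Login URL set.
function auditCustomLoginUrls(apps, expectedHosts = []) {
  const expected = new Set(expectedHosts.map(h => h.toLowerCase()));
  const findings = [];
  for (const app of apps) {
    const raw = app?.accessibility?.loginRedirectUrl;
    if (raw == null || raw === "") continue; // nothing configured for this app
    const issues = [];
    let host = null;
    try {
      const u = new URL(raw);
      host = u.hostname.toLowerCase();
      if (u.protocol !== "https:") issues.push("not-https");
      if (expected.size > 0 && !expected.has(host)) issues.push("unexpected-host");
    } catch (e) {
      issues.push("unparsable-url");
    }
    findings.push({ id: app.id, label: app.label, url: raw, host, issues });
  }
  return findings;
}

// Group app labels by destination host so each custom login page is reviewed once.
function groupByHost(findings) {
  const byHost = {};
  for (const f of findings) {
    const key = f.host ?? "(unparsable)";
    (byHost[key] = byHost[key] || []).push(f.label);
  }
  return byHost;
}
const report = auditCustomLoginUrls(SAMPLE_APPS, EXPECTED_HOSTS);
console.table(report.map(f => ({ ...f, issues: f.issues.join(",") || "none" })));
console.log(groupByHost(report));
```

To use it on real data, pass the apps array collected by the script above in place of SAMPLE_APPS; calling it without a host list skips the unexpected-host check.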

 
