This article clarifies why the Bill.com Okta Integration Network (OIN) application is not automatically injecting users' credentials and why the Secure Web Authentication (SWA) Single Sign On (SSO) option can no longer be used for this application.

• Okta Integration Network (OIN)
• Secure Web Authentication (SWA)

Bill.com recently changed its login page, affecting the integration between Okta's Bill.com OIN app and the application's webpage. The Username and Password fields, along with the login button, are now encapsulated in a shadow root Document Object Model (DOM) element, making them inaccessible to the Okta Browser Plugin.

Web pages normally have a single, main DOM that organizes all the elements on the page. Browser extensions like the Okta plugin interact with this standard DOM to find CSS selectors and automatically fill in fields like usernames and passwords, or interact with buttons and checkboxes.

However, a shadow DOM allows a webpage to encapsulate the elements on the page. This means the elements inside a shadow DOM are hidden from the main DOM and are isolated. The Okta plugin, designed to interact with the standard DOM, cannot locate and access the username and password fields when they are placed inside this encapsulated shadow DOM. This directly affects the plugin's ability to identify and interact with those specific input fields.

All SWA applications rely on the Okta Browser Plugin to locate the login input fields on the webpage and autofill credentials. Since shadow root DOM directly disrupts this particular ability of the plugin, SWA is no longer a viable solution for this app. 

As SWA can no longer be used with Bill.com, it is recommended to implement a more secure SSO standard like SAML 2.0 or OpenID Connect (OIDC) 2.0.