Secure Web Authentication (SWA) templates fail to inject credentials into the login form or interact with the sign-in button when the login page utilizes a shadow root Document Object Model (DOM). This occurs because the Okta Browser Plugin cannot access elements that a shadow DOM encapsulates. To resolve this limitation, implement a more secure Single Sign-On (SSO) standard, such as Security Assertion Markup Language (SAML) 2.0 or OpenID Connect (OIDC), or configure a Bookmark App for manual login.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Secure Web Authentication (SWA)
- Okta Browser Plugin
Web pages normally have a single, main DOM that organizes all the elements on the page. Browser extensions like the Okta Browser Plugin interact with this standard DOM to find Cascading Style Sheets (CSS) selectors and automatically fill in fields like usernames and passwords, or interact with buttons and checkboxes.
However, a shadow DOM allows a webpage to encapsulate elements on the page. This encapsulation isolates the elements inside the shadow DOM and hides them from the main DOM. The Okta Browser Plugin, designed to interact with the standard DOM, cannot locate or access fields that the webpage places inside an encapsulated shadow DOM, so it cannot identify or interact with those input fields.
All SWA applications rely on the Okta Browser Plugin to locate the login input fields on the webpage and autofill credentials. Because a shadow root DOM prevents the plugin from doing this, SWA is not a viable solution for such login pages.
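The following added example (not Okta code and not part of the original article) is a diagnostic that can be pasted into the browser DevTools console on the affected login page to confirm whether a login field resolves in the main DOM or only inside a shadow root. The selector `input[type="password"]` and the function names are assumptions; fields inside closed shadow roots are not visible to page scripts and are reported as not found.

```javascript
// Added diagnostic, not Okta code. Run in the DevTools console on the login page.
// Reports whether a CSS selector resolves in the main DOM or only inside shadow roots.

// Recursively collect every open shadow root reachable from `root`.
// Closed shadow roots expose element.shadowRoot === null and cannot be seen here.
function collectOpenShadowRoots(root, found = []) {
  for (const el of root.querySelectorAll('*')) {
    if (el.shadowRoot) {
      found.push({ host: el, shadowRoot: el.shadowRoot });
      collectOpenShadowRoots(el.shadowRoot, found);
    }
  }
  return found;
}

function locateField(root, selector) {
  // A lookup on the main document does not cross shadow boundaries.
  if (root.querySelector(selector)) {
    return { location: 'main-dom', hosts: [] };
  }
  // Check each open shadow root separately and record its host element.
  const hosts = collectOpenShadowRoots(root)
    .filter(({ shadowRoot }) => shadowRoot.querySelector(selector))
    .map(({ host }) => host.tagName.toLowerCase());
  if (hosts.length > 0) {
    return { location: 'shadow-dom', hosts };
  }
  // Not in the main DOM or any open shadow root: possibly a closed shadow root,
  // an iframe, or a field rendered later by script.
  return { location: 'not-found', hosts: [] };
}

// Example selector is an assumption; replace it with the field under test.
if (typeof document !== 'undefined') {
  console.log(locateField(document, 'input[type="password"]'));
}
```

A result of `shadow-dom` lists the custom elements hosting the field, which confirms the page falls under the limitation described above.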
What are the alternatives when SWA fails due to a shadow root DOM?
Since SWA does not function with a shadow root DOM, implement one of the following alternative solutions:
- Implement a more secure Single Sign-On (SSO) standard, such as SAML 2.0 or OIDC.
- Configure the application as a Bookmark App, allowing users to access the login page directly and manually enter credentials.
