This article explains why Okta may change the physical IP addresses associated with the custom or default domains and the security implications of these changes. It also clarifies the actions required by administrators when these changes occur.
- Custom domains
- Default domains
A domain name, whether the default Okta domain or a custom Okta domain, is a memorable way to access the organization. It is associated with a physical IP address linked to a server and database. Okta may occasionally change the physical IP address associated with the custom or default domain for security reasons.
Default domains can be susceptible to unauthorized login attempts simply because anyone can enter a URL in the format https://CompanyName.OKTA.com. While unauthorized users will not be able to pass authentication, these attempts will still generate entries in the logs. If user account information is leaked, there may be login attempts in those users' names, which could result in account lockouts depending on the sign-in policies.
Custom domains offer an additional security measure by hiding the default domain. Provided the applications were configured for the custom domain, they may no longer be accessible unless a valid session was initiated at the custom domain. If the custom domain and its IP address were leaked, unauthorized users or bots might still attempt to break in.
Changing the core IP address for all the domains, be they custom or default, is a vital security measure. This change poses no risk to the organization and requires no action. It is merely a notification for our customers to keep them informed.
If the organization is using a firewall or VPN and allowlisting Okta IPs for inbound communication, the following steps are necessary:
- Review the new list of Okta IPs entering production.
- Update firewall or VPN settings to include the new IPs in the allowlist.
- Monitor to ensure that there are no disruptions due to these changes.
These steps will ensure that the inbound communication from Okta is not blocked by the organization's firewall or VPN.
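The three steps above (review the new list, update the allowlist, monitor for disruptions) can be scripted so that the change is reviewed rather than applied by hand. The following Python example is added here and is not Okta's code or tooling: it diffs the firewall's current allowlist against a newly published list of ranges, checks whether a given address is covered, and scans constructed firewall log lines for dropped connections that originate from the new ranges (the sign of a missed allowlist update). All IP ranges and log lines are constructed placeholders from the documentation address blocks, and the log format is an assumption, not a real firewall's.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed placeholder ranges (documentation address blocks), NOT real Okta IPs.
# CURRENT_ALLOWLIST: what the firewall/VPN allows today.
# NEW_OKTA_RANGES: the newly published list to review.
CURRENT_ALLOWLIST = ["203.0.113.0/24", "198.51.100.10/32", "2001:db8:1::/48"]
NEW_OKTA_RANGES = ["203.0.113.0/24", "198.51.100.20/32", "192.0.2.0/25", "2001:db8:1::/48"]

# Constructed firewall log lines; the "DROP src=..." format is an assumption.
SAMPLE_FIREWALL_LOG = [
    "2024-05-01T10:00:00Z DROP src=192.0.2.7 dst=10.0.0.5 proto=tcp dport=443",
    "2024-05-01T10:00:01Z ACCEPT src=203.0.113.9 dst=10.0.0.5 proto=tcp dport=443",
    "2024-05-01T10:00:02Z DROP src=198.51.100.20 dst=10.0.0.5 proto=tcp dport=443",
    "2024-05-01T10:00:03Z DROP src=192.0.2.200 dst=10.0.0.5 proto=tcp dport=443",
]

_DROP_RE = re.compile(r"\bDROP\b.*?\bsrc=(\S+)")


def parse_networks(entries: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse CIDR or bare-address strings; strict=False tolerates host bits."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def _sort_key(net: ipaddress._BaseNetwork):
    # IPv4 and IPv6 networks cannot be compared directly, so order by family first.
    return (net.version, int(net.network_address), net.prefixlen)


def allowlist_diff(current: Iterable[str], new: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Step 1: return (ranges_to_add, stale_ranges) between the current and new lists."""
    cur = set(parse_networks(current))
    nw = set(parse_networks(new))
    to_add = [str(n) for n in sorted(nw - cur, key=_sort_key)]
    stale = [str(n) for n in sorted(cur - nw, key=_sort_key)]
    return to_add, stale


def is_covered(address: str, allowlist: Iterable[str]) -> bool:
    """Step 2 check: True if the address falls inside any allowlisted range."""
    ip = ipaddress.ip_address(address)
    # Membership across address families is simply False, so mixed lists are safe.
    return any(ip in net for net in parse_networks(allowlist))


def blocked_okta_sources(log_lines: Iterable[str], okta_ranges: Iterable[str]) -> List[str]:
    """Step 3: list dropped source addresses that belong to the published Okta ranges.
    Any hit means the allowlist update is incomplete and inbound traffic is being blocked."""
    hits: List[str] = []
    for line in log_lines:
        m = _DROP_RE.search(line)
        if m and is_covered(m.group(1), okta_ranges):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    to_add, stale = allowlist_diff(CURRENT_ALLOWLIST, NEW_OKTA_RANGES)
    print("Add to allowlist:", to_add)
    print("Stale entries to retire:", stale)
    print("Blocked Okta sources:", blocked_okta_sources(SAMPLE_FIREWALL_LOG, NEW_OKTA_RANGES))
```

Run it after loading the real current allowlist and the published list in place of the constructed values; the "stale" list is as useful as the "add" list, since ranges that are no longer Okta's should not stay open on the firewall.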
