Okta Classic Engine | Devices and Mobility | Answered | Dates on record: 2022-04-27, 2022-04-28, 2024-06-17

ad4ev (ad4ev) asked a question.

Android users unable to add work/school/company account by entering organization URL instead of scanning QR code

We have been finding that with a number of Android devices (different OS versions and models), users are unable to enroll for Okta MFA by entering our organization's custom domain name (i.e. login.ourdomain.org) when they're adding a work/school/company account. This workflow starts when the user is asked "Do you have your QR code?" and they choose "No, sign in instead." Upon entering our custom domain name, the app throws an error saying "Error while establishing a trusted connection with Okta."

 

If they enter the standard *.okta.com domain name we were issued, they do not get the error, and enrollment works. Scanning a QR code works just fine too. Additionally, the method to enter our custom domain name works just fine for iOS devices.

 

Could this be due to the Android instance of the app not trusting the custom SSL cert that is issued to our custom domain name and presented to the device? In performing a packet capture on my Android phone, it is definitely throwing responses to the Okta server saying "bad certificate," but my phone's browser itself trusts the cert (issued by Entrust). Everything in my troubleshooting seems to point to a bug with the Android instance of the app. Has anyone seen this before?


  • flaviu.vrinceanu1.5628408972654734E12 (Customer Success Service Delivery)

    Hi @ad4ev (ad4ev)​,

     

    Thank you for posting on the Okta community page!

     

    I have tried to replicate the issue on my end as well, but when I enter the custom domain name to enroll my device into Okta Verify, I am being redirected to my Okta tenant and I can log in successfully. I have done some research and couldn't find a similar scenario, but I managed to find out that Android had a security update in which it broke device trust enrolments, therefore maybe the same security update affected the flow you are describing in which you enroll into Okta Verify by using the custom domain URL.

     

    You might try to check if the certificate for those Android devices contains the full chain by comparing a certificate from a device that works with one that receives the error in question, and if not, update the certificate.

     

    I hope the above information is helpful!

    • ad4ev (ad4ev)

      Thank you for the reply. We're not leveraging any device trust functionality in Okta, and the cert indeed comes with the full chain since multiple browsers on multiple Android phones consider it valid.

      Any chance you could send me your custom domain name, perhaps privately over email, so I can pretend to enroll against that tenant and see what happens? Happy to provide you my email address if that works.
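The "full chain" check suggested in the reply above comes down to one question: does the server present its intermediate CA certificate, or only the leaf? Desktop browsers often paper over a missing intermediate (they fetch it from the AIA URL in the leaf, or already have it cached from another site), while a native mobile app that relies on the platform TLS stack generally does not, so the same site can look fine in a browser and fail in an app. The script below is an added example, not code from this thread or from Okta: it builds a throwaway root -> intermediate -> leaf PKI with the openssl CLI and runs strict path validation twice, once with the intermediate supplied and once with the leaf alone, so the two outcomes can be compared side by side. It assumes the openssl CLI is on PATH; the hostname login.example.test is a placeholder, not a real tenant.

```shell
#!/bin/sh
# Added example (not from the thread or from Okta): reproduce the "missing intermediate"
# failure mode offline with a throwaway test PKI and strict chain validation.
# Assumptions: openssl CLI on PATH; login.example.test is a placeholder hostname.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="login.example.test"   # placeholder, not a real domain

# Minimal req config so the root gets CA:TRUE regardless of the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA (test only)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Extensions for the intermediate (a CA that may only sign leaves) and the server leaf.
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/inter.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" \
  > "$WORK/leaf.ext"

# build_pki: self-signed root, intermediate signed by the root, leaf signed by the intermediate.
build_pki() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=Example Intermediate CA (test only)" \
    -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" >/dev/null 2>&1
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=$HOST" \
    -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Strict validation with only the root as trust anchor: no AIA fetching, no cached
# intermediates. This is what a server that sends leaf + intermediate looks like to a client.
full_chain_validates() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
       -verify_hostname "$HOST" "$WORK/leaf.pem" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Same trust anchor, but the intermediate is absent: what a server that sends only its
# leaf looks like to a client that cannot obtain the intermediate on its own.
leaf_only_validates() {
  if openssl verify -CAfile "$WORK/root.pem" \
       -verify_hostname "$HOST" "$WORK/leaf.pem" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

build_pki
echo "== leaf presented together with its intermediate =="
openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" || true
echo "== leaf presented alone (intermediate missing from the chain) =="
openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" || true
```

To apply the same comparison to a live deployment, capture what each server actually sends with `openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null` for both the custom domain and the issued *.okta.com domain, and count the `BEGIN CERTIFICATE` blocks in each: if the custom domain returns only the leaf, that matches the second case above and explains why a browser (which can fetch or already holds the intermediate) accepts it while the app does not.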
This question is closed.