SWA - How to prevent users from changing password once logged in

Loading

Skip to Navigation Skip to Main Content

Search

Search

Select Language

0D54z00009a1OksCAEOkta Classic EngineIntegrationsAnswered2024-04-17T10:31:42.000Z2023-08-29T15:42:35.000Z2023-10-18T15:55:09.000Z

y6cyi (y6cyi) asked a question.

August 29, 2023 at 3:42 PM

SWA - How to prevent users from changing password once logged in

Hello, I'm a beginner to this so please bare with me. I set up a SWA for Eventbrite and have it automatically logging in (after I manually created the account, no SCIM provisioning yet). My goal is to make these accounts fully managed. I know I can import the users I need, set up their password so they can't log in to the application directly and enable multi-factor, although, I don't understand what is stopping them from changing their passwords once logged in to the platform and then bypassing MFA or detections we might have in place?

Thank you.

Integrations

Top Rated Answers

Mihai Negoita - Okta (Okta, Inc.)
3 years ago
Hi @y6cyi (y6cyi) , Thank you for reaching out to the Okta Community!

Short Answer: Nothing is preventing end-users from changing passwords and bypassing MFA if the Application(service provider) side does not, when using SWA.

Long Answer:
SWA works similarly to a password vault in the sense that it offers a more secure and convenient way to access company managed applications that do not support federated protocols (SAML, WS-FED, OIDC), by leveraging the Okta Browser Plugin to securely inject user credentials and initialize the login.
When using just SWA, Okta does not manage any other aspects of the interaction with the app.
More details here:
https://support.okta.com/help/s/article/What-is-Secure-Web-Authentication-SWA

https://help.okta.com/en-us/Content/Topics/Apps/apps-about-swa.htm

https://help.okta.com/en-us/Content/Topics/Browser-Plugin/browser-plugin-main.htm

The current version of the Eventbrite application from the Okta Integration Network catalog is not currently listed as having any federated authentication capabilities. If they do support other authentication methods, it is up to the Service Provider to update the app by leveraging the https://oinmanager.okta.com/ site.

That being said, if you know they do support other methods and you have the appropriate administrative access on that side, you do not have to use the app listed in the catalog or wait for them to update the app.
You can go ahead and implement SSO by leveraging one of the appropriate Template apps from the Okta side using the Application Integration Wizard:
SAML: https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_SAML.htm
OIDC: https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_OIDC.htm

If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.

Hope my answer helps!
--------------------------------
💡 Community Moderator Tip: Join a group today and connect with other Okta customers by region or product.
Expand Post
Selected as Best

All Answers

Mihai Negoita - Okta (Okta, Inc.)
3 years ago
Hi @y6cyi (y6cyi) , Thank you for reaching out to the Okta Community!

Short Answer: Nothing is preventing end-users from changing passwords and bypassing MFA if the Application(service provider) side does not, when using SWA.

Long Answer:
SWA works similarly to a password vault in the sense that it offers a more secure and convenient way to access company managed applications that do not support federated protocols (SAML, WS-FED, OIDC), by leveraging the Okta Browser Plugin to securely inject user credentials and initialize the login.
When using just SWA, Okta does not manage any other aspects of the interaction with the app.
More details here:
https://support.okta.com/help/s/article/What-is-Secure-Web-Authentication-SWA

https://help.okta.com/en-us/Content/Topics/Apps/apps-about-swa.htm

https://help.okta.com/en-us/Content/Topics/Browser-Plugin/browser-plugin-main.htm

The current version of the Eventbrite application from the Okta Integration Network catalog is not currently listed as having any federated authentication capabilities. If they do support other authentication methods, it is up to the Service Provider to update the app by leveraging the https://oinmanager.okta.com/ site.

That being said, if you know they do support other methods and you have the appropriate administrative access on that side, you do not have to use the app listed in the catalog or wait for them to update the app.
You can go ahead and implement SSO by leveraging one of the appropriate Template apps from the Okta side using the Application Integration Wizard:
SAML: https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_SAML.htm
OIDC: https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_OIDC.htm

If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.

Hope my answer helps!
--------------------------------
💡 Community Moderator Tip: Join a group today and connect with other Okta customers by region or product.
Expand Post
Selected as Best

This question is closed.

Recommended content

Forum

Prevent Users Logging in to SWA Apps directly (outside of Okta)

Forum

Prevent certain users from logging in

Forum

How can we end all other logged in application once okta user logs out

Forum

How to use Mac TouchID to log in Okta from the Arc Browser

Loading

SWA - How to prevent users from changing password once logged in