Configure Single Sign-On options | Okta (2024)

The options available when setting up or changing the Single Sign-On (SSO) method for an app integration depend on the access protocols supported by the app integration.

About admin roles for this task

The administrator running this task must be a super admin for the Okta org.

App administrators can configure user access to app integrations for which they're responsible.

Before you begin

The admin must be signed in to the Okta Admin Console.

Configure Sign-on options

Whether you're configuring an app integration for the first time or you later need to change these options, the Sign on methods available depend on the access protocols supported by the app integration.

OpenID Connect

For OpenID Connect (OIDC) app integrations, Okta uses the OAuth 2.0 protocol to exchange user credentials and enable SSO. OIDC app integrations typically have a link to instructions that guide you through the configuration.

SAML 2.0, WS-Federation

If you select one of SAML 2.0 or WS-Federation, Okta applies a federated approach to user authentication. App integrations configured using these methods typically have a link to instructions that guide you through the configuration.

For SAML applications, the Metadata details section includes data that your application integration may require. This can include Metadata URL, Sign on URL, and so on. See the linked instructions (View Setup Instructions) for details.
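The Metadata details mentioned above are published by the IdP as a SAML 2.0 metadata document. The following added example (not Okta's code or anything from the original page) parses such a document with the standard library and pulls out the values an SP integration asks for: the entity ID, the Sign on URL (the HTTP-POST SingleSignOnService location), the NameID formats and the signing certificate. The metadata sample, its entity ID, app path and certificate body are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample IdP metadata, shaped like the document an IdP serves at its
# Metadata URL. The entity ID, app path and certificate body are placeholders.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="http://www.okta.com/exk-EXAMPLE-PLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            PLACEHOLDERCERTIFICATEBASE64
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/exk-EXAMPLE-PLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example/exk-EXAMPLE-PLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_idp_metadata(xml_text):
    """Return the SP-side settings contained in IdP metadata.

    Raises ValueError when the document is not an IdP EntityDescriptor, when an
    SSO endpoint is not https, or when no signing certificate is present (an SP
    must never accept assertions it cannot verify). Metadata fetched from a URL
    you do not fully control should go through defusedxml rather than the
    stdlib parser.
    """
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an IdP)")

    sso_urls = {}
    for svc in idp.findall(MD + "SingleSignOnService"):
        location = svc.get("Location", "")
        if not location.startswith("https://"):
            raise ValueError(f"SingleSignOnService is not https: {location}")
        sso_urls[svc.get("Binding")] = location

    certs = []
    for kd in idp.findall(MD + "KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(DS + "X509Certificate"):
            certs.append("".join((cert.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "entity_id": root.get("entityID"),
        "sign_on_url": sso_urls.get(POST_BINDING),
        "sso_urls": sso_urls,
        "name_id_formats": [n.text.strip() for n in idp.findall(MD + "NameIDFormat")],
        "signing_certs": certs,
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

The https check and the mandatory signing certificate are the two things worth failing hard on: a metadata document that points the browser at a plain-http endpoint or that carries no key is misconfigured, not merely incomplete.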

Bookmark-only

The Bookmark-only sign-in option is the simplest mode supported for an app integration. When the end user launches the app integration, Okta opens the sign-in page for the external application, but doesn't perform SSO. No username or password information is passed to the external application, so no configuration is required.

No Sign On

The No Sign On sign-in option is available when adding or configuring mobile apps or applications that don't require any sign-in information.

Secure Web Authentication

For the Secure Web Authentication (SWA) sign-in option, Okta signs in to the external application for each user. Selecting this method doesn't prevent users from signing in to the external application directly. You can set up your app integration with any of the following SWA sign-in configurations:

  • User sets username and password
  • Administrator sets username and password
  • Administrator sets username, user sets password
  • Administrator sets username, password is the same as user's Okta password
  • Users share a single username and password set by administrator

User sets username and password

This option allows your users to choose their usernames and passwords.

Note the following about this option:

  • If users are unassigned from the app integration and then later reassigned, they must reenter their usernames and passwords. Users can be unassigned from an app integration in the following ways:
    • The user is deactivated in Okta.
    • The user is removed from a group assigned to the app integration.
    • The user no longer appears in imports after being deactivated in the external application.
    • The organizational unit (OU) that contains the user is deselected.

Administrator sets username and password

This option provides the most robust level of admin control. It allows the admin to set all usernames and passwords for an app integration, after which the credentials are never shared with the end users. This option provides a way to shut off user access to the credentials of sensitive applications. You must ensure that the user doesn't have an alternative way to reset their password for the external application. It's also helpful in cases where admins must supply a new, obfuscated password to an Okta user, as no active communication with the user is required.

To set the usernames and passwords for a particular SWA app integration, do the following:

  1. Outside of Okta, access the external application you want to assign.
  2. Establish the usernames and passwords within the application.
  3. Return to Okta and access or create the app integration in the OIN.
  4. Choose the Sign On tab (or step) for the app integration.
  5. Choose Administrator sets username and password, and then click Next.
  6. Assign the app integration to users and then assign their usernames and passwords.

Note the following about this option:

  • The admin-created password can only be viewed when initially created. After setting the password, it's no longer visible to the admin. To change the password, first reset it in the external application, and then reset it in Okta.
  • If the chosen app integration was previously assigned to an established Okta group and then is modified to support this sign-on method, the admin needs to manually update the usernames and passwords for each group member.
  • The Password reveal feature is disabled when this option is selected because end users don't have access to their passwords.

Administrator sets username, user sets password

This option allows the admin to set up the external application accounts on behalf of your users, while still allowing users to set and change their application password (which is separate from their Okta password).

  1. Outside of Okta, access the external application you want to assign.
  2. Establish the username for each user within the application.
  3. Return to Okta and access or create the app integration in the OIN.
  4. Choose the Sign On tab (or step) for the app integration.
  5. Choose Administrator sets username, user sets password, and then click Next.
  6. Assign the app integration to users.

Administrator sets username, password is the same as user's Okta password

This option allows the admin to set up the external application accounts on behalf of your users and use their existing Okta passwords. For this to work, the admin needs to add the user accounts in the external application and then associate the usernames through provisioning integration with Okta. After you configure this option, end users can access the app integration without being prompted for a username or password.

  1. Outside of Okta, access the external application you want to assign.
  2. Establish the username and password for each user within the application.
  3. Return to Okta and access or create the app integration in the OIN.
  4. Choose the Sign On tab (or step) for the app integration.
  5. Choose Administrator sets username, password is the same as user's Okta password, and then click Next.
  6. Assign the app integration to users.

Users share a single username and password set by administrator

Select this option if you share a single application license or a single application account with multiple people in your organization.

To set the shared credentials for a shared application, do the following:

  1. Outside of Okta, access the external application you want to assign.
  2. Establish the username and password within the application.
  3. Return to Okta and access or create the app integration in the OIN.
  4. Choose the Sign On tab (or step) for the app integration.
  5. Choose Users share a single username and password set by the administrator, and then click Next.
  6. Assign the app integration to users.

You can enable the Password reveal feature when this option is selected, but it only allows admins to see the shared password. End users can't reveal shared passwords.
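The five SWA options above are stored on the app integration as a credential scheme. The following added example (not Okta's code and not from the original page) builds the credential object for a new SWA app and audits existing app records for the rules stated above: password reveal is never allowed when the administrator sets the credentials, and a shared-credential app needs its shared username. It assumes that an app record is shaped like the JSON the Okta Apps API returns (`signOnMode` of `BROWSER_PLUGIN` or `AUTO_LOGIN`, and `credentials.scheme` holding one of the five constants below, which are my understanding of the API spellings of the five options; treat them as an assumption if your org's records differ). All app records in the block are constructed.

```python
# Assumption: these are the Apps API spellings of the five SWA options above.
SWA_SIGN_ON_MODES = {"BROWSER_PLUGIN", "AUTO_LOGIN"}

# API scheme name -> option label shown in the Admin Console
SWA_SCHEMES = {
    "EDIT_USERNAME_AND_PASSWORD": "User sets username and password",
    "ADMIN_SETS_CREDENTIALS": "Administrator sets username and password",
    "EDIT_PASSWORD_ONLY": "Administrator sets username, user sets password",
    "EXTERNAL_PASSWORD_SYNC": "Administrator sets username, password is the same as user's Okta password",
    "SHARED_USERNAME_AND_PASSWORD": "Users share a single username and password set by administrator",
}


def build_swa_credentials(scheme, reveal_password=False, shared_username=None,
                          username_template="${source.login}"):
    """Build the `credentials` object for an SWA app request body.

    Rejects combinations the page rules out: password reveal with
    ADMIN_SETS_CREDENTIALS, and the shared scheme without a shared username.
    """
    if scheme not in SWA_SCHEMES:
        raise ValueError(f"unknown SWA scheme {scheme!r}")
    if scheme == "ADMIN_SETS_CREDENTIALS" and reveal_password:
        raise ValueError("password reveal is disabled when the admin sets credentials")
    creds = {
        "scheme": scheme,
        "revealPassword": reveal_password,
        "userNameTemplate": {"template": username_template, "type": "BUILT_IN"},
    }
    if scheme == "SHARED_USERNAME_AND_PASSWORD":
        if not shared_username:
            raise ValueError("shared scheme requires the shared username")
        creds["userName"] = shared_username
        # The shared password is set separately and is never echoed back by the
        # API after creation, so it is deliberately not part of this object.
    return creds


def audit_swa_app(app):
    """Return a list of findings for one app record; an empty list means compliant."""
    findings = []
    if app.get("signOnMode") not in SWA_SIGN_ON_MODES:
        return findings  # OIDC, SAML and bookmark apps carry no SWA credential scheme
    creds = app.get("credentials") or {}
    scheme = creds.get("scheme")
    reveal = bool(creds.get("revealPassword"))
    label = app.get("label", app.get("id", "?"))
    if scheme not in SWA_SCHEMES:
        findings.append(f"{label}: unrecognised SWA credential scheme {scheme!r}")
        return findings
    if scheme == "ADMIN_SETS_CREDENTIALS" and reveal:
        findings.append(f"{label}: revealPassword set on admin-managed credentials; end users must not see them")
    if scheme == "EXTERNAL_PASSWORD_SYNC" and reveal:
        findings.append(f"{label}: revealPassword would expose the user's Okta password (app password is the same)")
    if scheme == "SHARED_USERNAME_AND_PASSWORD":
        if not creds.get("userName"):
            findings.append(f"{label}: shared-credential app has no shared username set")
        if reveal:
            findings.append(f"{label}: shared password reveal is enabled (admin-only); confirm it is intended")
    return findings


def audit_swa_apps(apps):
    """Map app label -> findings, for apps that have at least one finding."""
    report = {}
    for app in apps:
        findings = audit_swa_app(app)
        if findings:
            report[app.get("label", app.get("id", "?"))] = findings
    return report


# Constructed app records in the assumed API shape.
SAMPLE_APPS = [
    {"id": "0oa-constructed-1", "label": "Payroll portal", "signOnMode": "BROWSER_PLUGIN",
     "credentials": {"scheme": "ADMIN_SETS_CREDENTIALS", "revealPassword": True}},
    {"id": "0oa-constructed-2", "label": "Team social account", "signOnMode": "BROWSER_PLUGIN",
     "credentials": {"scheme": "SHARED_USERNAME_AND_PASSWORD", "revealPassword": False,
                     "userName": "social@example.com"}},
    {"id": "0oa-constructed-3", "label": "Wiki", "signOnMode": "AUTO_LOGIN",
     "credentials": {"scheme": "EDIT_USERNAME_AND_PASSWORD", "revealPassword": True}},
    {"id": "0oa-constructed-4", "label": "HR system (SAML)", "signOnMode": "SAML_2_0",
     "credentials": {}},
]

if __name__ == "__main__":
    for label, findings in audit_swa_apps(SAMPLE_APPS).items():
        print(label, "->", "; ".join(findings))
```

Run against the app list an org exports, the audit surfaces the one combination the page says cannot be valid (admin-set credentials with reveal enabled) and flags shared-credential apps for a second look, since those are the accounts with no per-user accountability.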

See also

Add existing app integrations

Create custom app integrations

Configure settings for app integrations

FAQs

What is single sign on configuration? ›

Single sign-on (SSO) is an identification method that enables users to log in to multiple applications and websites with one set of credentials. SSO streamlines the authentication process for users.

How to configure SSO in Okta? ›

Set up SSO with Okta
  1. Create SSO Name and ACS URL in Contentstack.
  2. Configure Contentstack App in Okta.
  3. Configure Okta details in Contentstack.
  4. Manage user access control in Okta. Add the application to users. Add the application to user groups for IdP Role Mapping.
  5. Create Role Mappings in Contentstack.
  6. Test and Enable SSO.

How do I set up single sign on SSO for SAML applications? ›

Create an application and set up SAML SSO

Enter the display name for your new application, select Integrate any other application you don't find in the gallery, then select Create. On the app's Overview page, select Single sign-on. Select SAML as the single sign-on method.

What is the difference between SSO and Okta? ›

For applications that support federated SSO through SAML, OIDC, or any other proprietary authentication protocol, Okta establishes a secure connection with a user's browser and then authenticates the user. With SSO, a central domain performs authentication and then shares the session with other domains.

What are the SSO integration options for Okta? ›

The four main SSO protocols supported by Okta:
  • OpenID Connect (OIDC). See OIDC app integrations.
  • Security Assertion Markup Language (SAML). See SAML app integrations.
  • Secure Web Authentication (SWA). See SWA app integrations.
  • WS-Federation (WS-Fed). See WS-Fed app integrations.

How to configure SSO in Active Directory? ›

Initial AD FS SSO Configuration
  1. Open Microsoft Server Manager and click the notification icon.
  2. Click the “Configure the federation service on this server” link.
  3. Select the “Create the first federation server in a federation server farm” option and click Next.
  4. Specify a domain admin account for AD FS configuration.

How to solve SSO issues? ›

General troubleshooting
  1. In your IdP: Confirm that your Org ID, Entity ID, and ACS URL are all correct. Review the SAML attribute statements that you've entered. Regenerate the SAML metadata and replace it in Iterable.
  2. In Iterable: Check the SAML Domain field. Learn how. Replace the SAML metadata from your IdP.

Is SSO mandatory? ›

Single Sign-On (SSO) authentication is now required more than ever. Nowadays, almost every website requires some form of authentication to access its features and content. With the number of websites and services rising, a centralized login system has become a necessity.

What is SSO activation? ›

Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.

What is the difference between SAML and SSO? ›

SAML (Security Assertion Markup Language) is merely one security protocol used for exchanging authentication and authorization data. In contrast, SSO is a broader term for a type of authentication process that enables users to access multiple services with a single login, of which SAML can be a facilitating component.

What is the difference between SSO and OAuth? ›

In summary, SSO is used for authenticating users, while OAuth is used for granting access to resources. OAuth can be used as part of an SSO solution, but it is not a replacement for SSO.

How do I fix single sign-on error? ›

Check the clock on your Identity Provider's server. This error is almost always caused by the Identity Provider's clock being incorrect, which adds incorrect timestamps to the SAML Response. Resync the Identity Provider server clock with a reliable internet time server.
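The clock problem described above shows up on the SP side as a rejected NotBefore or NotOnOrAfter condition. The following added example (not Okta's code and not from the original page) is the check an SP performs on the assertion's Conditions element, with a configurable skew tolerance, and it reports how far out of window the timestamps are so that an IdP clock that is ahead or behind can be told apart from an expired or replayed assertion. The assertion fragment, issuer and audience are constructed, and signature verification is assumed to have been done already.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed, unsigned assertion fragment. In a real SP the XML signature is
# verified before any of these fields are read.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-constructed" IssueInstant="2024-05-01T12:00:00.000Z" Version="2.0">
  <saml2:Issuer>http://www.okta.com/exk-EXAMPLE-PLACEHOLDER</saml2:Issuer>
  <saml2:Conditions NotBefore="2024-05-01T11:58:00.000Z" NotOnOrAfter="2024-05-01T12:03:00.000Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://sp.example.com/saml/metadata</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>
"""


def parse_saml_instant(value):
    """SAML dateTime values are UTC, end in 'Z', and may carry fractional seconds."""
    if not value or not value.endswith("Z"):
        raise ValueError(f"SAML time must be UTC with a trailing Z: {value!r}")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, expected_audience,
                     allowed_skew=timedelta(seconds=180)):
    """Validate Audience, NotBefore and NotOnOrAfter. Returns (ok, reason)."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(SAML2 + "Conditions")
    if cond is None:
        return False, "assertion has no Conditions element"
    audiences = [a.text.strip() for a in cond.iter(SAML2 + "Audience")]
    if expected_audience not in audiences:
        return False, f"audience mismatch: {audiences}"
    not_before = parse_saml_instant(cond.get("NotBefore"))
    not_on_or_after = parse_saml_instant(cond.get("NotOnOrAfter"))
    if now + allowed_skew < not_before:
        ahead = int((not_before - now).total_seconds())
        return False, f"assertion not yet valid: NotBefore is {ahead}s ahead of our clock (IdP clock likely ahead)"
    if now - allowed_skew >= not_on_or_after:
        behind = int((now - not_on_or_after).total_seconds())
        return False, f"assertion expired {behind}s ago (IdP clock likely behind, or a replayed response)"
    return True, "conditions satisfied"


if __name__ == "__main__":
    sp_now = datetime(2024, 5, 1, 11, 50, tzinfo=timezone.utc)  # SP clock 8 min behind NotBefore
    print(check_conditions(SAMPLE_ASSERTION, sp_now, "https://sp.example.com/saml/metadata"))
```

A skew allowance of a few minutes absorbs ordinary drift; when the check fails by many minutes in one direction on every response from one IdP, the clock on that IdP is the thing to fix, exactly as the answer above says.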

What is the difference between Active Directory and SSO? ›

With SSO, a user logs in once, and gains access to all systems without being prompted to log in again at each of them. Active Directory (AD) is a directory service that provides a central location for network administration and security.

What is single sign-on Active Directory? ›

Single sign-on (SSO) solutions allow users to log in to multiple applications with just one set of credentials, eliminating the hassle and risk of managing different combinations of usernames and passwords. To enable single sign-on with Active Directory, you'll need to use AD FS or a third-party tool.

What is the difference between same sign-on and single sign-on? ›

Single sign-on systems require a one-time authentication from the user. Once logged in, the user can access other web applications and services without re-authenticating themselves. Meanwhile, same sign-on requires the user to repeat the login process each time with the same authentication credentials.

Article information

Author: Greg Kuvalis