42 changes: 26 additions & 16 deletions packages/@okta/vuepress-site/conductor.yml
Expand Up @@ -4626,47 +4626,57 @@ redirects:
- from: /docs/guides/style-the-widget/next-steps/index.html
to: /docs/guides/custom-widget/main/#see-also
- from: /docs/guides/oin-oidc-guide/overview
to: /docs/guides/oin-sso-overview/
to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-guide/background
to: /docs/guides/oin-sso-overview/
to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-guide/protocol-level-requirements
to: /docs/guides/build-sso-integration/openidconnect/main/#build-your-integration
- from: /docs/guides/oin-oidc-guide/multi-tenancy
to: /docs/guides/oin-sso-overview/#okta-organization-and-multi-tenancy
to: /docs/concepts/multi-tenancy/#sso-app-integrations-and-multi-tenancy
- from: /docs/guides/oin-oidc-guide/integration-best-practices
to: /docs/guides/oin-sso-overview/
to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-guide/next-steps
to: /docs/guides/oin-sso-overview/#next-steps
to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-guide/overview/index.html
to: /docs/guides/oin-sso-overview/
to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-guide/background/index.html
to: /docs/guides/oin-sso-overview/
to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-guide/protocol-level-requirements/index.html
to: /docs/guides/build-sso-integration/openidconnect/main/
- from: /docs/guides/oin-oidc-guide/multi-tenancy/index.html
to: /docs/guides/oin-sso-overview/#okta-organization-and-multi-tenancy
to: /docs/concepts/multi-tenancy/#sso-app-integrations-and-multi-tenancy
- from: /docs/guides/oin-oidc-guide/integration-best-practices/index.html
to: /docs/guides/oin-sso-overview/
to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-guide/next-steps/index.html
to: /docs/guides/oin-sso-overview/#next-steps
to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-best-practices/main
to: /docs/guides/oin-sso-overview/
to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-best-practices/main/index.html
to: /docs/guides/oin-sso-overview/
to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-best-practices/main/#rate-restrictions
to: /docs/guides/build-sso-integration/openidconnect/main/#rate-limit-considerations
- from: /docs/guides/oin-oidc-multi-tenancy/main
to: /docs/guides/oin-sso-overview/#okta-organization-and-multi-tenancy
to: /docs/concepts/multi-tenancy/#sso-app-integrations-and-multi-tenancy
- from: /docs/guides/oin-oidc-multi-tenancy/main/index.html
to: /docs/guides/oin-sso-overview/#okta-organization-and-multi-tenancy
to: /docs/concepts/multi-tenancy/#sso-app-integrations-and-multi-tenancy
- from: /docs/guides/oin-oidc-protocols/main
to: /docs/guides/build-sso-integration/openidconnect/main/
- from: /docs/guides/oin-oidc-protocols/main/index.html
to: /docs/guides/build-sso-integration/openidconnect/main/
- from: /docs/guides/oin-oidc-overview/main
to: /docs/guides/oin-sso-overview/
to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-overview/main/index.html
to: /docs/guides/oin-sso-overview/
to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-sso-overview/
to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-sso-overview/index.html
to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-sso-overview/#choose-your-sso-protocol
to: /docs/concepts/sso-overview/#choose-your-sso-protocol
- from: /docs/guides/oin-sso-overview/#okta-organization-and-multi-tenancy
to: /docs/concepts/multi-tenancy/#sso-app-integrations-and-multi-tenancy
- from: /docs/guides/oin-sso-overview/#tenants-in-okta
to: /docs/concepts/multi-tenancy/#tenants-in-okta
- from: /docs/guides/third-party-risk-integration/overview
to: /docs/guides/third-party-risk-integration/
- from: /docs/guides/third-party-risk-integration/overview/index.html
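Review bot: the new `from` rules that carry a fragment (`/docs/guides/oin-sso-overview/#choose-your-sso-protocol`, `#okta-organization-and-multi-tenancy`, `#tenants-in-okta`) can only fire if conductor evaluates redirects in the browser, because a URL fragment is never sent to the server; confirm the deployment handles fragment matches, or accept that those requests will be served by the unanchored `/docs/guides/oin-sso-overview/` rule directly above them. Also, the rewritten rules for `/docs/guides/oin-oidc-guide/next-steps` and its `index.html` variant drop the old `#next-steps` deep link and now land on the top of `/docs/concepts/sso-overview/`; that is fine only if the concepts page has no equivalent section. Good that every existing rule targeting `/docs/guides/oin-sso-overview/` was rewritten to its final destination instead of being left to chain through the new `oin-sso-overview` → `sso-overview` rule.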
Expand Up @@ -42,6 +42,20 @@ different types of data is shown below:

</div>

### Tenants in Okta

In Okta, a tenant is represented as an Okta org. Each org is an isolated container that manages its own users, groups, and apps independently. Identity in Okta is scoped to the org, not globally unique across all of Okta.

As an example, the same email address can exist as separate users in multiple orgs. For example, `alice.doe@example.com` can be a registered user in both `https://company1.okta.com` and `https://company2.okta.com` with different profile data in each. When building an app that serves multiple tenants, track which org authenticated a given user. You can't assume that profile data is consistent across orgs.

Okta orgs host their interfaces through individual subdomains and each org is assigned a separate URL. The typical org URL is the tenant name (the subdomain) followed by the domain name. However, you can customize the domain name for your own domain and add individual aliases for each of your tenants.

## SSO app integrations and multi-tenancy

SSO app integrations are multi-tenant by design. Each customer (the organization deploying the SSO app) operates through a separate Okta org, and each org is a distinct tenant. The org serves as the identity provider (IdP) for that customer's users. For OpenID Connect (OIDC) integrations, the org acts as the authorization server. For SAML integrations, the org acts as the IdP.

Because each org manages its own users, policies, and application access independently, a single app integration can serve multiple customers without their data or configurations affecting one another.

## Why would you want more than one tenant

An organization can create a tenant for various reasons. For example
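Review bot: the new `### Tenants in Okta` is a level-3 heading placed immediately before the level-2 `## SSO app integrations and multi-tenancy`, so check it is meant to nest under the section that ends at the `</div>` above rather than stand as its own section (the generated slugs `tenants-in-okta` and `sso-app-integrations-and-multi-tenancy` do match the anchors used in the conductor.yml redirects). In the second paragraph, "As an example, the same email address can exist ... For example, `alice.doe@example.com` ..." says "for example" twice in a row; drop one. The security point there would be stronger if it said what to key on: because identity is scoped to the org, an app serving several tenants should identify a user by the authenticating org together with that org's user identifier, never by email alone, since the same address can be a different person in each org.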
Expand Down Expand Up @@ -107,7 +121,7 @@ platform is ultimately decided by the customer. Okta offers four main
configurations for multi-tenancy. They are:

* [Configuration 1: Host tenants in a single org using Universal Directory (UD)](#configuration-1)
* [Configuration 2: Host tenants in separate orgs (for example, hub-and-spoke](#configuration-2)
* [Configuration 2: Host tenants in separate orgs (for example, hub-and-spoke)](#configuration-2)
* [Configuration 3: Mixed. Host tenants in both single and separate orgs](#configuration-3)
* [Configuration 4: Host tenants in a single org not using UD](#configuration-4)

Expand Up @@ -28,7 +28,7 @@ When you implement SSO, you let a central IdP handle authentication for you. SSO

## How Okta supports SSO

Okta is a cloud-based identity and access management (IAM) platform that acts as the centralized IdP for your users. Okta provides SSO integrations for thousands of cloud, on-premises, and mobile apps. The platform uses standard protocols such as OIDC, SAML, and SWA to maintain these integrations.
Okta is a cloud-based identity and access management (IAM) platform that acts as the centralized IdP for your users. Okta provides SSO integrations for thousands of cloud, on-premises, and mobile apps. The platform uses standard protocols such as OIDC, SAML, and SWA to maintain these integrations.
Okta also handles user verification, multifactor authentication (MFA), and lifecycle management, providing a robust and secure foundation for your app.

A user's SSO experience with Okta can happen in a few different ways:
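Review bot: the removed and added lines render identically in this view, so the hunk appears to be a whitespace-only change (most likely trailing whitespace). Harmless to keep, but confirm it was intentional rather than an editor side effect, since it adds a spurious blame entry to this paragraph.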
Expand All @@ -41,6 +41,18 @@ A user's SSO experience with Okta can happen in a few different ways:

In these scenarios, the user only has to remember a single credential, which is managed securely by Okta.

## Choose your SSO protocol

Okta supports two protocols for handling federated SSO: OpenID Connect (OIDC) and Security Assertion Markup Language (SAML). The SSO protocol that you choose to implement your app integration with is based on your app and use case. For new app integrations, OIDC is recommended.

| &nbsp; | <span style="width: 24px;display:inline-block">![OIDC](/img/idp-logos/oidc.png)</span> OIDC | <span style="width: 22px;display:inline-block">![SAML](/img/idp-logos/saml.png)</span> SAML |
| ------ | :------------------- | :----------------------- |
| **Description** | [OpenID Connect](/docs/concepts/oauth-openid/#openid-connect) extends OAuth 2.0 to provide an ID token that can be used to verify a user’s identity and sign them in to a cloud-based app. It's quickly becoming the new standard for SSO. | [Security Assertion Markup Language (SAML)](/docs/concepts/saml) is a traditional enterprise protocol for SSO in web apps. Okta supports SAML 2.0. |
| **Benefits** | <ul><li>A newer protocol with widespread and growing use</li> <li>Best Okta customer configuration experience</li> <li>Ideal for mobile and cloud apps</li> </ul> | <ul><li>Many people are familiar with SAML because it's an older protocol</li> <li>Widely used federation protocol for SSO in web apps</li> <li>Many SaaS providers support SAML integration to grant SSO access to end users</li></ul>|
| **Technology** | <ul><li>An identity layer on top of the [OAuth 2.0](https://oauth.net/2/) protocol</li> <li>Verifies end user identity and obtains profile information</li> <li>Lightweight and REST-based</li></ul> | <ul><li>XML-based messages</li> <li>The specification doesn’t have user consent, although it can be built into the flow</li> </ul> |
| **Resources** | <ul><li>[OpenID Connect Foundation](https://openid.net/connect/)</li></ul>| <ul><li>[SAML 2.0 Technical Overview](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) </li></ul> |
| **Get started** | <ul><li>[Build an Okta SSO integration with OIDC](/docs/guides/build-sso-integration/openidconnect/main/) </li></ul>| <ul><li>[Build an Okta SSO integration with SAML](/docs/guides/build-sso-integration/saml2/main/) </li></ul> |

## SSO, Single Logout (SLO), and Universal Login

With SSO in Okta, a user authenticates once with Okta (the IdP) and can seamlessly access multiple apps, using federation protocols like SAML, OIDC, or WS-Fed. [​Single Logout (SLO)](/docs/guides/single-logout/saml2/main/) extends this by allowing a sign-out action from one app to propagate back to the IdP and, in turn, notify other connected apps to terminate their sessions. However, as SLO relies on each app’s protocol support, the sign-out experience can be inconsistent.
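Review bot: the SAML resource link uses plain `http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html`; change it to `https://` so a page about authentication protocols does not send readers over cleartext. Smaller points in the same table: the rows mix curly apostrophes (`user’s`, `doesn’t`) with straight ones (`It's`); the logo cells depend on inline `<span style=...>` HTML and an `&nbsp;` header cell, which VuePress renders but is worth checking against the site's markdown lint; and "The SSO protocol that you choose to implement your app integration with is based on your app and use case" reads more cleanly as "Which protocol you choose depends on your app and use case." The `## Choose your SSO protocol` slug matches the `#choose-your-sso-protocol` target used in conductor.yml.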
Expand All @@ -51,5 +63,4 @@ Universal Logout addresses these inconsistencies by creating a more reliable, ce

The Okta Integration Network (OIN) is a catalog of pre-built integrations with thousands of apps. You can easily integrate Okta SSO to apps with a guided experience that still supports the most secure configuration options.

For information on SSO integrations in the Okta Integration Network (OIN), see [Overview of Single Sign-On in the OIN](https://developer.okta.com/docs/guides/oin-sso-overview/).

For information on SSO integrations in the Okta Integration Network (OIN), see [Publish an OIN integration](/docs/guides/submit-app-overview/).
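Review bot: the sentence still opens with "For information on SSO integrations in the Okta Integration Network (OIN), see ..." but now links "Publish an OIN integration" (`/docs/guides/submit-app-overview/`), which is the submission guide rather than an SSO overview; either reword the lead-in ("To publish your SSO integration in the OIN, see ...") or point it at the OIN landing page. Removing the extra blank line above it is correct.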
Expand Up @@ -24,7 +24,7 @@ Create and test an SSO app integration for OIN submission.

## Overview

Single Sign-On (SSO) is an authentication method that enables end users to sign in to multiple applications (apps) with one set of credentials. If you have customers that use Okta as an Identity Provider, you want to publish your SSO app integration to the OIN. By having your integration in the OIN catalog, your customers can easily configure SSO for your app. See [Overview of Single Sign-On in the OIN](/docs/guides/oin-sso-overview) for all the benefits of having your integration in the OIN catalog.
Single Sign-On (SSO) is an authentication method that enables end users to sign in to multiple applications (apps) with one set of credentials. If you have customers that use Okta as an Identity Provider, you want to publish your SSO app integration to the OIN. By having your integration in the OIN catalog, your customers can easily configure SSO for your app. See [What is Single Sign-On (SSO)?](/docs/concepts/sso-overview/).

To create an SSO integration for the OIN, first sign up for a free [Integrator Free Plan org](https://developer.okta.com/signup/). Next, select the type of SSO protocol that you want to implement. Okta supports two SSO standards for your integration:

Expand Up @@ -22,7 +22,7 @@ After you've built the SSO integration in your app with the previous guidance li

### OIDC customer org credentials

Okta uses a [multi-tenant](/docs/guides/oin-sso-overview/#okta-organization-and-multi-tenancy) local credential system for OIDC integrations. When your customer adds your integration in their Okta org, they obtain a unique set of OIDC credentials. Each instance of your app integration inside a customer org has a separate set of OIDC client credentials that are used to access your app.
Okta uses a [multi-tenant](/docs/concepts/multi-tenancy/#sso-app-integrations-and-multi-tenancy) local credential system for OIDC integrations. When your customer adds your integration in their Okta org, they obtain a unique set of OIDC credentials. Each instance of your app integration inside a customer org has a separate set of OIDC client credentials that are used to access your app.

This multi-tenant approach differs from other IdPs that use a global credential system, where a given app has the same customer credentials across all orgs.

Expand Up @@ -50,7 +50,7 @@ The following table summarizes the key differences:

### Supported protocols

Okta app integrations support standard protocols for both [SSO](https://developer.okta.com/docs/guides/oin-sso-overview/) and automated user provisioning:
Okta app integrations support standard protocols for both [SSO](/docs/concepts/sso-overview/) and automated user provisioning:

* [OpenID Connect (OIDC)](https://developer.okta.com/docs/concepts/oauth-openid/): Authentication protocol based on OAuth 2.0, which enables secure SSO and supports advanced security features.
* [Security Assertion Markup Language (SAML)](https://developer.okta.com/docs/concepts/saml/): An XML-based protocol for exchanging authentication and authorization data between Okta and external apps.
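Review bot: the SSO link is switched from the absolute `https://developer.okta.com/docs/guides/oin-sso-overview/` to the site-relative `/docs/concepts/sso-overview/`, but the two unchanged bullets directly below still use absolute `https://developer.okta.com/docs/concepts/...` links; make them relative too so the whole block resolves the same way on preview and production hosts.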
2 changes: 1 addition & 1 deletion packages/@okta/vuepress-site/docs/guides/index.md
Expand Up @@ -297,7 +297,7 @@ You can publish your integration in the Okta Integration Network (OIN) catalog t
If you're creating an Okta integration for the first time, Okta recommends the following sequence of guides:

1. [OIN landing](/docs/guides/okta-integration-network/)
1. [Overview of Single Sign-On in the OIN](/docs/guides/oin-sso-overview/)
1. [What is Single Sign-On (SSO)?](/docs/concepts/sso-overview/)
1. [Overview of lifecycle management in the OIN](/docs/guides/oin-lifecycle-mgmt-overview/)
1. [Overview of API service apps in the OIN](/docs/guides/oin-api-service-overview/)
1. [OIN submission requirements](/docs/guides/submit-app-prereq/)
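Review bot: the replacement item "What is Single Sign-On (SSO)?" is a concepts page inserted into a list introduced as "the following sequence of guides", and it breaks the "Overview of ... in the OIN" pattern of its neighbours; either adjust the lead-in ("sequence of pages") or give the item an OIN-scoped title. Since conductor.yml already redirects the old `/docs/guides/oin-sso-overview/` URL, the link change itself is consistent with the rest of the PR.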