diff --git a/packages/@okta/vuepress-site/archive/php/simplesamlphp/index.md b/packages/@okta/vuepress-site/archive/php/simplesamlphp/index.md
index 911fe47ebd8..27494fc3930 100644
--- a/packages/@okta/vuepress-site/archive/php/simplesamlphp/index.md
+++ b/packages/@okta/vuepress-site/archive/php/simplesamlphp/index.md
@@ -23,7 +23,7 @@ If you're already familiar with Okta, you can skip to the section titled "Config
Before you can configure the example application and SimpleSAMLphp you need to set up an Okta application icon that an Okta user selects to sign in to your to your application using SAML through SimpleSAMLphp.
-To set up Okta to connect to your application, follow the guide to [Build a Single Sign-On integration](/docs/guides/build-sso-integration/saml2/main/). As you follow the instructions to [Create your integration](/docs/guides/build-sso-integration/saml2/main/#create-your-integration), there are two steps where you do things differently:
+To set up Okta to connect to your application, follow the guide to [Build a Single Sign-On integration](/docs/guides/create-an-app-integration/saml2/main/). As you follow the instructions to [OIN submission requirements](/docs/guides/submit-app-prereq/main/#oin-wizard-requirements), there are two steps where you do things differently:
* In step \#9: Use **SimpleSAMLphp Example** instead **Example SAML application**.
* In step \#10: Instead of entering the URL: `http://example.com/saml/sso/example-okta-com`
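Review bot: On the added line, the second link no longer fits the sentence around it: "As you follow the instructions to [OIN submission requirements]" points at a requirements section (`/docs/guides/submit-app-prereq/main/#oin-wizard-requirements`), yet the bullets that follow still tell the reader to change steps #9 and #10 of a numbered procedure. Link to the page that actually contains those numbered steps and keep link text that names it. The first link has the same mismatch in a milder form, since its text is still "Build a Single Sign-On integration" while the target is now `create-an-app-integration`. The unchanged context line above also carries a doubled "to your to your" that could be fixed while this paragraph is being touched.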
@@ -171,7 +171,7 @@ Configuring SimpleSAMLphp:
);
```
- Be sure to replace the contents of `${metadataUrl}` with the link that you copied in step \#10 of the [Setting up a SAML application in Okta](/docs/guides/build-sso-integration/saml2/main/#create-your-integration) instructions that you followed above.
+ Be sure to replace the contents of `${metadataUrl}` with the link that you copied in step \#10 that you followed above.
> **Note:** The contents of `${metadataUrl}` should look similar to this:
> `https://${yourOktaDomain}/app/a0b1c2deFGHIJKLMNOPQ/sso/saml/metadata`
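Review bot: Dropping the link on the changed line leaves "the link that you copied in step \#10 that you followed above", which no longer says which procedure step #10 belongs to and does not parse cleanly. Suggest "in step \#10 of the instructions that you followed above", or keep a link to the page that holds the numbered steps. Since this value is the IdP metadata URL that SimpleSAMLphp will trust, the reader should not have to guess which step produced it.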
diff --git a/packages/@okta/vuepress-site/code/python/pysaml2/index.md b/packages/@okta/vuepress-site/code/python/pysaml2/index.md
index 54772cda8be..4233443dd50 100755
--- a/packages/@okta/vuepress-site/code/python/pysaml2/index.md
+++ b/packages/@okta/vuepress-site/code/python/pysaml2/index.md
@@ -25,8 +25,8 @@ If you're already familiar with Okta, you can skip to the section titled "Config
Before you can configure your application and PySAML2, set up an Okta application icon that enables an Okta user to sign in to your application with SAML and PySAML2.
-To set up Okta to connect to your application, follow the [Build a Single Sign-On Integration](/docs/guides/build-sso-integration/saml2/main/)
-guide. As noted in the [Create your integration](/docs/guides/build-sso-integration/saml2/main/#create-your-integration) instructions, there are two steps to change:
+To set up Okta to connect to your application, follow the [Build a Single Sign-On Integration](/docs/guides/sign-in-overview/main/)
+guide. As noted in the [Create your integration](/docs/guides/submit-app-prereq/main/) instructions, there are two steps to change:
* In step \#9: Use **PySAML2 Example** instead of **Example SAML application**.
* In step \#10: When entering the URL:
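Review bot: Both added lines keep their old link text but change the target to something the text does not describe: "Build a Single Sign-On Integration" now goes to `/docs/guides/sign-in-overview/main/` and "Create your integration" goes to `/docs/guides/submit-app-prereq/main/`. The SimpleSAMLphp page in this same diff sends the equivalent first link to `/docs/guides/create-an-app-integration/saml2/main/`, so the two sample pages now disagree. The bullets below still depend on steps #9 and #10, so both links should resolve to the page with that numbered procedure.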
diff --git a/packages/@okta/vuepress-site/conductor.yml b/packages/@okta/vuepress-site/conductor.yml
index 1cdaf440276..792f1e3a798 100644
--- a/packages/@okta/vuepress-site/conductor.yml
+++ b/packages/@okta/vuepress-site/conductor.yml
@@ -244,13 +244,13 @@ redirects:
- from: /docs/guides/saml_guidance.html
to: /standards/SAML/
- from: /docs/guides/setting_up_a_saml_application_in_okta
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /docs/guides/setting_up_a_saml_application_in_okta.html
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /docs/examples/configuring_a_saml_application_in_okta
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /docs/examples/configuring_a_saml_application_in_okta.html
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /standards/SCIM/index.html
to: /docs/concepts/scim/
- from: /docs/reference/api/resource-server-beta/index.html
@@ -278,7 +278,7 @@ redirects:
- from: /use_cases/integrate_with_okta/provisioning/index.html
to: /docs/guides/scim-provisioning-integration-overview/
- from: /use_cases/integrate_with_okta/sso-with-saml/index.html
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /use_cases/isv/embedded-occ/index.html
to: https://www.okta.com/integrate/documentation/embedded-okta-cloud-connect/
- from: /use_cases/isv/isv-syslog-references/index.html
@@ -462,7 +462,7 @@ redirects:
- from: /docs/how-to/updating_saml_cert/index.html
to: /docs/guides/updating-saml-cert/
- from: /standards/SAML/setting_up_a_saml_application_in_okta/index.html
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /standards/SAML/saml_tracer/index.html
to: /docs/guides/saml-tracer/
- from: /authentication-guide/implementing-authentication/set-up-authz-server/index.html
@@ -792,7 +792,7 @@ redirects:
- from: /docs/how-to/updating_saml_cert
to: /docs/guides/updating-saml-cert/
- from: /standards/SAML/setting_up_a_saml_application_in_okta
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /standards/SAML/saml_tracer
to: /docs/guides/saml-tracer/
- from: /authentication-guide/implementing-authentication/set-up-authz-server.html
@@ -1066,7 +1066,7 @@ redirects:
- from: /guides/revoke-tokens/-/overview/index.html
to: /docs/guides/revoke-tokens/-/overview/
- from: /guides/saml-application-setup/-/overview/index.html
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /guides/sharing-cert/-/generate-new-credential/index.html
to: /docs/guides/sharing-cert/main/#generate-a-new-credential-for-the-source-app
- from: /guides/sharing-cert/-/overview/index.html
@@ -1326,7 +1326,7 @@ redirects:
- from: /guides/revoke-tokens/index.html
to: /docs/guides/revoke-tokens/
- from: /guides/saml-application-setup/index.html
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /guides/session-cookie/index.html
to: /docs/guides/session-cookie/
- from: /guides/sharing-cert/index.html
@@ -1872,19 +1872,19 @@ redirects:
- from: /docs/guides/build-sso-integration/oidc/before-you-begin/index.html
to: /docs/guides/build-sso-integration/openidconnect/main/
- from: /docs/guides/build-sso-integration/saml/before-you-begin/index.html
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /docs/guides/build-sso-integration/oidc/create-your-app/index.html
to: /docs/guides/build-sso-integration/openidconnect/main/
- from: /docs/guides/build-sso-integration/saml/create-your-app/index.html
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /docs/guides/build-sso-integration/oidc/submit-your-app/index.html
to: /docs/guides/build-sso-integration/openidconnect/main/#next-steps
- from: /docs/guides/build-sso-integration/saml2/submit-your-app/index.html
- to: /docs/guides/build-sso-integration/saml2/main/#next-steps
+ to: /docs/guides/create-an-app-integration/saml2/main/#next-steps
- from: /docs/guides/build-sso-integration/oidc/test-your-app/index.html
to: /docs/guides/build-sso-integration/openidconnect/main/
- from: /docs/guides/build-sso-integration/saml/test-your-app/index.html
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /docs/guides/submit-app/prepare-for-submission/index.html
to: /docs/guides/submit-app-prereq/
- from: /docs/guides/submit-app/submit/index.html
@@ -1896,7 +1896,7 @@ redirects:
- from: /docs/guides/build-sso-integration/openidconnect/submit-your-app/index.html
to: /docs/guides/build-sso-integration/openidconnect/main/#next-steps
- from: /docs/guides/build-sso-integration/saml2/submit-your-app/index.html
- to: /docs/guides/build-sso-integration/saml2/main/#next-steps
+ to: /docs/guides/create-an-app-integration/saml2/main/#next-steps
- from: /docs/guides/build-provisioning-integration/prepare-guide/index.html
to: /docs/guides/scim-provisioning-integration-test/main/#next-steps
- from: /docs/api/resources/oidc.html/index.html
@@ -4174,29 +4174,29 @@ redirects:
- from: /docs/guides/build-sso-integration/-/next-steps/index.html
to: /docs/guides/build-sso-integration/
- from: /docs/guides/build-sso-integration/saml2/overview
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /docs/guides/build-sso-integration/saml2/before-you-begin
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /docs/guides/build-sso-integration/saml2/create-your-app
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /docs/guides/build-sso-integration/saml2/specify-your-settings
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /docs/guides/build-sso-integration/saml2/test-your-app
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /docs/guides/build-sso-integration/saml2/next-steps
- to: /docs/guides/build-sso-integration/saml2/main/#next-steps
+ to: /docs/guides/create-an-app-integration/saml2/main/#next-steps
- from: /docs/guides/build-sso-integration/saml2/overview/index.html
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /docs/guides/build-sso-integration/saml2/before-you-begin/index.html
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /docs/guides/build-sso-integration/saml2/create-your-app/index.html
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /docs/guides/build-sso-integration/saml2/specify-your-settings/index.html
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /docs/guides/build-sso-integration/saml2/test-your-app/index.html
- to: /docs/guides/build-sso-integration/saml2/main/
+ to: /docs/guides/create-an-app-integration/saml2/main/
- from: /docs/guides/build-sso-integration/saml2/next-steps/index.html
- to: /docs/guides/build-sso-integration/saml2/main/#next-steps
+ to: /docs/guides/create-an-app-integration/saml2/main/#next-steps
- from: /docs/guides/build-sso-integration/openidconnect/overview
to: /docs/guides/build-sso-integration/openidconnect/main/
- from: /docs/guides/build-sso-integration/openidconnect/before-you-begin
@@ -4626,47 +4626,57 @@ redirects:
- from: /docs/guides/style-the-widget/next-steps/index.html
to: /docs/guides/custom-widget/main/#see-also
- from: /docs/guides/oin-oidc-guide/overview
- to: /docs/guides/oin-sso-overview/
+ to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-guide/background
- to: /docs/guides/oin-sso-overview/
+ to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-guide/protocol-level-requirements
to: /docs/guides/build-sso-integration/openidconnect/main/#build-your-integration
- from: /docs/guides/oin-oidc-guide/multi-tenancy
- to: /docs/guides/oin-sso-overview/#okta-organization-and-multi-tenancy
+ to: /docs/concepts/multi-tenancy/#sso-app-integrations-and-multi-tenancy
- from: /docs/guides/oin-oidc-guide/integration-best-practices
- to: /docs/guides/oin-sso-overview/
+ to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-guide/next-steps
- to: /docs/guides/oin-sso-overview/#next-steps
+ to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-guide/overview/index.html
- to: /docs/guides/oin-sso-overview/
+ to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-guide/background/index.html
- to: /docs/guides/oin-sso-overview/
+ to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-guide/protocol-level-requirements/index.html
to: /docs/guides/build-sso-integration/openidconnect/main/
- from: /docs/guides/oin-oidc-guide/multi-tenancy/index.html
- to: /docs/guides/oin-sso-overview/#okta-organization-and-multi-tenancy
+ to: /docs/concepts/multi-tenancy/#sso-app-integrations-and-multi-tenancy
- from: /docs/guides/oin-oidc-guide/integration-best-practices/index.html
- to: /docs/guides/oin-sso-overview/
+ to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-guide/next-steps/index.html
- to: /docs/guides/oin-sso-overview/#next-steps
+ to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-best-practices/main
- to: /docs/guides/oin-sso-overview/
+ to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-best-practices/main/index.html
- to: /docs/guides/oin-sso-overview/
+ to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-best-practices/main/#rate-restrictions
to: /docs/guides/build-sso-integration/openidconnect/main/#rate-limit-considerations
- from: /docs/guides/oin-oidc-multi-tenancy/main
- to: /docs/guides/oin-sso-overview/#okta-organization-and-multi-tenancy
+ to: /docs/concepts/multi-tenancy/#sso-app-integrations-and-multi-tenancy
- from: /docs/guides/oin-oidc-multi-tenancy/main/index.html
- to: /docs/guides/oin-sso-overview/#okta-organization-and-multi-tenancy
+ to: /docs/concepts/multi-tenancy/#sso-app-integrations-and-multi-tenancy
- from: /docs/guides/oin-oidc-protocols/main
to: /docs/guides/build-sso-integration/openidconnect/main/
- from: /docs/guides/oin-oidc-protocols/main/index.html
to: /docs/guides/build-sso-integration/openidconnect/main/
- from: /docs/guides/oin-oidc-overview/main
- to: /docs/guides/oin-sso-overview/
+ to: /docs/concepts/sso-overview/
- from: /docs/guides/oin-oidc-overview/main/index.html
- to: /docs/guides/oin-sso-overview/
+ to: /docs/concepts/sso-overview/
+ - from: /docs/guides/oin-sso-overview/
+ to: /docs/concepts/sso-overview/
+ - from: /docs/guides/oin-sso-overview/index.html
+ to: /docs/concepts/sso-overview/
+ - from: /docs/guides/oin-sso-overview/#choose-your-sso-protocol
+ to: /docs/concepts/sso-overview/#choose-your-sso-protocol
+ - from: /docs/guides/oin-sso-overview/#okta-organization-and-multi-tenancy
+ to: /docs/concepts/multi-tenancy/#sso-app-integrations-and-multi-tenancy
+ - from: /docs/guides/oin-sso-overview/#tenants-in-okta
+ to: /docs/concepts/multi-tenancy/#tenants-in-okta
- from: /docs/guides/third-party-risk-integration/overview
to: /docs/guides/third-party-risk-integration/
- from: /docs/guides/third-party-risk-integration/overview/index.html
@@ -6091,3 +6101,23 @@ redirects:
to: /docs/guides/migrate-to-okta-with-scripts/main/
- from: /docs/guides/migrate-to-okta-bulk/main
to: /docs/guides/migrate-to-okta-with-scripts/main/
+ - from: /docs/guides/add-private-app/saml2/main/index.html
+ to: /docs/guides/create-an-app-integration/saml2/main/
+ - from: /docs/guides/add-private-app/saml2/main
+ to: /docs/guides/create-an-app-integration/saml2/main/
+ - from: /docs/guides/add-private-app/openidconnect/main/index.html
+ to: /docs/guides/create-an-app-integration/openidconnect/main/
+ - from: /docs/guides/add-private-app/openidconnect/main
+ to: /docs/guides/create-an-app-integration/openidconnect/main/
+ - from: /docs/guides/build-sso-integration/openidconnect/main/
+ to: /docs/guides/create-an-app-integration/openidconnect/main/
+ - from: /docs/guides/build-sso-integration/openidconnect/main/#deployment-models
+ to: /docs/concepts/redirect-vs-embedded/
+ - from: /docs/guides/build-sso-integration/openidconnect/main/#overview
+ to: /docs/concepts/sso-overview/
+ - from: /docs/guides/build-sso-integration/openidconnect/main/#build-your-integration
+ to: /docs/guides/submit-app-prereq/main/#oin-wizard-requirements
+ - from: /docs/guides/build-sso-integration/openidconnect/main/#scopes
+ to: /docs/concepts/oauth-claims/
+ - from: /docs/guides/build-sso-integration/openidconnect/main/#rate-limit-considerations
+ to: /docs/reference/rate-limits/
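Review bot: The new entry `from: /docs/guides/build-sso-integration/openidconnect/main/` turns every existing redirect that still targets that path into a two-hop chain. Unchanged entries in the earlier hunks of this file still use it as their `to:`, for example the `build-sso-integration/oidc/*` and `oin-oidc-guide/protocol-level-requirements` entries, some of them with `#build-your-integration`, `#next-steps` or `#rate-limit-considerations` fragments that this hunk now maps elsewhere. The saml2 targets were rewritten in place throughout this change; do the same for the openidconnect targets so each old URL resolves in one hop. Separately, the `add-private-app` entries here cover `main` and `main/index.html`, while the `build-sso-integration/openidconnect` entry covers only `main/`, so it is worth confirming that the no-slash and `index.html` forms are matched as well.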
diff --git a/packages/@okta/vuepress-site/docs/concepts/how-okta-works/index.md b/packages/@okta/vuepress-site/docs/concepts/how-okta-works/index.md
index affbc61506f..1a9ed88d16f 100644
--- a/packages/@okta/vuepress-site/docs/concepts/how-okta-works/index.md
+++ b/packages/@okta/vuepress-site/docs/concepts/how-okta-works/index.md
@@ -23,7 +23,7 @@ You can use Okta to [secure your APIs](/docs/guides/protect-your-api/) and appli
##### You have more than one app, and you want to implement Single Sign-On (SSO)
-Use Okta to allow your users to [sign in to other applications](/docs/guides/build-sso-integration/) instead of requiring them to remember separate sets of credentials for each application or service. Users can simply sign in once and access your full suite of applications.
+Use Okta to allow your users to [sign in to other applications](/docs/guides/sign-in-overview/main/) instead of requiring them to remember separate sets of credentials for each application or service. Users can simply sign in once and access your full suite of applications.
##### You want to enforce multifactor authentication (MFA) when your users want to access sensitive data
diff --git a/packages/@okta/vuepress-site/docs/concepts/multi-tenancy/index.md b/packages/@okta/vuepress-site/docs/concepts/multi-tenancy/index.md
index d1f73729c83..fa928a36e3e 100644
--- a/packages/@okta/vuepress-site/docs/concepts/multi-tenancy/index.md
+++ b/packages/@okta/vuepress-site/docs/concepts/multi-tenancy/index.md
@@ -42,6 +42,29 @@ different types of data is shown below:
+### Tenants in Okta
+
+In Okta, a tenant is represented as an Okta org. Each org is an isolated container that manages its own users, groups, and apps independently. Identity in Okta is scoped to the org, not globally unique across all of Okta.
+
+As an example, the same email address can exist as separate users in multiple orgs. For example, `alice.doe@example.com` can be a registered user in both `https://company1.okta.com` and `https://company2.okta.com` with different profile data in each. When building an app that serves multiple tenants, track which org authenticated a given user. You can't assume that profile data is consistent across orgs.
+
+Okta orgs host their interfaces through individual subdomains and each org is assigned a separate URL. The typical org URL is the tenant name (the subdomain) followed by the domain name. However, you can customize the domain name for your own domain and add individual aliases for each of your tenants.
+
+## SSO app integrations and multi-tenancy
+
+SSO app integrations are multi-tenant by design. Each customer (the organization deploying the SSO app) operates through a separate Okta org, and each org is a distinct tenant. The org serves as the identity provider (IdP) for that customer's users. For OpenID Connect (OIDC) integrations, the org acts as the authorization server. For SAML integrations, the org acts as the IdP.
+
+Because each org manages its own users, policies, and application access independently, a single app integration can serve multiple customers without their data or configurations affecting one another.
+
+### OIDC customer org credentials
+For OpenID Connect (OIDC) integrations, Okta uses a local credential system. When your customer adds your integration in their Okta org, they obtain a unique set of OIDC credentials. Each instance of your app integration inside a customer org has a separate set of OIDC client credentials that are used to access your app.
+
+This local credential approach differs from other IdPs that use a global credential system, where a given app has the same customer credentials across all orgs.
+
+See the [OIN multi-tenancy](/docs/guides/submit-app-prereq/main/#oin-multi-tenancy) requirement.
+
+You must track client credentials for each app integration instance for your app. For example, consider a scenario where your app integration is added to 10 separate customer orgs. Seven of those customers create a single instance of your app integration. However, the other three customers each create two separate instances of your app integration so they can use different configuration options. This scenario creates a total of 13 sets of client credentials for your app that you need to track.
+
## Why would you want more than one tenant
An organization can create a tenant for various reasons. For example
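Review bot: In the new "Tenants in Okta" section, the advice to "track which org authenticated a given user" stops short of telling the reader what to key user records on. The paragraph itself shows `alice.doe@example.com` existing as separate users in two orgs, so say explicitly that an email address alone must not be used as the account identifier in a multi-tenant app and that the org has to be part of the lookup. Two style points in the same hunk: that paragraph opens with "As an example" and then starts the next sentence with "For example", and `### OIDC customer org credentials` has no blank line after it, unlike the other headings added here.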
@@ -107,7 +130,7 @@ platform is ultimately decided by the customer. Okta offers four main
configurations for multi-tenancy. They are:
* [Configuration 1: Host tenants in a single org using Universal Directory (UD)](#configuration-1)
-* [Configuration 2: Host tenants in separate orgs (for example, hub-and-spoke](#configuration-2)
+* [Configuration 2: Host tenants in separate orgs (for example, hub-and-spoke)](#configuration-2)
* [Configuration 3: Mixed. Host tenants in both single and separate orgs](#configuration-3)
* [Configuration 4: Host tenants in a single org not using UD](#configuration-4)
diff --git a/packages/@okta/vuepress-site/docs/concepts/oauth-claims/index.md b/packages/@okta/vuepress-site/docs/concepts/oauth-claims/index.md
index c960624b195..0010fd10409 100644
--- a/packages/@okta/vuepress-site/docs/concepts/oauth-claims/index.md
+++ b/packages/@okta/vuepress-site/docs/concepts/oauth-claims/index.md
@@ -1,11 +1,11 @@
---
-title: OAuth 2.0 and OpenID Connect claims
+title: OAuth 2.0 claims and scopes
meta:
- name: description
- content: A high-level overview of OAuth 2.0 and OpenID Connect claims.
+ content: A high-level overview of OAuth 2.0 claims and scopes.
---
-# Learn about OAuth 2.0 and OpenID Connect claims
+# Learn about OAuth 2.0 claims and scopes
[OAuth 2.0 and OpenID Connect (OIDC)](/docs/concepts/oauth-openid) claims are key-value pairs of data that contain information, typically information about a user. Okta uses these claims to provide context about the user and their permissions.
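Review bot: The new title, description and H1 promise "claims and scopes", but the opening paragraph directly below still defines only claims and still begins "OAuth 2.0 and OpenID Connect (OIDC) claims". Either add a sentence introducing scopes to the opening paragraph or keep OpenID Connect in the title, so the page heading and its first paragraph agree. This matters more now that conductor.yml redirects the old `#scopes` fragment to this page.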
@@ -27,6 +27,10 @@ During the authorization flow, an app requests specific scopes. The resulting ac
You can use claims for fine-grained permissions and information to enhance the security of your apps. Scopes include bundles of claims, whereas claims provide more granularity that allows you to control access to specific resources or actions.
+> **Note**: The following scopes aren't supported for integrations published in the OIN:
+> * `offline_access` scope (since refresh tokens aren't supported)
+> * Custom scopes (such as the `groups` scope). You can only request the [OIDC scopes](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#scopes). You can't configure custom scopes.
+
### Claims in access tokens
Claims in access tokens pass information about the user and their permissions to the resource server. Access tokens can contain scopes and [custom claims](/docs/guides/customize-tokens-returned-from-okta/main/), while ID tokens can contain claims, but not scopes.
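Review bot: The added note states OIN restrictions on scopes without linking to where those restrictions are defined. The note added to the oauth-openid page in this same diff links to `/docs/guides/submit-app-prereq/main/#oidc-oauth-2-0-integration-limitations` for the same kind of restriction. Add that link here so the two pages point at one source and cannot drift apart. The last bullet also says the same thing twice ("You can only request the OIDC scopes. You can't configure custom scopes."), and one of those sentences can go.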
diff --git a/packages/@okta/vuepress-site/docs/concepts/oauth-openid/index.md b/packages/@okta/vuepress-site/docs/concepts/oauth-openid/index.md
index ce1bcfeac08..4b0f56ce1f9 100644
--- a/packages/@okta/vuepress-site/docs/concepts/oauth-openid/index.md
+++ b/packages/@okta/vuepress-site/docs/concepts/oauth-openid/index.md
@@ -57,7 +57,7 @@ The following describes the usual OAuth 2.0 Authorization Code flow.
At the core of both OAuth 2.0 and OIDC is the authorization server. An authorization server is simply an OAuth 2.0 token minting engine. Each authorization server has a unique issuer URI and its own signing key for tokens to keep a proper boundary between security domains. In the context of this guide, Okta is your authorization server.
-The authorization server also acts as an OIDC provider. This means you can request [ID tokens](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#id-token) in addition to [access tokens](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#access-token) from the authorization server endpoints.
+The authorization server also acts as an OIDC provider. This means that you can request [ID tokens](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#id-token) in addition to [access tokens](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#access-token) from the authorization server endpoints.
> **Note:** For information on authorization servers, how they work, and how you can use them, see [Authorization servers](/docs/concepts/auth-servers).
@@ -94,6 +94,8 @@ The following table shows you which OAuth 2.0 flow to use for the type of app th
> **Note**: There's also an OAuth 2.0 [SAML 2.0 Assertion flow](#saml-2-0-assertion-flow). This flow is intended for client apps that want to use an existing trust relationship without a direct user approval step at the authorization server. It supports access and ID tokens.
+> **Note:** If you're building an integration for the [Okta Integration Network (OIN)](https://www.okta.com/integrations/), additional restrictions apply to your flow choice and authorization server. See [OIDC/OAuth 2.0 integration limitations](/docs/guides/submit-app-prereq/main/#oidc-oauth-2-0-integration-limitations).
+
### What kind of client are you building?
The type of OAuth 2.0 flow depends on what kind of client that you're building. This flowchart can quickly help you decide which flow to use.
diff --git a/packages/@okta/vuepress-site/docs/concepts/redirect-vs-embedded/index.md b/packages/@okta/vuepress-site/docs/concepts/redirect-vs-embedded/index.md
index 14026f28010..e1c453f210b 100644
--- a/packages/@okta/vuepress-site/docs/concepts/redirect-vs-embedded/index.md
+++ b/packages/@okta/vuepress-site/docs/concepts/redirect-vs-embedded/index.md
@@ -47,7 +47,7 @@ The user or system is redirected to Okta for credential verification. The user o
You can customize your app's [domain](/docs/guides/custom-url-domain/) and the [Okta Sign-In Widget style](/docs/guides/custom-widget/) to match your brand.
-> **Note**: [SSO](/docs/guides/build-sso-integration/) is supported for redirect authentication. This means that Okta may create a session (based on the Okta policies, for example). Other integrated apps can then use SSO to sign users in.
+> **Note**: [SSO](/docs/guides/sign-in-overview/main/) is supported for redirect authentication. This means that Okta may create a session (based on the Okta policies, for example). Other integrated apps can then use SSO to sign users in.
Consider, for example, when an organization uses Okta as its Identity Provider:
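Review bot: The `[SSO]` link in the changed note now targets `/docs/guides/sign-in-overview/main/`, which by its path is a general sign-in overview, while the rest of this change treats `/docs/concepts/sso-overview/` as the SSO landing page (the `oin-sso-overview` redirects in conductor.yml all go there). Link text that reads "SSO" would be better pointed at `/docs/concepts/sso-overview/`.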
diff --git a/packages/@okta/vuepress-site/docs/concepts/saml/index.md b/packages/@okta/vuepress-site/docs/concepts/saml/index.md
index 7c19f0340a7..b69fb7d3049 100644
--- a/packages/@okta/vuepress-site/docs/concepts/saml/index.md
+++ b/packages/@okta/vuepress-site/docs/concepts/saml/index.md
@@ -175,4 +175,4 @@ This is important when you want to SAML-enable all users in your app. Sometimes,
### SAML toolkits
-- [Use SAML toolkits](https://developer.okta.com/docs/guides/build-sso-integration/saml2/main/#use-saml-toolkits)
+- [Use SAML toolkits](https://developer.okta.com/docs/guides/create-an-app-integration/saml2/main/#use-saml-toolkits)
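Review bot: The updated link keeps the absolute `https://developer.okta.com/...` form for an internal page, while the sso-overview change in this same diff replaces an absolute developer.okta.com link with a relative one. Use `/docs/guides/create-an-app-integration/saml2/main/#use-saml-toolkits` here, and confirm that the `#use-saml-toolkits` anchor exists on the new page, since nothing in this diff shows it.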
diff --git a/packages/@okta/vuepress-site/docs/concepts/sso-overview/index.md b/packages/@okta/vuepress-site/docs/concepts/sso-overview/index.md
index 1196d3b39e1..48e83dfb27b 100644
--- a/packages/@okta/vuepress-site/docs/concepts/sso-overview/index.md
+++ b/packages/@okta/vuepress-site/docs/concepts/sso-overview/index.md
@@ -28,7 +28,7 @@ When you implement SSO, you let a central IdP handle authentication for you. SSO
## How Okta supports SSO
-Okta is a cloud-based identity and access management (IAM) platform that acts as the centralized IdP for your users. Okta provides SSO integrations for thousands of cloud, on-premises, and mobile apps. The platform uses standard protocols such as OIDC, SAML, and SWA to maintain these integrations.
+Okta is a cloud-based identity and access management (IAM) platform that acts as the centralized IdP for your users. Okta provides SSO integrations for thousands of cloud, on-premises, and mobile apps. The platform uses standard protocols such as OIDC, SAML, and SWA to maintain these integrations.
Okta also handles user verification, multifactor authentication (MFA), and lifecycle management, providing a robust and secure foundation for your app.
A user's SSO experience with Okta can happen in a few different ways:
@@ -41,6 +41,18 @@ A user's SSO experience with Okta can happen in a few different ways:
In these scenarios, the user only has to remember a single credential, which is managed securely by Okta.
+## Choose your SSO protocol
+
+Okta supports two protocols for handling federated SSO: OpenID Connect (OIDC) and Security Assertion Markup Language (SAML). The SSO protocol that you choose to implement your app integration with is based on your app and use case. For new app integrations, OIDC is recommended.
+
+| |  OIDC |  SAML |
+| ------ | :------------------- | :----------------------- |
+| **Description** | [OpenID Connect](/docs/concepts/oauth-openid/#openid-connect) extends OAuth 2.0 to provide an ID token that can be used to verify a user’s identity and sign them in to a cloud-based app. It's quickly becoming the new standard for SSO. | [Security Assertion Markup Language (SAML)](/docs/concepts/saml) is a traditional enterprise protocol for SSO in web apps. Okta supports SAML 2.0. |
+| **Benefits** |
- A newer protocol with widespread and growing use
- Best Okta customer configuration experience
- Ideal for mobile and cloud apps
| - Many people are familiar with SAML because it's an older protocol
- Widely used federation protocol for SSO in web apps
- Many SaaS providers support SAML integration to grant SSO access to end users
|
+| **Technology** | - An identity layer on top of the [OAuth 2.0](https://oauth.net/2/) protocol
- Verifies end user identity and obtains profile information
- Lightweight and REST-based
| - XML-based messages
- The specification doesn’t have user consent, although it can be built into the flow
|
+| **Resources** | - [OpenID Connect Foundation](https://openid.net/connect/)
| - [SAML 2.0 Technical Overview](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html)
|
+| **Get started** | - [Build an Okta SSO integration with OIDC](/docs/guides/build-sso-integration/openidconnect/main/)
| - [Build an Okta SSO integration with SAML](/docs/guides/build-sso-integration/saml2/main/)
|
+
## SSO, Single Logout (SLO), and Universal Login
With SSO in Okta, a user authenticates once with Okta (the IdP) and can seamlessly access multiple apps, using federation protocols like SAML, OIDC, or WS-Fed. [Single Logout (SLO)](/docs/guides/single-logout/saml2/main/) extends this by allowing a sign-out action from one app to propagate back to the IdP and, in turn, notify other connected apps to terminate their sessions. However, as SLO relies on each app’s protocol support, the sign-out experience can be inconsistent.
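Review bot: In the "Get started" row of the new table, both links point at `/docs/guides/build-sso-integration/...`, the path this change moves every other reference away from. The OIDC link will only resolve through the redirect added in conductor.yml, and no redirect from `/docs/guides/build-sso-integration/saml2/main/` appears anywhere in this diff, so the SAML link may end up dead. Link directly to `/docs/guides/create-an-app-integration/openidconnect/main/` and `/docs/guides/create-an-app-integration/saml2/main/`. Minor: "It's quickly becoming the new standard for SSO" in the Description row will date quickly and could be dropped.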
@@ -51,5 +63,4 @@ Universal Logout addresses these inconsistencies by creating a more reliable, ce
The Okta Integration Network (OIN) is a catalog of pre-built integrations with thousands of apps. You can easily integrate Okta SSO to apps with a guided experience that still supports the most secure configuration options.
-For information on SSO integrations in the Okta Integration Network (OIN), see [Overview of Single Sign-On in the OIN](https://developer.okta.com/docs/guides/oin-sso-overview/).
-
+For information on SSO integrations in the Okta Integration Network (OIN), see [Publish an OIN integration](/docs/guides/submit-app-overview/).
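Review bot: The replacement sentence still opens with "For information on SSO integrations in the Okta Integration Network (OIN)" but now links to the general Publish an OIN integration overview at `/docs/guides/submit-app-overview/`, so the lead-in promises SSO-specific content that the target may not be scoped to. Reword the sentence to match the new target (for example, "To publish an SSO integration in the OIN, see ..."), or link to an SSO-specific page if one remains.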
diff --git a/packages/@okta/vuepress-site/docs/guides/add-private-app/index.md b/packages/@okta/vuepress-site/docs/guides/add-private-app/index.md
deleted file mode 100644
index 13b3e1b88f9..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/add-private-app/index.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-title: Add a private SSO integration
-meta:
- - name: description
- content: Learn how to add a private SSO app integration to your Okta org
-layout: Guides
-sections:
- - main
----
diff --git a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/index.md b/packages/@okta/vuepress-site/docs/guides/add-private-app/main/index.md
deleted file mode 100644
index 7db847b06f8..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/index.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: Add a private SSO integration
-meta:
- - name: description
- content: Learn how to add a private SSO app integration to your Okta org
-layout: Guides
----
-
-Use this guide to add a private, custom Single Sign-On (SSO) OpenID Connect (OIDC) or SAML 2.0 integration to your Okta org. Only the users of the org where you install the private integration can use it. This guide also shows you how to test the private integration in your org.
-
----
-
-#### Learning outcomes
-
-* Learn how to add a private SSO integration to your Okta org
-* Learn how to test your SSO integration in your Okta org
-
-#### What you need
-
-* A functional SSO integration created in accordance with the [Build a Single Sign-On integration](/docs/guides/build-sso-integration/) guide
-* An Okta org (such as an [Okta Integrator Free Plan org](https://developer.okta.com/signup))
-
----
-
-## Overview
-
-To integrate your app for Single Sign-On (SSO) with Okta, you need to first develop your app SSO integration. Then, you need to register your app with an Okta org before you can test it.
-
-Registration involves creating an app integration instance in your Okta org to provide you with the SSO credentials or metadata for your app authentication requests. This integration is considered private because it's only available in the org from where the app integration instance was created.
-
-> **Note:** An app integration is considered public if it's available in the [Okta Integration Network (OIN) catalog](https://www.okta.com/integrations/) for all Okta customers.
-
-This guide assumes that you've developed your app SSO integration and want to add it to your Okta org. The instructions in this guide are generic for two SSO standards:
-
-* **OpenID Connect (OIDC)** (preferred)
-* **Security Assertion Markup Language (SAML)**
-
-> **Note:** Private integrations aren't restricted to the [OIN limitations](/docs/guides/submit-app-prereq/main/#oin-limitations). You can implement the Okta features that are available on your specific Okta org.
-
-## Create your private integration in Okta
-
-After you build your app SSO integration, use the Application Integration Wizard (AIW) in the Admin Console to create your app integration instance. This instance provides you with client credentials or metadata for your SSO flows.
-
-> **Note:** As a best practice, create two or three extra admin users in your Okta org to manage the integration. This ensures that your team can access the integration for updates in the future.
-
-1. Sign in to your Integrator Free Plan org as a user with administrative privileges.
-1. Go to **Applications** > **Applications** in the Admin Console.
-1. Click **Create App Integration**.
-
-
-
-## Specify your integration settings
-
-After you create your integration instance, the main settings page appears for your new integration in the Admin Console. Specify **General Settings** and **Sign On** options, and assign the integration to users in your org. Click **Edit** if you need to change any of the options, and **Save** when you finish.
-
-
-
-## Test your integration
-
-This portion of the guide takes you through the steps required to test your integration.
-
-### Assign users
-
-First, you must assign your integration to one or more test users in your org:
-
-1. Click the **Assignments** tab.
-1. Click **Assign** and then select either **Assign to People** or **Assign to Groups**.
-1. Enter the appropriate people or groups that you want to have Single Sign-On into your application, and then click **Assign** for each.
-1. Verify the user-specific attributes for any people that you add, and then select **Save and Go Back**.
-1. Click **Done**.
-
-### Test Single Sign-On
-
-1. Sign out of your Okta org by clicking **Sign out** in the upper-right corner of the Admin Console.
-1. Sign in to the Okta End-User Dashboard as a regular user assigned to the integration.
-
- > **Note:** If you sign in as a non-admin user to your Okta org from a browser, the End-User Dashboard appears. To access the End-User Dashboard from a mobile device, see [Okta End-User-Dashboard](https://help.okta.com/okta_help.htm?type=eu&id=ext_user_dashboard_overview).
-1. Click the Okta tile for the integration and confirm that the user is signed in to your app.
-
-
-
-## Next steps
-
-After you test your SSO integration, communicate to your Okta org users about the custom app SSO capability.
-
-If you decide to publish your integration to the OIN later on:
-
-* Review the [Publish an OIN integration](/docs/guides/submit-app-overview/) overview to understand the submission process for publishing an integration.
-* Review the [OIN submission requirements](/docs/guides/submit-app-prereq/) before starting the submission process.
-* Use the [OIN Wizard: Submit an SSO integration](/docs/guides/submit-oin-app/saml2/main/) guide to test and submit your integration to the OIN.
-
-## See also
-
-
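Review bot: Deleting this guide removes the `/docs/guides/add-private-app/` route, and nothing in this part of the patch adds a redirect for it, so existing bookmarks and external links to the private-integration instructions would stop resolving. Add a redirect to the replacement guide. Also check that the replacement keeps the best-practice note about creating two or three extra admin users to manage the integration, which is dropped here along with the rest of the page.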
diff --git a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/openidconnect/create.md b/packages/@okta/vuepress-site/docs/guides/add-private-app/main/openidconnect/create.md
deleted file mode 100644
index 82f6972485f..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/openidconnect/create.md
+++ /dev/null
@@ -1,7 +0,0 @@
-4. On the Create a new app integration page, select **OpenID Connect** in the **Sign-in method** section.
-1. Choose either **Web Application** or **Single-Page Application** as the **Application type** for your integration.
-1. Click **Next**.
-1. In **General Settings**, enter a name for your integration and (optionally) upload a logo.
-1. Add your **Sign-in redirect URIs** and optional **Sign-out redirect URIs**. These URIs must be absolute URIs, and you can specify more than one.
-1. In **Assignments**, assign a group or leave the **Everyone** default. Be sure to verify that the users you want to have access are assigned to the group that you select. For instructions on how to assign the app integration to individual users and groups, see the [Assign app integrations](https://help.okta.com/okta_help.htm?id=ext_Apps_Apps_Page-assign) topic in the Okta product documentation.
-1. Click **Save**.
diff --git a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/openidconnect/see-also.md b/packages/@okta/vuepress-site/docs/guides/add-private-app/main/openidconnect/see-also.md
deleted file mode 100644
index 142b3a8ab4d..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/openidconnect/see-also.md
+++ /dev/null
@@ -1,4 +0,0 @@
-* [OAuth 2.0 vs. OpenID Connect](/docs/concepts/oauth-openid/#oauth-2-0-vs-openid-connect)
-* [Okta Developer Forum: OIDC](https://devforum.okta.com/search?q=oidc)
-* [Redirect authentication](/docs/guides/redirect-authentication/): for language and platform-specific redirect authentication guides
-* [Embedded authentication](/docs/guides/embedded-authentication/): for language, platform-specific, and embedded-authentication use case guides
\ No newline at end of file
diff --git a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/openidconnect/settings.md b/packages/@okta/vuepress-site/docs/guides/add-private-app/main/openidconnect/settings.md
deleted file mode 100644
index d64919c67f2..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/openidconnect/settings.md
+++ /dev/null
@@ -1,33 +0,0 @@
-### Specify OIDC settings
-
-* On the **General** tab, select the [grant type](/docs/guides/implement-grant-type/) for your OAuth 2.0 flow based on your app type:
-
- * Web app:
- * **Authorization Code** (mandatory for web platform applications)
- * **Refresh token** (not supported for OIN app integrations)
- * **Implicit (hybrid)** (optional) Click **Advanced** to select.
- > **Note:** If you're using Classic Engine, select **Implicit (hybrid)** from the **Grant type** section.
- * SPA:
- * **Authorization Code**
- * **Implicit (hybrid)** Click **Advanced** to select.
-
- > **Note:** For SPA app integrations, the **Authorization Code** grant type always uses PKCE to verify the client. Also, the **Client acting on behalf of itself** grant type isn't supported in OIN app integrations.
-
-* If you only want to support direct SSO to your application (the integration isn't launched from the Okta End-User Dashboard), then:
- 1. Enter one or more **Sign-in redirect URIs** values where Okta sends the OAuth responses.
- 1. Set the **Sign-in initiated by** dropdown box to **App Only**.
- 1. Leave the remaining default values.
-
-* If you want to support launching your application from the Okta dashboard:
- 1. Enter one or more **Sign-in redirect URIs** values where Okta sends the OAuth responses.
- 2. (Optional) Enter the **Sign-out redirect URIs** where Okta redirects the browser after it receives the sign-out request from the relying party. Okta also terminates the user's session. See [Configure Single Logout in app integrations](https://help.okta.com/okta_help.htm?id=ext_Apps_Single_Logout) or the [`/logout` API endpoint](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/logoutCustomASWithPost).
- 3. Change the **Login initiated by** field to **Either Okta or App** to give your integration an Okta tile.
- >**Note:** When you select this option, an **App Embed Link** section appears at the bottom of the page. The URL that the user can use to sign in to the OIDC client from outside of Okta is provided.
- 4. Select **Display application icon to users**.
- 5. Select the **Login flow** option. For OIN app integrations, you must select **Redirect to app to initiate login (OIDC Compliant)**.
- 6. Enter or change the URI used to initiate the sign-in request.
- 7. Click **Save** to commit your changes.
-
-* If required, you can generate a new client secret. In the **Client Credentials** section, click **Edit**, then **Generate New Client Secret**.
-
-> **Note:** If you generate a new set of client credentials, update your app to include the new credentials for your SSO integration.
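Review bot: Two pieces of security-relevant guidance disappear with this file and should be confirmed present in the replacement guide before merging: the SPA note that the **Authorization Code** grant type always uses PKCE to verify the client, and the closing note telling admins to update the app with the new credentials after **Generate New Client Secret**. If the replacement doesn't cover them, carry both notes over rather than dropping them.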
diff --git a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/openidconnect/test.md b/packages/@okta/vuepress-site/docs/guides/add-private-app/main/openidconnect/test.md
deleted file mode 100644
index 60122b2158f..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/openidconnect/test.md
+++ /dev/null
@@ -1,14 +0,0 @@
-### Test Application-initiated sign-in flow
-
-1. Sign out of your administrator account in your development org and also sign out of your application.
-1. Begin the sign-in process to your app, either through your app sign-on button or directly by pasting one of the **Sign-in redirect URIs** into your web browser address bar. Regardless of which method you choose, your browser must end up at the Okta-hosted sign-in page.
-1. Sign in to your regular user account on the Okta-hosted sign-in page.
-1. Confirm that Okta successfully redirects back into your application.
-
-### Troubleshoot issues
-
-If you run into issues with your sign-in process, you can try the following to troubleshoot the issues:
-
-* In the Admin Console of your Okta development org, go to **Reports** > **System Log** and examine any failure messages reported.
-* Open the Admin Console in your web browser and examine any status messages related to your authentication request. The console errors have status codes in the 4XX range. Investigate and resolve any error messages generated by your sign-in request.
-* Post your questions on the [Okta Developer Forum](https://devforum.okta.com/search?q=oidc).
diff --git a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/saml2/create.md b/packages/@okta/vuepress-site/docs/guides/add-private-app/main/saml2/create.md
deleted file mode 100644
index 6e62d91ea71..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/saml2/create.md
+++ /dev/null
@@ -1,32 +0,0 @@
-4. Select **SAML 2.0** in the **Sign-in method** section.
-1. Click **Next**.
-1. On the **General Settings** tab, enter a name for your integration and optionally upload a logo. You can also choose to hide the integration from your end user's Okta dashboard or mobile app. Click **Next**.
-1. On the **Configure SAML** tab, use the SAML information that you gathered when you built your integration. See [Create SAML app integrations](https://help.okta.com/okta_help.htm?id=ext_Apps_App_Integration_Wizard-saml) in the Okta product documentation.
- * In the **Single sign on URL** field, enter the Assertion Consumer Service (ACS) URL.
- * Enter the Audience URI into the **Audience URI (SP Entity ID)** field.
- >**Note:** If you're just testing your setup using a sample SAML SP (such as this [SAML Service Provider on GitHub](https://github.com/mcguinness/saml-sp)), enter the following test URL into the **Single sign on URL** and **Audience URI (SP Entity ID)** fields: `http://example.com/saml/sso/example-okta-com`
- * Choose the **Name ID format** and **Application username** that must be sent to your application in the SAML response (for example, `EmailAddress` and `Email`) or leave the defaults.
- * In the **Attribute Statements (optional)** section, enter the SAML attributes to be shared with your application.
- For example:
- | Name (in SAML application) | Value (in Okta profile) |
- | ----------------------- | ------------------------- |
- | `FirstName` | `user.firstName` |
- | `LastName` | `user.lastName` |
- | `Email` | `user.email` |
- * If your org uses groups to categorize users, fill in the **Group Attribute Statements (optional)** section to filter by group membership in your SAML assertion. For example:
- * **Name** — `groups`
- * **Filter** — `Matches regex`
- * **Value** — `.*`
- * Click **< > Preview the SAML Assertion** in section B to preview the generated SAML assertion.
- * Click **Next**.
-1. In the final creation step, the **Feedback** tab helps Okta to understand how you want to position this application.
- * If you're only creating an internal (private) SAML integration:
- 1. Select **I'm an Okta customer adding an internal app**. More checkboxes and fields appear.
- * Select the **App type** if you don't want the integration released publicly. If you select this box, you don't need to enter any further information.
- * Select the **Contact app vendor** checkbox if Okta needs to contact you to enable SAML for the integration. If you select this checkbox, you need to provide further general information about your integration to the Okta OIN team.
- 1. Click **Finish**.
- * If you're an independent software vendor (ISV) and plan to add the SAML integration to the OIN:
- 1. Select **I'm a software vendor. I'd like to integrate my app with Okta**.
- 1. Click **Finish**.
- > **Note:** Selecting this option doesn't automatically make your integration available in the [OIN](https://www.okta.com/integrations/). After you test your integration, [submit it](/docs/guides/submit-oin-app/saml2/main/) to the OIN team for verification and publication. See the OIN [submission process](/docs/guides/submit-app-overview/#submission-process) overview.
-1. Click **Finish**.
diff --git a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/saml2/see-also.md b/packages/@okta/vuepress-site/docs/guides/add-private-app/main/saml2/see-also.md
deleted file mode 100644
index e83237a3730..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/saml2/see-also.md
+++ /dev/null
@@ -1,2 +0,0 @@
-* [Okta SAML FAQs](/docs/concepts/saml/faqs/)
-* [Okta Developer Forum: SAML](https://devforum.okta.com/search?q=saml)
diff --git a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/saml2/settings.md b/packages/@okta/vuepress-site/docs/guides/add-private-app/main/saml2/settings.md
deleted file mode 100644
index baffd325d2b..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/saml2/settings.md
+++ /dev/null
@@ -1,14 +0,0 @@
-### Specify SAML settings
-
-* On the **General** tab, in the **Application** area, you can rename your integration and select visibility and launch options. You can also make any changes to the SAML settings if they changed from your original values.
-
-* On the **Sign On** tab, you can download the Identity Provider metadata for your integration. This information is needed to configure the SAML connection settings inside your SAML SP application:
- 1. In the **Sign on methods** section, locate the **Metadata URL** link right before the **Credential Details** section.
- 1. Click **Copy** next to the metadata URL. The metadata contained at this link has the information required by your SAML SP application.
-
- Okta recommends copying the **Metadata URL** link to dynamically configure the metadata. If your SP doesn't support dynamic configuration, you can click the **More details** dropdown menu to view and copy the specific properties:
- * Sign-on URL
- * Sign-out URL
- * Issuer
- * Signing Certificate
- 1. In your SAML SP application, you can paste the link or the metadata as required to configure the IdP metadata.
diff --git a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/saml2/test.md b/packages/@okta/vuepress-site/docs/guides/add-private-app/main/saml2/test.md
deleted file mode 100644
index d59259f0834..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/add-private-app/main/saml2/test.md
+++ /dev/null
@@ -1,6 +0,0 @@
-### Troubleshoot SAML issues
-
-If you run into issues with your sign-in process, you can try the following to troubleshoot the issues:
-
-* Install the [SAML Tracer extension to Firefox](https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/) for testing, or similar tools for other browsers.
-* Post your questions on the [Okta Developer Forum](https://devforum.okta.com/search?q=saml).
diff --git a/packages/@okta/vuepress-site/docs/guides/build-sso-integration/index.md b/packages/@okta/vuepress-site/docs/guides/build-sso-integration/index.md
deleted file mode 100644
index 66f9a8594fe..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/build-sso-integration/index.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-title: Build a Single Sign-On (SSO) integration
-excerpt: Build an SSO app integration using SAML or OIDC for the OIN.
-meta:
- - name: description
- content: Use this guide to learn how to build a federated Single Sign-On integration with Okta.
-layout: Guides
-sections:
- - main
----
diff --git a/packages/@okta/vuepress-site/docs/guides/build-sso-integration/main/index.md b/packages/@okta/vuepress-site/docs/guides/build-sso-integration/main/index.md
deleted file mode 100644
index e5686041551..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/build-sso-integration/main/index.md
+++ /dev/null
@@ -1,103 +0,0 @@
----
-title: Build a Single Sign-On (SSO) integration
-excerpt: Create an app integration using Security Assertion Markup Language (SAML) or OpenID Connect (OIDC).
-meta:
- - name: description
- content: Use this guide to learn how to integrate federated Single Sign-On with Okta for your app.
-layout: Guides
----
-
-This guide teaches you how to integrate your federated SSO application with Okta. This guide assumes that you intend to make this app integration public by publishing it in the Okta Integration Network (OIN).
-
----
-
-#### Learning outcome
-
-Create and test an SSO app integration for OIN submission.
-
-#### What you need
-
-* [Okta Integrator Free Plan org](https://developer.okta.com/signup/)
-* An app to integrate SSO with Okta
-
----
-
-## Overview
-
-Single Sign-On (SSO) is an authentication method that enables end users to sign in to multiple applications (apps) with one set of credentials. If you have customers that use Okta as an Identity Provider, you want to publish your SSO app integration to the OIN. By having your integration in the OIN catalog, your customers can easily configure SSO for your app. See [Overview of Single Sign-On in the OIN](/docs/guides/oin-sso-overview) for all the benefits of having your integration in the OIN catalog.
-
-To create an SSO integration for the OIN, first sign up for a free [Integrator Free Plan org](https://developer.okta.com/signup/). Next, select the type of SSO protocol that you want to implement. Okta supports two SSO standards for your integration:
-
-* **OpenID Connect (OIDC)** (preferred)
-* **Security Assertion Markup Language (SAML)**
-
-Okta recommends using OIDC for new SSO integrations.
-
-> **Note:** Not all Okta SSO features are supported in the OIN. See [OIN limitations](/docs/guides/submit-app-prereq/main/#oin-limitations).
-
-### Deployment models
-
-After you've decided on a protocol, select a deployment model. Okta offers [redirect](/docs/concepts/redirect-vs-embedded/#redirect-authentication) or [embedded](/docs/concepts/redirect-vs-embedded/#embedded-authentication) authentication deploy models. Redirect authentication uses the [Okta Sign-In Widget](https://github.com/okta/okta-signin-widget#okta-sign-in-widget) and is the easiest, most secure way to integrate with Okta.
-
-Okta recommends the redirect authentication deployment model if your situation meets the [requirements](/docs/concepts/redirect-vs-embedded/#redirect-okta-hosted-vs-embedded-self-hosted). For more information on deployment models, see [Okta deployment models—redirect vs. embedded](/docs/concepts/redirect-vs-embedded/).
-
-## Build your integration
-
-
-
-## Create your integration in Okta
-
-> **Note**: This section assumes that you already built the SSO integration in your app.
-
-Instructions for adding your SSO integration into Okta depend on if you want to provide a public or private integration:
-
-
-
-
-
-
-
-
-
-### Submit an OIN integration
-
-If you want to publish your integration in the Okta Integration Network (OIN), follow the instructions in [OIN Wizard: Submit an SSO integration](/docs/guides/submit-oin-app/). This guide shows you how to use the OIN Wizard to:
-
-* Add required integration artifacts and metadata.
-* Create an app integration instance for testing.
-* Test your SSO flows.
-* Submit your integration for OIN verification.
-
-Having your SSO integration public in the OIN catalog provides you with exposure to all Okta customers.
-
-> **Notes:**
-> * Creating an app integration instance doesn't automatically make it available in the [OIN](https://www.okta.com/integrations/). After you test your integration, [submit it](/docs/guides/submit-oin-app/-/main/#submit-your-integration) to the OIN team for verification and publication.
-> * The OIN Wizard doesn't support new SSO integrations with more than three app instance variables or advanced SAML features.
-
-### Add a private integration
-
-If you want your integration to exist only in your Okta org, follow the instructions in [Add a private SSO integration](/docs/guides/add-private-app/). This guide shows you how to use the Application Integration Wizard (AIW) in the Admin Console to:
-
-* Create your app integration instance.
-* Test your SSO flows.
-
-Your org users can access your app after SSO is configured.
-
-The following are common use cases for adding a private SSO integration:
-
-* I want to test my SSO integration in my Integrator Free Plan org. I have no immediate plans to have it publicly available.
-* I want my SSO integration to only be available in the org I'm using.
-* I have a SAML integration with more than three instance variables and advanced SAML features that aren't included in the OIN Wizard.
-
-## Next steps
-
-If you want to publish your integration, start the submission process to have your SSO integration included in the OIN:
-
-* Review the [Publish an OIN integration](/docs/guides/submit-app-overview/) overview to understand the submission process for publishing an integration.
-* Follow the [OIN Wizard: Submit an SSO integration](/docs/guides/submit-oin-app/) guide to submit your SSO integration.
-
-## See also
-
-
diff --git a/packages/@okta/vuepress-site/docs/guides/build-sso-integration/main/openidconnect/prep.md b/packages/@okta/vuepress-site/docs/guides/build-sso-integration/main/openidconnect/prep.md
deleted file mode 100644
index eba73113c2f..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/build-sso-integration/main/openidconnect/prep.md
+++ /dev/null
@@ -1,145 +0,0 @@
-If you haven't built the OIDC service in your app yet, review the [OAuth 2.0 and OpenID Connect Overview](/docs/concepts/oauth-openid/).
-
-For OIDC integrations that you want to publish in the OIN catalog, review the following implementation topics:
-
-1. Use the Authorization Code flow with client secrets for your app. Select **Web Application** as the OIDC app type when you create your app integration in your Okta org.
-1. [Determine the scopes](#scopes) that you require for your OIDC client (your app).
-1. Consider how your app stores [customer client credentials](#oidc-customer-org-credentials).
-1. Understand how to [validate tokens](#token-validation) in your OIDC client.
-
- > **Note:** You can't use the Okta SDKs to validate access tokens for apps in the OIN. This is due to the OIN restriction of using an org authorization server and the Authorization Code flow.
-
-1. Implement credential rotation in your app.
-
- Your app must support automatic credential rotation. See [key rotation](#key-rotation).
-1. Determine the sign-in redirect URIs for your app.
-
- A redirect URI is where Okta sends the authentication response and ID token during the sign-in flow. You can specify more than one URI if required.
-
-1. [Consider rate limits](#rate-limit-considerations) when you build your integration.
-
-After you've built the SSO integration in your app with the previous guidance list, test it with an Okta app integration instance. See [Create your integration in Okta](#create-your-integration-in-okta).
-
-### OIDC customer org credentials
-
-Okta uses a [multi-tenant](/docs/guides/oin-sso-overview/#okta-organization-and-multi-tenancy) local credential system for OIDC integrations. When your customer adds your integration in their Okta org, they obtain a unique set of OIDC credentials. Each instance of your app integration inside a customer org has a separate set of OIDC client credentials that are used to access your app.
-
-This multi-tenant approach differs from other IdPs that use a global credential system, where a given app has the same customer credentials across all orgs.
-
-See the [OIN multi-tenancy](/docs/guides/submit-app-prereq/main/#oin-multi-tenancy) requirement.
-
-You must track client credentials for each app integration instance for your app. For example, consider a scenario where your app integration is added to 10 separate customer orgs. Seven of those customers create a single instance of your app integration. However, the other three customers each create two separate instances of your app integration so they can use different configuration options. This scenario creates a total of 13 sets of client credentials for your app that you need to track.
-
-### Determine the OAuth 2.0 flow to use
-
-> **Note:** Quickstarts and example links provided in this section may use features not supported in the OIN. For example, the use of a custom authorization server isn't supported.
-
-Select the OAuth 2.0 flow to use based on your app:
-
-* For web apps:
-
- Okta mandates the [Authorization Code flow](/docs/guides/implement-grant-type/authcode/main/). This flow is used for apps with a dedicated server-side backend capable of securely storing a client secret. The app integration can also exchange information with an authorization server through trusted back-channel connections.
- > **Note:** The implicit flow is extremely challenging to implement securely. Therefore, Okta doesn’t recommend its use for token exchange in web apps. If your use case requires the use of an implicit flow for token exchange, contact [Okta Support](https://support.okta.com).
-
-* For single-page apps (SPA) and mobile apps:
-
- The OIN doesn’t support direct authentication from SPAs or native mobile apps. Instead, your backend systems must handle authentication.
-
-In this architecture, your SPA or mobile app shouldn’t manage tokens directly. Instead, use an intermediary system, such as an API gateway or a backend-for-frontend service, to facilitate communication between your client app and the resource server. Okta recommends implementing the authorization code flow for secure authentication and token exchange.
-
-> **Notes:**
-> * Ensure that you select **Web Application** as the OIDC app type when you create your app integration in your Okta org.
-> * Native and mobile app integrations aren't accepted as OIDC app integrations in the OIN unless they use server-side authentication patterns. Set up your app to use an authentication flow that allows your client app to talk to your SaaS backend. Your SaaS backend can then securely communicate with Okta through trusted back-channel connections. See [Implement the authorization code flow](/docs/guides/implement-grant-type/authcode/main/) to implement the OAuth 2.0 flow
-
-When you follow these guides, be aware of the authorization server used. Most of the examples show you how to make an `/authorize` or `/token` request using a [custom authorization server](/docs/concepts/auth-servers/#custom-authorization-server). To support the potentially large number of Okta orgs accessing it through the OIN, an OIDC integration can't use a custom authorization server (this includes the `default` server). Therefore, for OIN OIDC apps, you can only use the [org authorization server](/docs/concepts/auth-servers/#org-authorization-server).
-
-For example, the following are the various `/authorize` request URLs for the different authorization servers:
-
-**custom authorization server**: `https://{customerOktaDomain}/oauth2/{authorizationServerId}/v1/authorize?client_id={clientId}&response_type=code&scope=openid&redirect_uri={redirectURI}&state={state}`
-
-**default custom authorization server**(`{authorizationServerId}=default`): `https://{customerOktaDomain}/oauth2/default/v1/authorize?client_id={clientId}&response_type=code&scope=openid&redirect_uri={redirectURI}&state={state}`
-
-**org authorization server**:`https://{customerOktaDomain}/oauth2/v1/authorize?client_id={clientId}&response_type=code&scope=openid&redirect_uri={redirectURI}&state={state}`
-
-Make sure you only use the **org authorization server** URL.
-
-> **Notes:**
-> * When you use the org authorization server, the issuer URL is `https://{yourOktaDomain}`.
-> * The `refresh_token` option isn't supported for apps published in the OIN.
-
-### Scopes
-
-Your OIDC client needs to use scope values to define the access privileges being requested with individual access tokens. The scopes associated with access tokens determine what resources are available when the tokens are used to access the protected endpoints. You can use scopes to request that specific sets of values be available as claim information about the end user.
-
-The only scope that you must declare is `openid`. When the authentication request is sent to Okta, the `openid` scope identifies the request as being an OIDC request.
-
-Other optional scopes available (these are returned from the `/userinfo` endpoint):
-
-* `profile`: The end user's default profile claims: `name`, `family_name`, `given_name`, `middle_name`, `nickname`, `preferred_username`, `profile`, `picture`, `website`, `gender`, `birthdate`, `zoneinfo`, `locale`, and `updated_at`
-* `email`: Requests access to the `email` and `email_verified` claims
-
- > **Note:** Don't rely on the `email_verified` scope-dependent claim returned by an OIDC integration to evaluate whether a user has verified ownership of the email address associated with their profile.
-
-* `address`: Requests access to the `address` claim
-* `phone`: Requests access to the `phone_number` and `phone_number_verified` claims
-
-> **Note**: The following scopes aren't supported for integrations published in the OIN:
-> * `offline_access` scope (since refresh tokens aren't supported)
-> * Custom scopes (such as the `groups` scope). You can only request the [OIDC scopes](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#scopes). You can't configure custom scopes.
-
-Okta uses access policies to decide whether to grant scopes. If any of the requested scopes are rejected by the access policies, Okta rejects the request.
-
-### Uniform Resource Identifier (URI)
-
-There are three URIs that you need to consider when creating an OIDC app for the OIN:
-
-1. **Sign-in redirect URIs**: After the user is successfully authorized by Okta, this is the callback location where the user is directed along with the authorization code. This URI must exactly match at least one of the redirect URI values that are pre-registered in the Okta app integration settings.
-2. Optional. **Initiate login URI**: This URI is used if the app is launched from the End-User Dashboard (known as an IdP-initiated flow), and you want your Okta integration to handle redirecting your users to your app to start the sign-in request. When users click your app in their End-User Dashboard, they’re redirected to the `initiate_login_uri` of the client app, which constructs the authentication request and redirects the end user back to the authorization server. This URI must exactly match the Initiate URI value that is pre-registered in the Okta app integration settings.
-3. Optional. **Sign-out redirect URIs**: A location to send the user after a sign-out operation is performed and their session is terminated. Otherwise, the user is redirected back to the sign-in page.
-
-### Token validation
-
-For checking access tokens, the `/introspect` [endpoint](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/introspectCustomAS) takes your token as a URL query parameter and then returns a simple JSON response with the boolean `active` property.
-
-As OIN app integrations can't use custom authorization servers, you must use remote token validation (through the Introspection API endpoint) for access tokens and local validation for ID tokens.
-
-This remote validation incurs a network cost, but you can use it when you want to guarantee that the access token hasn't been revoked.
-
-> **Note:** You can't use the Okta SDKs for OIN app integration development if you need to validate access tokens with the org authorization server. This is due to the OIN restriction of using an org authorization server and the Authorization Code flow.
-
-### Key rotation
-
-The standard behavior in identity and access management is to rotate the keys used to sign tokens. Okta changes these keys typically four times a year (every 90 days), but that rotation schedule can change without notice. Okta automatically rotates the keys for your authorization server on a regular basis.
-
-Your OIDC client should periodically query the `/keys` endpoint and retrieve the JSON Web Key Set. This key set contains the public keys used to verify the signatures of the tokens received from Okta. You can cache the keys to improve performance, but be aware that verification fails when Okta automatically rotates the keys.
-
-See [key rotation](/docs/concepts/key-rotation/) or the `/keys` [API endpoint](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/oauthKeysCustomAS) for specific details on handling queries and responses.
-
-### Rate limit considerations
-
-When you construct your SSO app, be aware of the limits on requests to Okta APIs. For information on the rate-limit categories, see the [Rate limits overview](/docs/reference/rate-limits/). Okta provides three headers in each response to report on both concurrent and org-wide rate limits.
-
-For org-wide rate limits, the following three headers are provided:
-
-* `X-Rate-Limit-Limit`: The rate limit ceiling that applies to the current request
-* `X-Rate-Limit-Remaining`: The amount of requests left for the current rate-limit window
-* `X-Rate-Limit-Reset`: The time when the rate limit resets, specified in UTC epoch time
-
-To monitor org-wide rate limits, include code in your app to check the relevant headers in the response.
-
-For concurrent rate limits, the three headers behave a little differently:
-
-* When the number of unfinished requests is below the concurrent rate limit, request headers only report org-wide rate limits.
-* After you exceed a concurrent rate limit, the headers report that the limit has been exceeded.
-* When you drop back down below the concurrent rate limit, the headers switch back to reporting the time-based rate limits.
-* The first two header values are always `0` for concurrent rate limit errors. The third header reports an estimated time interval when the concurrent rate limit may be resolved.
-* The `X-Rate-Limit-Reset` time for concurrent rate limits is only a suggested value. There's no guarantee that enough requests can complete for the requests to go below the concurrent rate limit at the time indicated.
-
-The error condition resolves itself when there's another concurrent thread available. Normally no intervention is required. You may be exceeding the concurrent rate limit if you notice frequent bursts of HTTP 429 errors. Examine the activities in the log before the burst of HTTP 429 errors appeared. If you can't identify what is causing you to exceed the limit, contact [Okta Support](https://support.okta.com).
-
-You can request a temporary rate limit increase if you anticipate a large number of requests over a specified time period. Contact [Okta Support](https://support.okta.com) to open a ticket to permit the exception. See [How to Request a Temporary Rate Limit Increase](https://support.okta.com/help/s/article/How-can-we-request-to-have-the-rate-limit-for-our-org-temporarily-increased?language=en_US).
-
-> **Note:** The following public metadata endpoints aren't subjected to rate limits:
-> * `/oauth2/v1/keys`
-> * `/.well-known/openid-configuration`
-> * `/.well-known/oauth-authorization-server`
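Review bot: the removed "Token validation" and "Key rotation" sections hold the guidance on validating access tokens remotely through `/introspect`, validating ID tokens locally, and re-fetching `/keys` after rotation, and in the hunks shown here the added openidconnect/protocol-config.md covers only wizard fields. Before deleting this file, move these sections, together with the org authorization server restriction and the unsupported `offline_access` and custom scopes, to a page that survives, or link to where they now live.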
diff --git a/packages/@okta/vuepress-site/docs/guides/build-sso-integration/main/openidconnect/see-also.md b/packages/@okta/vuepress-site/docs/guides/build-sso-integration/main/openidconnect/see-also.md
deleted file mode 100644
index d78bbb117d4..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/build-sso-integration/main/openidconnect/see-also.md
+++ /dev/null
@@ -1,5 +0,0 @@
-* [OAuth 2.0 vs. OpenID Connect](/docs/concepts/oauth-openid/#oauth-2-0-vs-openid-connect)
-* [Express Configuration](/docs/guides/express-configuration/main/)
-* [Okta Developer Forum: OIDC](https://devforum.okta.com/search?q=oidc)
-* [Redirect authentication](/docs/guides/redirect-authentication/): for language and platform-specific redirect authentication guides
-* [Embedded authentication](/docs/guides/embedded-authentication/): for language, platform-specific, and embedded-authentication use case guides
\ No newline at end of file
diff --git a/packages/@okta/vuepress-site/docs/guides/build-sso-integration/main/saml2/prep.md b/packages/@okta/vuepress-site/docs/guides/build-sso-integration/main/saml2/prep.md
deleted file mode 100644
index 75ee3a08a02..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/build-sso-integration/main/saml2/prep.md
+++ /dev/null
@@ -1,32 +0,0 @@
-If you're unfamiliar with [SAML 2.0](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html), review the following Okta topics first:
-
-* [SAML concept](/docs/concepts/saml/)
-* [Okta SAML FAQs](/docs/concepts/saml/faqs/)
-
-### Use SAML toolkits
-
-To quickly build your SSO integration, use an open source or paid tool kit to implement SAML 2.0. Use these different language kits to create the Service Provider WebSSO profile:
-
-* .NET framework 4.5 or later: [Sustainsys.Saml2](https://github.com/Sustainsys/Saml2) (Kentor authentication services)
-* .NET framework 4.0 or earlier: [ComponentSpace SAML 2.0 for ASP.NET and ASP.NET Core](https://www.componentspace.com/) (paid software)
-* Java: [OpenSAML](https://wiki.shibboleth.net/confluence/display/OS30/Home) (part of the [Shibboleth Development Project](https://www.shibboleth.net/))
-* Java: [Spring Security SAML](/code/java/spring_security_saml)
-* Python: [PySAML2](/code/python/pysaml2)
-* Ruby: [Ruby-SAML](https://github.com/onelogin/ruby-saml)
-
->**Note:** Okta doesn't own or maintain these toolkits.
-
-### Gather SAML attributes
-
-Obtain SAML integration attributes before you create an app integration instance in Okta.
-
-In a SAML integration, Okta is the Identity Provider (IdP), and your app is the Service Provider (SP).
-
-1. Determine the default assertion consumer service (ACS) URL for your integration. This is often referred to as the SP sign-in URL. This is the endpoint on your app where the SAML responses are posted.
-1. Find your audience URI. This is sometimes referred to as the SP entity ID or the entity ID of your app.
-1. Set up a default relay state page, where users land after they successfully sign in to the SP using SAML. This must be a valid URL. (Optional)
-1. Gather any required SAML attributes that are relevant to the target app. You can share Okta user profile values or group memberships as SAML attributes with your app.
-
->**Notes:** Okta doesn't impose a limit on the number of attributes that you can include in a SAML assertion. However, the target app or browser may have issues or even reject large SAML payloads. Okta recommends that you keep the number of attributes to a minimum and include only those necessary for the app.
->
->SAML integrations must use SHA256 encryption for security. If you're using SHA-1 for encryption, see our guide on how to [Upgrade SAML Apps to SHA256](/docs/guides/updating-saml-cert/).
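Review bot: deleting prep.md removes the note that SAML integrations must use SHA256 rather than SHA-1 and the recommendation to include only the attributes the app needs, and neither appears in the added saml2/protocol-config.md. Carry both notes over to the new SAML steps, or link to the "Upgrade SAML Apps to SHA256" guide from there.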
diff --git a/packages/@okta/vuepress-site/docs/guides/build-sso-integration/main/saml2/see-also.md b/packages/@okta/vuepress-site/docs/guides/build-sso-integration/main/saml2/see-also.md
deleted file mode 100644
index 8d7441b0255..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/build-sso-integration/main/saml2/see-also.md
+++ /dev/null
@@ -1 +0,0 @@
-[Okta Developer Forum: SAML](https://devforum.okta.com/search?q=saml)
diff --git a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/index.md b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/index.md
index ddf0abdd632..e3fd11d9816 100644
--- a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/index.md
+++ b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/index.md
@@ -12,11 +12,13 @@ This guide explains what an app integration is, why you need one, and how to cre
* Learn about app integrations in Okta.
* Learn how to create the app integration.
+* Learn how to test your sso integration in your okta org.
#### What you need
* An [Okta Integrator Free Plan org](https://developer.okta.com/signup/).
* An admin user in the Integrator Free Plan org with either the super admin or the app and org admin roles.
+* A functional SSO integration created in accordance with the [Build a Single Sign-On integration](/docs/guides/sign-in-overview/main/) guide.
---
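Review bot: the added "What you need" bullet labels its link "Build a Single Sign-On integration" but points at `/docs/guides/sign-in-overview/main/`, and this patch deletes the build-sso-integration guide, so the label and the target need to be reconciled. In the added objective line, capitalize "SSO" and "Okta".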
@@ -50,7 +52,7 @@ The following table summarizes the key differences:
### Supported protocols
-Okta app integrations support standard protocols for both [SSO](https://developer.okta.com/docs/guides/oin-sso-overview/) and automated user provisioning:
+Okta app integrations support standard protocols for both [SSO](/docs/concepts/sso-overview/) and automated user provisioning:
* [OpenID Connect (OIDC)](https://developer.okta.com/docs/concepts/oauth-openid/): Authentication protocol based on OAuth 2.0, which enables secure SSO and supports advanced security features.
* [Security Assertion Markup Language (SAML)](https://developer.okta.com/docs/concepts/saml/): An XML-based protocol for exchanging authentication and authorization data between Okta and external apps.
@@ -89,21 +91,18 @@ Okta adds an instance of the app integration to your org, and you can now assign
### Create a custom app integration
-You can add an app integration that doesn't exist in the OIN, using the App Integration Wizard (AIW). The wizard allows you to create an app integration and connect Okta with your SAML, OIDC, SWA, or SCIM app. You can also add SCIM provisioning to a custom app integration.
+You can add an app integration that doesn't exist in the OIN, using the App Integration Wizard (AIW). The wizard allows you to create a custom app integration for your app and connect Okta with your SAML, OIDC, SWA, or SCIM app. You can also add SCIM provisioning to a custom app integration.
-1. Open the Admin Console for your org.
-2. Go to **Applications > Applications**.
-3. Click **Create App Integration**.
-4. Choose the integration type that matches your app’s requirements.
-5. Ensure that you have the following integration settings ready:
-
-
+>**Note**: As a best practice, create two or three extra admin users in your Okta org to manage the integration. This ensures that your team can access the integration for updates in the future.
-6. Create the integration. See:
+1. Open the Admin Console for your org.
+1. Go to **Applications > Applications**.
+1. Click **Create App Integration**.
+1. Select the required integration type in the **Sign in Method** section.
-After you create your integration, you can assign it to your users in your org.
+
-The integration you created is private and visible only within your own Okta org. If you want to make your app integration publicly available in the OIN, see [Publish an OIN integration](https://developer.okta.com/docs/guides/submit-app-overview/).
+>**Note:** This custom integration is only visible within your Okta org. To modify settings after creation, click **Edit** on the main app page. To configure your SP app, copy the **Metadata URL** from the **Sign On** tab, or click **More details** to manually copy individual URLs and certificates. To make your app publicly available later, see [Publish an OIN integration](/docs/guides/submit-app-overview/).
### Create an API Service Integration
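Review bot: the added note recommends creating two or three extra admin users without naming a role, while "What you need" accepts a super admin. Name the least-privileged admin role that can manage the integration so the best practice doesn't read as advice to add super admins. The second added note also packs four separate instructions into one block, and its "SP app" and **Metadata URL** wording is SAML-specific although this section covers SAML, OIDC, SWA, and SCIM.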
@@ -115,10 +114,21 @@ To build, test, and submit your API service integration to the OIN catalog. See
Once your app is set up:
-1. Assign the app to a test user or group from **Assignments**.
-2. Log in to the Okta End-User Dashboard.
-3. Click the app and verify successful redirection/authentication.
-4. Review tokens or SAML assertions using developer tools or Okta logs.
+1. Assign users:
+
+ a. Click the **Assignments** tab.
+
+ b. Click **Assign** and then select either **Assign to People** or **Assign to Groups**.
+
+ c. Enter the appropriate people or groups that you want to have Single Sign-On into your app, click **Assign** for each, verify user attributes, and select **Save and Go Back**.
+
+ d. Click **Done**.
+
+1. Test SSO: Sign in to the Okta End-User Dashboard as a test user and click the app tile.
+
+1. Verify redirection: Ensure the app-initiated flow correctly redirects back from the Okta sign-in page to your app.
+
+1. Troubleshoot: If issues occur, navigate to **Reports** > **System Log** to examine failure messages or *4XX* status codes. You can also post your questions on the [Okta Developer Forum](https://devforum.okta.com/search?q=oidc).
## See also
\ No newline at end of file
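Review bot: step 2 tests a launch from the End-User Dashboard tile, but step 3 asks the reader to verify the "app-initiated flow", which step 2 never exercises. Either add a step that starts sign-in from the app or reword step 3 to match. The removed step "Review tokens or SAML assertions using developer tools or Okta logs" has no replacement, and the troubleshooting link searches the forum for `oidc` only, although this guide also covers SAML, SWA, and SCIM.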
diff --git a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/integration.md b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/integration.md
deleted file mode 100644
index 36e296302bc..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/integration.md
+++ /dev/null
@@ -1 +0,0 @@
-[Create OpenID Connect app integrations](https://help.okta.com/okta_help.htm?type=oie&id=ext_Apps_App_Integration_Wizard-oidc)
\ No newline at end of file
diff --git a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/protocol-config.md b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/protocol-config.md
index 3b4f3762a50..bb97b410c44 100644
--- a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/protocol-config.md
+++ b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/protocol-config.md
@@ -1,6 +1,34 @@
-* App integration name
-* Controlled access
-* Sign-in redirect URIs
-* Grant types
-* Controlled access
-* Details on the sign-in initiation flow
\ No newline at end of file
+5. Choose either **Web Application** or **Single-Page Application** as the **Application type** for your integration and click **Next**.
+6. Configure the following integration settings on the **General Settings** tab:
+
+ * **App integration name** - Enter a name for your integration and (optionally) upload a logo.
+
+ * **Grant types** - Select the [grant type](/docs/guides/implement-grant-type/) for your OAuth 2.0 flow based on your app type:
+ - **Web app:**
+ - **Client credentials** (Supported for service-to-service communication when a user isn't present.)
+ - **Authorization Code** (mandatory for web platform applications)
+ - **Refresh token** (not supported for OIN app integrations)
+ - **Implicit (hybrid)** (optional) — click **Advanced** to select.
+
+ >**Note:** If you're using Classic Engine, select **Implicit (hybrid)** from the **Grant type** section.
+
+ - **SPA:**
+ - **Authorization Code**
+ - **Implicit (hybrid)** — Click **Advanced** to select.
+
+ >**Note:** For SPA app integrations, the **Authorization Code** grant type always uses PKCE to verify the client. Also, the **Client acting on behalf of itself** grant type isn't supported in OIN app integrations.
+
+ * **Sign-in redirect URIs** - Enter the absolute URIs where Okta sends OAuth responses. You can specify more than one.
+
+ * **Sign-out redirect URIs (Optional)** - Enter the URIs where Okta redirects users after sign-out.
+
+ * **Login initiation** - Configure the settings based on your sign-in initiation flow to determine how the integration appears as a tile on the Okta End-User Dashboard:
+ - If you only support direct SSO from your app, set **Login initiated by to App Only**.
+ - If you want a dashboard tile, set **Login initiated by to Either Okta or App**. This reveals the **App Embed Link** and allows you to select **Display application icon to users**.
+ - Set the **Login flow to Redirect to app to initiate login (OIDC compliant)** and provide the URI used to initiate the request.
+
+ * **Assignments** - Assign a group or leave the **Everyone** default. Ensure that the intended users are assigned to the selected group.
+7. Click **Save**.
+
+8. To build and finalize your implementation settings details, see [Create OpenID Connect app integrations](https://help.okta.com/okta_help.htm?type=oie&id=ext_Apps_App_Integration_Wizard-oidc)
+
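Review bot: **Client credentials** is listed as a supported Web app grant, yet the note under **SPA** says the **Client acting on behalf of itself** grant type isn't supported in OIN app integrations. If these refer to the same grant the two statements conflict, so say which applies and place the note next to the grant it restricts. In the **Login initiation** bullets the bold spans swallow the word "to" (`**Login initiated by to App Only**`); bold the field and the value separately. The steps are hard-numbered 5 to 8, while the parent list in index.md uses `1.` for every item.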
diff --git a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/see-also.md b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/see-also.md
index 8280c1eb922..9d46980b4c5 100644
--- a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/see-also.md
+++ b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/see-also.md
@@ -1,2 +1,2 @@
-* See [Build a SSO integration](https://developer.okta.com/docs/guides/build-sso-integration/openidconnect/main/) for information on how to make your SSO app integration publish in the OIN.
+* See [Build a SSO integration](https://developer.okta.com/docs/guides/create-an-app-integration/openidconnect/main/) for information on how to make your SSO app integration publish in the OIN.
* See [Publish an OIN integration](https://developer.okta.com/docs/guides/submit-app-overview/) for information on submitting your integration for publication in the OIN.
\ No newline at end of file
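Review bot: the replaced link still reads "Build a SSO integration" but now targets `create-an-app-integration/openidconnect/main/`, the guide this see-also.md belongs to, so the bullet sends readers to the page they are already on. Drop the bullet or retarget it, and fix "make your SSO app integration publish in the OIN" while the line is being touched.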
diff --git a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/saml2/integration.md b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/saml2/integration.md
deleted file mode 100644
index 9f4e2382aa4..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/saml2/integration.md
+++ /dev/null
@@ -1 +0,0 @@
-[Create SAML app integrations](https://help.okta.com/okta_help.htm?type=oie&id=ext_Apps_App_Integration_Wizard-saml)
\ No newline at end of file
diff --git a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/saml2/protocol-config.md b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/saml2/protocol-config.md
index 49a2f9c9966..942512aef10 100644
--- a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/saml2/protocol-config.md
+++ b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/saml2/protocol-config.md
@@ -1,6 +1,41 @@
-* App name
-* SSO URL or ACS URL
-* Audience URI (SP Entity ID)
-* Name ID format and attribute statement
-* Signed SAML assertions
-See [Application Integration Wizard SAML field reference](https://help.okta.com/okta_help.htm?type=oie&id=csh-attribute-statements-saml) for details.
+5. On the **General Settings** tab, enter a name for your integration and optionally upload a logo. You can also choose to hide the integration from your end user's Okta dashboard or mobile app. Click **Next**.
+6. On the **Configure SAML** tab, configure the following integration settings using the SAML information that you gathered when you built your integration:
+
+ * **Single sign on URL** field - Enter the Assertion Consumer Service (ACS) URL.
+
+ * **Audience URI (SP Entity ID)** field - Enter the unique identifier for your app.
+
+ > **Note:** If you're just testing your setup using a sample SAML SP (such as a sample SAML Service Provider on GitHub), enter the following test URL into the **Single sign on URL** and **Audience URI (SP Entity ID)** fields:
+
+ ```
+ http://example.com/saml/sso/example-okta-com
+ ```
+
+ * Choose the **Name ID format** and **Application username** that must be sent to your app in the SAML response (for example, `EmailAddress` and `Email`) or leave the defaults.
+
+ * **Attribute Statements (optional)** section - Enter the SAML attributes to be shared with your application. For example:
+
+ | Name (in SAML application) | Value (in Okta profile) |
+ |---|---|
+ | `FirstName` | `user.firstName` |
+ | `LastName` | `user.lastName` |
+ | `Email` | `user.email` |
+
+ * If your org uses groups to categorize users, fill in the **Group Attribute Statements (optional)** section to filter by group membership in your SAML assertion. For example:
+
+ - **Name** — `groups`
+ - **Filter** — `Matches regex`
+ - **Value** — `.*`
+
+ * Click < > **Preview the SAML Assertion** in section B to preview the generated SAML assertion.
+
+ * Click **Next**.
+
+7. On the **Feedback** tab, select how you want to position this app:
+
+ * **Internal (Private) Apps**: Select **I'm an Okta customer adding an internal app**. You can then specify the app type or indicate if the vendor needs to be contacted.
+ * **OIN-bound Apps**: If you’re an ISV, select **I'm a software vendor. I'd like to integrate my app with Okta**. This doesn’t make it public automatically. It prepares the integration for OIN submission.
+
+8. Click **Finish**.
+
+9. To build and finalize your implementation settings details, see: [Create SAML app integrations](https://help.okta.com/okta_help.htm?type=oie&id=ext_Apps_App_Integration_Wizard-saml).
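Review bot: step 6 refers to "the SAML information that you gathered when you built your integration", but this patch deletes saml2/prep.md, the file with the "Gather SAML attributes" steps, so the reference has no target. Also, the **Group Attribute Statements** example (`Matches regex` with `.*`) puts every group the user belongs to into the assertion. Show a narrower pattern, or state that `.*` is for testing only.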
diff --git a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/saml2/see-also.md b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/saml2/see-also.md
index 1d406e45e98..0d7c2753710 100644
--- a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/saml2/see-also.md
+++ b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/saml2/see-also.md
@@ -1,2 +1,4 @@
* See [Publish an OIN integration](https://developer.okta.com/docs/guides/submit-app-overview/) for information on submitting your integration for publication in the OIN.
-* See [SAML technical questions](https://developer.okta.com/docs/concepts/saml/faqs/) for answers to common questions about SAML integrations.
\ No newline at end of file
+* See [SAML technical questions](https://developer.okta.com/docs/concepts/saml/faqs/) for answers to common questions about SAML integrations.
+* For an overview of how Okta uses SAML, see the [SAML concept](/docs/concepts/saml/) topic.
+* For the SAML 2.0 specification, see the [SAML 2.0 Technical Overview](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html).
diff --git a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/scim/integration.md b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/scim/integration.md
deleted file mode 100644
index 93ad4398297..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/scim/integration.md
+++ /dev/null
@@ -1 +0,0 @@
-[Add SCIM provisioning to app integrations](https://help.okta.com/okta_help.htm?type=oie&id=ext_Apps_App_Integration_Wizard-scim)
diff --git a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/scim/protocol-config.md b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/scim/protocol-config.md
index c0b2b741c4c..1561ac4ab02 100644
--- a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/scim/protocol-config.md
+++ b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/scim/protocol-config.md
@@ -1 +1,6 @@
-Create an SSO integration that supports SCIM. See [Add SCIM provisioning to app integrations](https://help.okta.com/okta_help.htm?type=oie&id=ext_Apps_App_Integration_Wizard-scim).
\ No newline at end of file
+5. Ensure that you have the following integration settings ready:
+
+ Create an SSO integration that supports SCIM. See [Add SCIM provisioning to app integrations](https://help.okta.com/okta_help.htm?type=oie&id=ext_Apps_App_Integration_Wizard-scim).
+
+6. To build and finalize your implementation settings details, see:[Add SCIM provisioning to app integrations](https://help.okta.com/okta_help.htm?type=oie&id=ext_Apps_App_Integration_Wizard-scim)
+
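Review bot: step 5 says "Ensure that you have the following integration settings ready:" but is followed by a sentence and a link rather than a list of settings, and step 6 repeats the same link. Merge the two steps or list the SCIM settings under step 5, and add the missing space after "see:".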
diff --git a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/swa/integration.md b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/swa/integration.md
deleted file mode 100644
index 452779f04d9..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/swa/integration.md
+++ /dev/null
@@ -1 +0,0 @@
-[Create SWA app integrations](https://help.okta.com/okta_help.htm?type=oie&id=ext_Apps_App_Integration_Wizard-swa)
\ No newline at end of file
diff --git a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/swa/protocol-config.md b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/swa/protocol-config.md
index 0bfcf7b4340..33d380a6811 100644
--- a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/swa/protocol-config.md
+++ b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/swa/protocol-config.md
@@ -1,3 +1,8 @@
-* App name
-* App’s login page URL
-* Credential settings
\ No newline at end of file
+5. Ensure that you have the following integration settings ready:
+
+ * App name
+ * App’s login page URL
+ * Credential settings
+
+6. To build and finalize your implementation settings details, see: [Create SWA app integrations](https://help.okta.com/okta_help.htm?type=oie&id=ext_Apps_App_Integration_Wizard-swa)
+
diff --git a/packages/@okta/vuepress-site/docs/guides/custom-url-domain/main/index.md b/packages/@okta/vuepress-site/docs/guides/custom-url-domain/main/index.md
index 88b536b0d01..a5f461c5dcc 100644
--- a/packages/@okta/vuepress-site/docs/guides/custom-url-domain/main/index.md
+++ b/packages/@okta/vuepress-site/docs/guides/custom-url-domain/main/index.md
@@ -110,7 +110,7 @@ The third generation of the Okta Sign-In Widget doesn’t guarantee the stabilit
* Okta supports 2048, 3072, and 4096-bit keys for the private key that you upload. However, your certificate chain can use keys of any size.
-* If you configure any SAML or WS-Fed integrated apps in your org, review the setup instructions for [SAML SSO](/docs/guides/build-sso-integration/saml2/main/) or [WS-Fed SSO](https://help.okta.com/okta_help.htm?id=ext_Apps_Configuring_WS_Federation). Update those SAML or WS-Fed Service Provider integrations to use the new custom URL in the metadata. Your customers then see the new custom domain rather than the Okta org domain.
+* If you configure any SAML or WS-Fed integrated apps in your org, review the setup instructions for [SAML SSO](/docs/guides/create-an-app-integration/saml2/main/) or [WS-Fed SSO](https://help.okta.com/okta_help.htm?id=ext_Apps_Configuring_WS_Federation). Update those SAML or WS-Fed Service Provider integrations to use the new custom URL in the metadata. Your customers then see the new custom domain rather than the Okta org domain.
* If you sign a user in with your new custom domain, they may need to sign in more than once. If your user tries to SSO into previous OIDC integrations that are made with the org domain, they're prompted to sign in again. To avoid this, you need to change the issuer in these integrations to your custom URL in both the Okta dashboard and your codebase.
diff --git a/packages/@okta/vuepress-site/docs/guides/index.md b/packages/@okta/vuepress-site/docs/guides/index.md
index c7dbaf7e7d8..11a9f99008c 100644
--- a/packages/@okta/vuepress-site/docs/guides/index.md
+++ b/packages/@okta/vuepress-site/docs/guides/index.md
@@ -90,13 +90,11 @@ guides:
- secure-hooks
- single-logout
- signup-oktahosted
- - build-sso-integration
- custom-sms-messaging
- submit-app
- submit-app-prereq
- submit-oin-app
- update-oin-app
- - add-private-app
- deployment-checklist
- deploy-your-app
- dpop
@@ -297,7 +295,7 @@ You can publish your integration in the Okta Integration Network (OIN) catalog t
If you're creating an Okta integration for the first time, Okta recommends the following sequence of guides:
1. [OIN landing](/docs/guides/okta-integration-network/)
-1. [Overview of Single Sign-On in the OIN](/docs/guides/oin-sso-overview/)
+1. [What is Single Sign-On (SSO)?](/docs/concepts/sso-overview/)
1. [Overview of lifecycle management in the OIN](/docs/guides/oin-lifecycle-mgmt-overview/)
1. [Overview of API service apps in the OIN](/docs/guides/oin-api-service-overview/)
1. [OIN submission requirements](/docs/guides/submit-app-prereq/)
diff --git a/packages/@okta/vuepress-site/docs/guides/oin-sso-overview/index.md b/packages/@okta/vuepress-site/docs/guides/oin-sso-overview/index.md
deleted file mode 100644
index e5cbf6f92b7..00000000000
--- a/packages/@okta/vuepress-site/docs/guides/oin-sso-overview/index.md
+++ /dev/null
@@ -1,108 +0,0 @@
----
-title: Overview of Single Sign-On in the OIN
-meta:
- - name: description
- content: Provides a high level overview of Single Sign-On app integrations for the Okta Integration Network.
----
-
-The Okta Integration Network (OIN) is a collection of over 7000 pre-built app integrations to connect and exchange secure authentication between users, devices, and apps. Customers can easily integrate Okta Single Sign-On (SSO) to apps with a guided experience that still supports the most secure configuration options.
-
-To get your app integration into the OIN:
-
-1. [Build an app integration](/docs/guides/build-sso-integration/) using a free [Okta Integrator Free Plan org](https://developer.okta.com/signup/) and any of the wide array of [languages and libraries](/code/) supported by Okta.
-1. [Submit your app](/docs/guides/submit-app-overview/) integration for verification and approval by the Okta OIN team.
-
-Your integration is available in the OIN for the Okta community to use after Okta validates and publishes your app integration.
-
-After your customer adds your SSO app integration to their Okta org, their workforce can use their company-issued Okta credentials to securely access your app. In addition to email-password credentials, your customers can control their authentication experience with Okta sign-on policies and features. See the [Multifactor Authentication](https://help.okta.com/okta_help.htm?id=ext_MFA) and [Okta FastPass](https://help.okta.com/okta_help.htm?type=oie&id=ext-fp-enable) features.
-
-## Why build an SSO integration with Okta?
-
-| | |
-| ------ | ------ |
-| **Enhance security** | Integrating with Okta allows your customers to manage password strength and configure access policies for your apps. For example, they may require employees to use multifactor authentication (such as a push notification to their phone or SMS) to access your apps from an unknown device. |
-| **Deliver a strong end user access experience** | Take away all the friction of managing usernames and passwords. After users authenticate through Okta, they can access your apps with a single click. |
-| **Enterprise ready** | Your customers have a growing set of compliance needs that are continuously evolving. An Okta app integration helps you meet compliance and audit requirements and shortens sales cycles. |
-| **Ease of adoption** | Your customers can add SSO to your OIN-published app integration with minimal effort. They use Okta to add and configure your app integration into their identity ecosystem without extensive support from your customer service resources. Their workforce can access your app within hours of configuring the integration and policies. |
-
-## Choose your SSO protocol
-
-Okta supports two protocols for handling federated SSO: OpenID Connect (OIDC) and Security Assertion Markup Language (SAML). The SSO protocol that you choose to implement your app integration with is based on your app and use case. For new app integrations, OIDC is recommended.
-
-| |  OIDC |  SAML |
-| ------ | :------------------- | :----------------------- |
-| **Description** | [OpenID Connect](/docs/concepts/oauth-openid/#openid-connect) extends OAuth 2.0 to provide an ID token that can be used to verify a user’s identity and sign them in to a cloud-based app. It's quickly becoming the new standard for SSO. | [Security Assertion Markup Language (SAML)](/docs/concepts/saml) is a traditional enterprise protocol for SSO in web apps. Okta supports SAML 2.0. |
-| **Benefits** | - A newer protocol with widespread and growing use
- Best Okta customer configuration experience
- Ideal for mobile and cloud apps
| - Many people are familiar with SAML because it's an older protocol
- Widely used federation protocol for SSO in web apps
- Many SaaS providers support SAML integration to grant SSO access to end users
|
-| **Technology** | - An identity layer on top of the [OAuth 2.0](https://oauth.net/2/) protocol
- Verifies end user identity and obtains profile information
- Lightweight and REST-based
| - XML-based messages
- The specification doesn’t have user consent, although it can be built into the flow
|
-| **Resources** | - [OpenID Connect Foundation](https://openid.net/connect/)
| - [SAML 2.0 Technical Overview](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html)
|
-| **Get started** | - [Build an Okta SSO integration with OIDC](/docs/guides/build-sso-integration/openidconnect/main/)
| - [Build an Okta SSO integration with SAML](/docs/guides/build-sso-integration/saml2/main/)
|
-
-> **Note:** For specific OIDC and SAML protocol features not supported in the OIN, see [OIN submission limitations](/docs/guides/submit-app-prereq/main/#oin-limitations).
-
-### Okta organization and multi-tenancy
-
-In a typical scenario, your app relies on Okta to act as a multi-tenant Identity Provider (IdP) for your customers' Okta orgs. An [Okta org](/docs/concepts/okta-organizations/) acts as a container that sets hard boundaries for all users, apps, and other entities that are associated with a single customer. This provides tenant-based isolation. In developing your SSO app integration, the customer’s Okta org serves as the authorization server (OIDC) or as the IdP (SAML).
-
-#### Tenants in Okta
-
-Within Okta, the concept of a tenant is instantiated as an Okta org. The org is the home for all user identity and access management, such as user store, handling connections, and mapping profile information. Your Okta org is used to authenticate your users for your apps.
-
-In Google Cloud products, the user identity is globally unique across the entire identity namespace through their email address. By contrast, in Okta the unique identity concept is specific to just within the tenant used to authenticate and authorize. Code your app so that it's aware of what tenant is being used to authenticate that user.
-
-As an example, `alice.doe@example.com` is a registered Okta user in both company 1 and company 2 Okta tenants, accessed at `https://company1.okta.com` and `https://company2.okta.com`. Your app aims to provide different services for users that are specific to each tenant. You can't assume that the user information is identical for a given user across both tenants. Your app needs to manage user credentials to identify each unique combination of user and tenant.
-
-Okta orgs host their interfaces through individual subdomains and each org is assigned a separate URL. The typical org URL is the tenant name (the subdomain) followed by the domain name. However, you can customize the domain name for your own domain and add individual aliases for each of your tenants.
-
-> **Note:** The process for specifying the variable app instance names in an OIDC app is explained in [Submit an SSO integration with the OIN Wizard: Integration variables](/docs/guides/submit-oin-app/openidconnect/main/#tenant-settings).
-
-## Use case examples
-
-### Example of a partner integration journey with Okta
-
-Erika is an app developer at Acme, a technology partner with Okta. Acme is looking to use the OIN as a way for their customers to adopt and incorporate Acme’s app to the customer’s existing Okta tenant. This allows Acme’s customers to add Acme’s app to their existing identity infrastructure with minimal integration resources.
-
-Erika performs the following tasks:
-
-* Builds the Acme-Okta integration, doing the heavy lifting so that their customers don’t have to
-* Documents the required configuration steps for the customer admin
-* Submits the app integration and corresponding documentation for the Okta OIN team to verify and review
-
-After approval, Acme’s app is published to the OIN. With a pre-built Acme-Okta integration, Acme avoids the extra support staff required for each individual customer integration.
-
-### Example of an identity admin journey with Okta
-
-Ali is an IT admin at Initech. Initech is looking to add Acme's app into their existing Okta identity infrastructure.
-
-Ali performs the following tasks:
-
-* Finds the Acme app in the OIN catalog. Since Acme is in the OIN, Ali knows that he can trust Acme to be securely incorporated into their existing Okta-managed SSO with minimal effort.
-* Adds the Acme app integration from the Admin Console
-* Follows the instructions provided by Acme to configure the app integration
-* Configures the Okta app sign-in policy and the group of Initech employees who have access to the Acme app
-* Tests signing in to the Acme app with existing Okta credentials to verify the authentication flow
-
-Initech's group of employees with privileges can sign in to the Acme app with their existing Okta credentials. No additional Acme app registration is required.
-
-### Example of an enterprise user Single Sign-On journey with Okta
-
-Ramon is an Initech employee with access to the Acme app. Follow his SSO journey:
-
-* Ramon starts his work day. In his web browser, he clicks the Okta browser extension and selects his email app, which loads in a new tab.
-* Initech has an Okta global session policy, which requires each employee to verify their identity every 12 hours. Since it’s been more than 12 hours since he last worked, Ramon is prompted to enter his Okta username and password.
-* Initech has also enabled Okta multifactor authentication. After Ramon successfully entered his credentials, a push notification is sent to the Okta Verify app on his phone. Ramon taps his phone to verify his identity. He can now access his email.
-* Next, Ramon goes to his Okta browser extension and selects the Acme app. Since he started a session less than 12 hours ago, he has access to the app without needing to sign in again. Ramon can access all the Okta-integrated apps that he has privileges to without signing in again because he already has an authenticated session with Okta.
-
-## Next steps
-
-Ready to get started? Choose how you want to implement your SSO app integration:
-
-
-Build an Okta SSO integration with OIDC
-
-Build an Okta SSO integration with SAML
-
-
-
-After your app integration is built, [submit the integration](/docs/guides/submit-app-overview/) to the Okta OIN team for verification and publication.
-
-Want to automate even more for your customers and increase adoption of your product? Learn more about [lifecycle management integration](/docs/guides/oin-lifecycle-mgmt-overview/) in the OIN.
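Review bot: Deleting this page removes the "Tenants in Okta" and "Choose your SSO protocol" sections, and the hunks shown here don't confirm that their new targets exist. Other hunks in this patch repoint links to `/docs/concepts/multi-tenancy/#tenants-in-okta` and `/docs/concepts/sso-overview/#choose-your-sso-protocol`. Please confirm that both anchors exist. Also confirm that the tenant guidance (a user identity is unique only within a tenant, so the app must key on user plus tenant) is carried over, and add a redirect for `/docs/guides/oin-sso-overview/` so existing inbound links don't 404.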
diff --git a/packages/@okta/vuepress-site/docs/guides/saml-tracer/main/index.md b/packages/@okta/vuepress-site/docs/guides/saml-tracer/main/index.md
index 17cf7057566..d68d7b89357 100644
--- a/packages/@okta/vuepress-site/docs/guides/saml-tracer/main/index.md
+++ b/packages/@okta/vuepress-site/docs/guides/saml-tracer/main/index.md
@@ -15,7 +15,7 @@ This guide explains how to test a SAML app implementation with the SAML-tracer b
#### What you need
-A SAML app to test. See [Prepare a SAML integration](/docs/guides/build-sso-integration/saml2/main/#prepare-a-saml-integration).
+A SAML app to test. See [Prepare a SAML integration](/docs/guides/create-an-app-integration/saml2/main/#prepare-a-saml-integration).
---
@@ -255,4 +255,4 @@ SAML responses are signed and contain the profile attributes of the person who r
* [SAML overview](https://developer.okta.com/docs/concepts/saml/)
* [SAML FAQ](https://developer.okta.com/docs/concepts/saml/faqs/)
-* [Prepare a SAML integration](/docs/guides/build-sso-integration/saml2/main/#prepare-a-saml-integration)
+* [Prepare a SAML integration](/docs/guides/create-an-app-integration/saml2/main/#prepare-a-saml-integration)
diff --git a/packages/@okta/vuepress-site/docs/guides/scim-provisioning-integration-overview/main/index.md b/packages/@okta/vuepress-site/docs/guides/scim-provisioning-integration-overview/main/index.md
index 020969d9d3b..143b04e9bd4 100644
--- a/packages/@okta/vuepress-site/docs/guides/scim-provisioning-integration-overview/main/index.md
+++ b/packages/@okta/vuepress-site/docs/guides/scim-provisioning-integration-overview/main/index.md
@@ -33,7 +33,7 @@ If you need more detail on the concepts behind lifecycle management with SCIM an
While many ISVs have custom APIs for managing user accounts, this guide assumes that you use the [System for Cross-domain Identity Management](https://scim.cloud) (SCIM) protocol. The SCIM protocol is an industry standard that supports all the needed features for lifecycle provisioning. For more technical details on how you can take advantage of the SCIM API with Okta, see our [SCIM Protocol reference](https://developer.okta.com/docs/api/openapi/okta-scim/guides/).
-Your Okta integration should use Single Sign-On (SSO) to initiate end user authentication. Learn how to set up your integration with SSO in our [Build a Single Sign-On (SSO) integration](/docs/guides/build-sso-integration/) guide.
+Your Okta integration should use Single Sign-On (SSO) to initiate end user authentication. Learn how to set up your integration with SSO in our [Build a Single Sign-On (SSO) integration](/docs/guides/sign-in-overview/main/) guide.
## Guides
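Review bot: The link text on the changed line still reads "Build a Single Sign-On (SSO) integration", but it now points to `/docs/guides/sign-in-overview/main/`, which the what-need.md hunks in this same patch call "Sign users in overview". Update the link text to match the target's title, or point at a page that actually covers building an SSO integration, so readers land where the sentence says they will.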
diff --git a/packages/@okta/vuepress-site/docs/guides/sign-in-overview/main/index.md b/packages/@okta/vuepress-site/docs/guides/sign-in-overview/main/index.md
index 3197741df9b..7bfdffb5bb3 100644
--- a/packages/@okta/vuepress-site/docs/guides/sign-in-overview/main/index.md
+++ b/packages/@okta/vuepress-site/docs/guides/sign-in-overview/main/index.md
@@ -54,4 +54,3 @@ If you’re a Classic Engine customer who wants to upgrade their apps to use Ide
* [Add an external identity provider](/docs/guides/identity-providers/)
* [Configure an access policy](/docs/guides/configure-access-policy/main/)
* [Configure a global session policy and app sign-in policies](/docs/guides/configure-signon-policy/main/)
-* [Build a Single Sign-On (SSO) integration](/docs/guides/build-sso-integration/openidconnect/main/)
diff --git a/packages/@okta/vuepress-site/docs/guides/submit-app-prereq/main/index.md b/packages/@okta/vuepress-site/docs/guides/submit-app-prereq/main/index.md
index b30f469b0ec..9b5f941ba54 100644
--- a/packages/@okta/vuepress-site/docs/guides/submit-app-prereq/main/index.md
+++ b/packages/@okta/vuepress-site/docs/guides/submit-app-prereq/main/index.md
@@ -45,7 +45,7 @@ Your app integration must support multi-tenancy to be listed in the public OIN c
What does this mean?
-Multi-tenancy in the OIN refers to the concept that as an ISV, you support several instances of your app. Each app instance has a unique credential system for each of your customers. An instance of an app that contains the infrastructure to support a group of users is considered a tenant. See [Tenants in Okta](/docs/guides/oin-sso-overview/#tenants-in-okta).
+Multi-tenancy in the OIN refers to the concept that as an ISV, you support several instances of your app. Each app instance has a unique credential system for each of your customers. An instance of an app that contains the infrastructure to support a group of users is considered a tenant. See [Tenants in Okta](/docs/concepts/multi-tenancy/#tenants-in-okta).
Provide a method for each of your customer tenants to uniquely connect to their Okta org. This allows your customers to find your app integration from the OIN catalog in their own Okta org. Then, they can instantiate the app integration with their unique tenant credentials, either with your support or on their own.
@@ -67,6 +67,12 @@ The following multi-tenant example assumes that your Okta app integration suppor
* Similarly, customer B instantiates your OIDC app integration in their Okta org and obtains their unique client ID and secret. They then sign in to their account on your app platform. They use their client ID, client secret, and Okta domain (for the issuer URL) to enable SSO without any assistance from you.
* Each customer enables SSO to your app for their users in a separate credential system with their Okta org. Because you've created a self-service portal that allows your customers to enable SSO by themselves, you save resources and provide autonomy to your customers.
+#### Rate limit considerations
+
+When you construct your SSO app, be aware of the limits on requests to Okta APIs. Okta provides headers in each response to report on both concurrent and org-wide rate limits. To monitor org-wide rate limits, include code in your app to check the relevant headers in the response.
+
+For information on the rate-limit categories, including which public metadata endpoints aren't subject to rate limits, see the [Rate limits overview](/docs/reference/rate-limits/). For details on response headers, troubleshooting HTTP 429 errors, and requesting a temporary rate limit increase, see [Monitor and troubleshoot rate limits](/docs/reference/rl2-monitor/).
+
## OIN Wizard requirements
The OIN Wizard is only available in Integrator Free Plan orgs.
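Review bot: "Check the relevant headers in the response" in the new Rate limit considerations section doesn't name the headers or say what the app should do with them. Name them here, or link straight to the header section of `/docs/reference/rl2-monitor/` rather than the page top, and add one sentence on the expected behaviour when an HTTP 429 is returned. The concurrent-limit text added later in this patch says `X-Rate-Limit-Reset` is only a suggested value, which is worth flagging for integrators who plan to retry at that time.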
@@ -78,7 +84,9 @@ To access the OIN Wizard and the **Your OIN Integrations** dashboard in your org
* You must have either the super admin or the app and org admin [roles](https://help.okta.com/okta_help.htm?type=oie&id=ext-administrators-admin-comparison) assigned to you.
* Use your company domain email as your username for your Okta admin account (submissions from a personal email account aren't reviewed).
-> **Note:** The app admin role enables you to view and edit details in the OIN Wizard. For OIN Wizard testing, you must have both the app admin and the org admin roles assigned to you. The super admin role gives you access to all functionality in the OIN Wizard.
+> **Notes:**
+> The app admin role enables you to view and edit details in the OIN Wizard. For OIN Wizard testing, you must have both the app admin and the org admin roles assigned to you. The super admin role gives you access to all functionality in the OIN Wizard.
+> You can't use the Okta SDKs to validate access tokens for apps in the OIN. This is due to the OIN restriction of using an org authorization server and the Authorization Code flow.
### OIN Wizard test requirements
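Review bot: The two lines under `> **Notes:**` have no list markers and no blank `>` line between them, so Markdown renders them as one run-on paragraph. The multi-note block in protocol-supported.md uses `> * ` bullets; use the same form here. The second note also repeats, nearly word for word, the sentence this patch adds under the OIDC limitations, and its reason ("due to the OIN restriction of using an org authorization server and the Authorization Code flow") doesn't tell the reader what to do instead. Consider keeping it in one place and pointing to the supported way to validate tokens.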
@@ -528,9 +536,21 @@ You can't publish integrations with the following Okta features in the OIN catal
In addition to the general OIN limitations, the following are limitations specific to OIDC or OAuth 2.0 integrations:
-* You can't use a [custom authorization server](/docs/concepts/auth-servers/#custom-authorization-server) that includes the `default` server for an OIDC or API service integration. You can only use the [org authorization server](/docs/concepts/auth-servers/#org-authorization-server).
+* When you create your app integration in your Okta org, select **Web Application** as the OIDC app type.
+
+* Native and mobile app integrations aren't accepted as OIDC app integrations in the OIN unless they use server-side authentication patterns. Set up your app to use an authentication flow that allows your client app to talk to your SaaS backend. Your SaaS backend can then securely communicate with Okta through trusted back-channel connections. See [Implement the authorization code flow](/docs/guides/implement-grant-type/authcode/main/).
-* You can't use the Okta SDKs to validate access tokens with the [org authorization server](/docs/concepts/auth-servers/#org-authorization-server).
+* The Implicit flow isn't recommended for token exchange in web apps. If your use case requires the use of an Implicit flow for token exchange, contact [Okta Support](https://support.okta.com).
+
+* You can't use a [custom authorization server](/docs/concepts/auth-servers/#custom-authorization-server) that includes the `default` server for an OIDC or API service integration. You can only use the [org authorization server](/docs/concepts/auth-servers/#org-authorization-server). The following are the various `/authorize` request URLs for the different authorization servers:
+
+ * **custom authorization server**: `https://{customerOktaDomain}/oauth2/{authorizationServerId}/v1/authorize?client_id={clientId}&response_type=code&scope=openid&redirect_uri={redirectURI}&state={state}`
+ * **default custom authorization server** (`{authorizationServerId}=default`): `https://{customerOktaDomain}/oauth2/default/v1/authorize?client_id={clientId}&response_type=code&scope=openid&redirect_uri={redirectURI}&state={state}`
+ * **org authorization server**: `https://{customerOktaDomain}/oauth2/v1/authorize?client_id={clientId}&response_type=code&scope=openid&redirect_uri={redirectURI}&state={state}`
+
+ Make sure that you only use the **org authorization server** URL. When you use the org authorization server, the issuer URL is `https://{yourOktaDomain}`.
+
+* You can't use the Okta SDKs to validate access tokens with the [org authorization server](/docs/concepts/auth-servers/#org-authorization-server). This is due to the OIN restriction of using an org authorization server and the Authorization Code flow.
* Refresh tokens aren't supported for SSO OIDC integrations published in the OIN.
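Review bot: The three `/authorize` examples use `{customerOktaDomain}`, but the closing sentence gives the issuer as `https://{yourOktaDomain}`. In a multi-tenant OIN integration the issuer comes from each customer's Okta domain (the multi-tenant example earlier in this file says customers supply their Okta domain for the issuer URL), so use one placeholder in both places to avoid implying a single fixed issuer. Also consider dropping the two custom authorization server URLs or marking them clearly as not allowed, since they sit directly under a "you can't use" bullet and are easy to copy by mistake.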
@@ -556,6 +576,8 @@ In addition to the general OIN limitations, the following are limitations specif
* SP-initiated Single Logout (SLO) isn’t supported.
+The OIN Wizard doesn't accept new SSO integrations with more than three app instance variables or advanced SAML features. For these new integrations, add a [private SSO integration](/docs/guides/add-private-app/) with the Application Integration Wizard (AIW) in your Okta org instead.
+
The OIN team maintains existing SAML integrations with advanced features not supported in the OIN Wizard. If you need to update your existing advanced SAML integration, contact the OIN team at .
### SCIM integration limitations
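Review bot: The added paragraph links to `/docs/guides/add-private-app/`, but the docs/guides/index.md hunk in this same patch removes `add-private-app` from the guides list. Confirm that the guide still builds and is reachable at that path after this change. If it is being retired along with `build-sso-integration`, point this link at its replacement.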
diff --git a/packages/@okta/vuepress-site/docs/guides/submit-oin-app/main/openidconnect/protocol-supported.md b/packages/@okta/vuepress-site/docs/guides/submit-oin-app/main/openidconnect/protocol-supported.md
index de16ba3806b..0d8286e25f7 100644
--- a/packages/@okta/vuepress-site/docs/guides/submit-oin-app/main/openidconnect/protocol-supported.md
+++ b/packages/@okta/vuepress-site/docs/guides/submit-oin-app/main/openidconnect/protocol-supported.md
@@ -12,6 +12,8 @@ This guide covers submissions that use the following protocols and integrations:
* [Universal Logout](/docs/guides/oin-universal-logout-overview/)
+See [Choose your SSO protocol](/docs/concepts/sso-overview/#choose-your-sso-protocol) for help choosing the right protocol for your app integration.
+
> **Notes:**
> * Universal Logout integrations are only supported for the SAML 2.0 and OIDC protocols. If you want to submit a Universal Logout integration with SCIM provisioning, you must also submit an SSO integration with either SAML 2.0 or OIDC.
> * Entitlement Management is supported for integrations that manage entitlements through a SCIM server.
diff --git a/packages/@okta/vuepress-site/docs/guides/submit-oin-app/main/openidconnect/what-need.md b/packages/@okta/vuepress-site/docs/guides/submit-oin-app/main/openidconnect/what-need.md
index 37828ef0352..67f8eba634f 100644
--- a/packages/@okta/vuepress-site/docs/guides/submit-oin-app/main/openidconnect/what-need.md
+++ b/packages/@okta/vuepress-site/docs/guides/submit-oin-app/main/openidconnect/what-need.md
@@ -1,3 +1,3 @@
-* A functional integration that's based on the [Build a Single Sign-On integration](/docs/guides/build-sso-integration/) or [Build a SCIM provisioning integration](/docs/guides/scim-provisioning-integration-overview/main/) guide
+* A functional integration that's based on the [Sign users in overview](/docs/guides/sign-in-overview/main/)
* Google Chrome browser with the Okta Browser Plugin installed (see [OIN Wizard requirements](/docs/guides/submit-app-prereq/main/#oin-wizard-requirements))
\ No newline at end of file
diff --git a/packages/@okta/vuepress-site/docs/guides/submit-oin-app/main/saml2/what-need.md b/packages/@okta/vuepress-site/docs/guides/submit-oin-app/main/saml2/what-need.md
index 37828ef0352..67f8eba634f 100644
--- a/packages/@okta/vuepress-site/docs/guides/submit-oin-app/main/saml2/what-need.md
+++ b/packages/@okta/vuepress-site/docs/guides/submit-oin-app/main/saml2/what-need.md
@@ -1,3 +1,3 @@
-* A functional integration that's based on the [Build a Single Sign-On integration](/docs/guides/build-sso-integration/) or [Build a SCIM provisioning integration](/docs/guides/scim-provisioning-integration-overview/main/) guide
+* A functional integration that's based on the [Sign users in overview](/docs/guides/sign-in-overview/main/)
* Google Chrome browser with the Okta Browser Plugin installed (see [OIN Wizard requirements](/docs/guides/submit-app-prereq/main/#oin-wizard-requirements))
\ No newline at end of file
diff --git a/packages/@okta/vuepress-site/docs/guides/submit-oin-app/main/scim/what-need.md b/packages/@okta/vuepress-site/docs/guides/submit-oin-app/main/scim/what-need.md
index a42ab223e93..53bcd171dc6 100644
--- a/packages/@okta/vuepress-site/docs/guides/submit-oin-app/main/scim/what-need.md
+++ b/packages/@okta/vuepress-site/docs/guides/submit-oin-app/main/scim/what-need.md
@@ -1,3 +1,3 @@
* Google Chrome browser with the Okta Browser Plugin installed (see [OIN Wizard requirements](/docs/guides/submit-app-prereq/main/#oin-wizard-requirements))
-* A functional integration that's based on the [Build a SCIM provisioning integration](/docs/guides/scim-provisioning-integration-overview/main/) and the [Build a Single Sign-On integration](/docs/guides/build-sso-integration/) guide
\ No newline at end of file
+* A functional integration that's based on the [Build a SCIM provisioning integration](/docs/guides/scim-provisioning-integration-overview/main/) and the [Sign users in overview](/docs/guides/sign-in-overview/main/) guide.
\ No newline at end of file
diff --git a/packages/@okta/vuepress-site/docs/guides/updating-saml-cert/main/index.md b/packages/@okta/vuepress-site/docs/guides/updating-saml-cert/main/index.md
index 941ab624a98..a6a944b7604 100644
--- a/packages/@okta/vuepress-site/docs/guides/updating-saml-cert/main/index.md
+++ b/packages/@okta/vuepress-site/docs/guides/updating-saml-cert/main/index.md
@@ -15,7 +15,7 @@ Upgrade Okta SAML apps from using SHA1 certificates to more secure SHA256 certif
#### What you need
-A SAML app to upgrade. See [Building a SAML SSO integration](/docs/guides/build-sso-integration/saml2/main/#prepare-your-integration).
+A SAML app to upgrade. See [Building a SAML SSO integration](/docs/guides/create-an-app-integration/saml2/main/#prepare-your-integration).
---
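Review bot: The new link targets `/docs/guides/create-an-app-integration/saml2/main/#prepare-your-integration`, while the saml-tracer hunks in this patch link to the same page with `#prepare-a-saml-integration`. Only one of these fragments is likely to exist on the target page. Verify the heading there and use the same anchor in both guides.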
@@ -300,4 +300,4 @@ Response:
* [SAML overview](https://developer.okta.com/docs/concepts/saml/)
* [SAML FAQ](https://developer.okta.com/docs/concepts/saml/faqs/)
-* [Building a SAML SSO integration](https://developer.okta.com/docs/guides/build-sso-integration/saml2/before-you-begin/)
+* [Building a SAML SSO integration](https://developer.okta.com/docs/guides/create-an-app-integration/saml2/main/)
diff --git a/packages/@okta/vuepress-site/docs/reference/org-defaults/index.md b/packages/@okta/vuepress-site/docs/reference/org-defaults/index.md
index 7d207d1de5a..9216492db0c 100644
--- a/packages/@okta/vuepress-site/docs/reference/org-defaults/index.md
+++ b/packages/@okta/vuepress-site/docs/reference/org-defaults/index.md
@@ -24,7 +24,7 @@ The Integrator Free Plan org is provisioned with the features in the following t
| Feature | Description |
|---------------------------------------------|------------------------------------------------|
-| SSO (Single Sign-On) | Provides capabilities to incorporate SSO authentication for your users. See [Build a Single Sign-On (SSO) Integration](/docs/guides/build-sso-integration/-/main/). |
+| SSO (Single Sign-On) | Provides capabilities to incorporate SSO authentication for your users. See [Build a Single Sign-On (SSO) Integration](/docs/guides/sign-in-overview/main/). |
| UD (Universal Directory) | Stores and manages your user information. See [What is the Okta Universal Directory](/docs/concepts/user-profiles/#what-is-the-okta-universal-directory). |
| AMFA (Adaptive Multifactor Authentication) | Provides capabilities to implement authentication based on risk. See [Authentication factors](/docs/concepts/iam-overview-authentication-factors/). |
| LCM (Lifecycle Management) | Manages the process of access to apps and resources over the lifecycle of a user. See [Overview of lifecycle management in the OIN](/docs/guides/oin-lifecycle-mgmt-overview/). |
diff --git a/packages/@okta/vuepress-site/docs/reference/rate-limits/index.md b/packages/@okta/vuepress-site/docs/reference/rate-limits/index.md
index 545dfe7cd62..26a98080d61 100644
--- a/packages/@okta/vuepress-site/docs/reference/rate-limits/index.md
+++ b/packages/@okta/vuepress-site/docs/reference/rate-limits/index.md
@@ -31,6 +31,12 @@ Buckets scoped to authenticated users are independent and not nested under any o
A bucket’s quota can vary based on several factors, including—but not limited to—the type of service subscription (for example, Workforce versus Customer Identity), the HTTP method used (for example, GET versus POST), the number of licenses purchased, and any applicable add-ons, such as DynamicScale. If the quota is exceeded within the time window, further requests are rejected with an HTTP 429 Too Many Requests response until the quota resets.
You can monitor rate limit usage through the rate limit dashboard, System Log, or by inspecting the rate limiting headers included in API responses. See [Monitor and troubleshoot rate limits](/docs/reference/rl2-monitor/).
+>**Note:** The following public metadata endpoints aren't subject to rate limits:
+>
+>* `/oauth2/v1/keys`
+>* `/.well-known/openid-configuration`
+>* `/.well-known/oauth-authorization-server`
+
## How rate limiting works
The logic behind the Okta implementation of rate limits can be summarized in the following steps:
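Review bot: The exempt list in the new note names `/oauth2/v1/keys` only, which is the org authorization server path. The submit-app-prereq hunk in this patch shows custom authorization servers under `/oauth2/{authorizationServerId}/v1/...`, so state whether the keys and `.well-known` endpoints of custom authorization servers are also exempt, otherwise readers will assume they are. Style nit: `>**Note:**` is missing the space after `>` that the other notes in this patch use.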
diff --git a/packages/@okta/vuepress-site/docs/reference/rl2-monitor/index.md b/packages/@okta/vuepress-site/docs/reference/rl2-monitor/index.md
index a4e9082cfc4..4b1ac33bc7d 100644
--- a/packages/@okta/vuepress-site/docs/reference/rl2-monitor/index.md
+++ b/packages/@okta/vuepress-site/docs/reference/rl2-monitor/index.md
@@ -66,7 +66,7 @@ The **Overview** tab is your monitoring hub. Use it to scan for issues or drill
* Top offenders: A bar graph shows the top five APIs with the most rate limit events.
* Rate Limit Buckets table: Each bucket is listed with current rate limits (including overrides and multipliers), recent events, and a usage trend line for the last hour.
-You can hover to reveal detailed data points, click on a rate limit bucket to see deeper metrics and historical usage, or filter by time period, multiplier status, or event type.
+You can hover to reveal detailed data points, select a rate limit bucket to see deeper metrics and historical usage, or filter by time period, multiplier status, or event type.
@@ -76,7 +76,7 @@ You can hover to reveal detailed data points, click on a rate limit bucket to se
### Events graph
-The event count graph plots the number of violations, bursts, and warnings over the selected time period, which can be the last 24 hours, the last seven days, last month, or the last three months. The events by API bar graph shows the top five number of events by API over the same time period.
+The event count graph plots the number of violations, bursts, and warnings over the selected time period, which can be the last 24 hours, the last seven days, last month, or the last three months. The `events by API` bar graph shows the top five number of events by API over the same time period.
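Review bot: The changed line wraps the graph name in backticks (`events by API`), which marks it as code. Other UI labels in this patch are bold (for example **Overview** and **Web Application**), so use bold here and match the capitalization shown in the dashboard.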
@@ -195,6 +195,16 @@ Okta provides several tools to give you real-time visibility into your rate limi
+For concurrent rate limits, these headers behave a little differently:
+
+* When the number of unfinished requests is below the concurrent rate limit, request headers only report org-wide rate limits.
+* After you exceed a concurrent rate limit, the headers report that the limit has been exceeded.
+* When you drop back down below the concurrent rate limit, the headers switch back to reporting the time-based rate limits.
+* The first two header values are always `0` for concurrent rate limit errors. The third header reports an estimated time interval when the concurrent rate limit may be resolved.
+* The `X-Rate-Limit-Reset` time for concurrent rate limits is only a suggested value. There's no guarantee that enough requests can complete for the requests to go below the concurrent rate limit at the time indicated.
+
+The error condition resolves itself when there's another concurrent thread available. Normally no intervention is required. You may be exceeding the concurrent rate limit if you notice frequent bursts of HTTP 429 errors. Examine the activities in the log before the burst of HTTP 429 errors appeared. If you can't identify what is causing you to exceed the limit, contact [Okta Support](https://support.okta.com).
+
### Identify the source
Check the rate limit dashboard for more information:
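Review bot: The fourth added bullet identifies headers only by position ("The first two header values", "The third header"), so the reader has to locate a list elsewhere on the page to know which ones are meant; only `X-Rate-Limit-Reset` is named, in the following bullet. Name each header explicitly. The first bullet also says "request headers" while the other bullets say "the headers"; use one term throughout. The closing paragraph introduces "concurrent thread" where the bullets speak of "unfinished requests", so either define the term or keep the bullets' wording.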
@@ -223,6 +233,8 @@ Each event includes the endpoint (`requestURI`), the actor, thresholds, and actu
After you have confirmed 429 errors and understand the root cause, you can employ a few strategies.
+If you anticipate a large number of requests over a specified time period, you can request a temporary rate limit increase. Contact [Okta Support](https://support.okta.com) to open a ticket to permit the exception. See [How to Request a Temporary Rate Limit Increase](https://support.okta.com/help/s/article/How-can-we-request-to-have-the-rate-limit-for-our-org-temporarily-increased?language=en_US).
+
| Root cause | Description | Strategies to fix |
|------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Intended high usage | A planned business event, such as an e-commerce product launch or a workforce app rollout, generates a legitimate, high-volume surge of user traffic that exceeds default limits | • Implement throttle logic and retries with backoff. The Okta SDK has a configuration library available for this use case.
• Purchase DynamicScale to permanently increase rate limits.
• Request a rate limit increase. |
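Review bot: The added paragraph lands between the lead-in "you can employ a few strategies." and the table that lead-in introduces, and it repeats the "Request a rate limit increase." strategy already listed in the "Intended high usage" row. Move it below the table, or attach the support link to that row's bullet. The support article URL also carries `?language=en_US`, which pins the locale; drop the query string if the article resolves without it.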
diff --git a/packages/@okta/vuepress-site/docs/release-notes/2021/index.md b/packages/@okta/vuepress-site/docs/release-notes/2021/index.md
index 7242c5bfb74..87faa96ea64 100644
--- a/packages/@okta/vuepress-site/docs/release-notes/2021/index.md
+++ b/packages/@okta/vuepress-site/docs/release-notes/2021/index.md
@@ -267,7 +267,7 @@ The `audience` parameter of the `/authn` [endpoint](/docs/reference/api/authn/#p
#### SAML assertion preview populates with real data
-After a developer creates a SAML App integration in the Okta Admin Console, the preview of a generated SAML assertion now uses real data instead of mock data. See [Create a SAML integration](/docs/guides/build-sso-integration/saml2/main/#create-a-saml-integration).
+After a developer creates a SAML App integration in the Okta Admin Console, the preview of a generated SAML assertion now uses real data instead of mock data. See [Create a SAML integration](/docs/guides/create-an-app-integration/saml2/main/#create-a-saml-integration).
#### Dynamic Issuer Mode is EA in Preview
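Review bot: The link path changes to `create-an-app-integration/saml2/main/` but the fragment `#create-a-saml-integration` is carried over unchanged. Confirm that the new guide has a heading that generates this anchor. If it does not, the link will load the top of the page instead of the section.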
diff --git a/packages/@okta/vuepress-site/docs/release-notes/2023-okta-identity-engine/index.md b/packages/@okta/vuepress-site/docs/release-notes/2023-okta-identity-engine/index.md
index 14bc196be53..2d7f5dcd7f8 100644
--- a/packages/@okta/vuepress-site/docs/release-notes/2023-okta-identity-engine/index.md
+++ b/packages/@okta/vuepress-site/docs/release-notes/2023-okta-identity-engine/index.md
@@ -394,7 +394,7 @@ Okta ThreatInsight coverage is now available for core Okta API endpoints ([OIDC
#### Developer documentation update in 2023.07.0
-The guides within the Primer for OIN OpenID Connect section have been removed. Content for OIDC protocol requirements, multi-tenancy, and best practices have been updated and merged to the [Overview of Single Sign-On in the OIN](/docs/guides/oin-sso-overview/) and [Build an SSO integration](/docs/guides/build-sso-integration/openidconnect/main/) guides.
+The guides within the Primer for OIN OpenID Connect section have been removed. Content for OIDC protocol requirements, multi-tenancy, and best practices have been updated and merged to the [Overview of Single Sign-On in the OIN](/docs/guides/oin-sso-overview/) and [Sign users in overview](/guides/sign-in-overview/main/) guides.
#### Bugs fixed in 2023.07.0
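Review bot: The new target `/guides/sign-in-overview/main/` is missing the `/docs` prefix. The other internal link on the same line uses `/docs/guides/oin-sso-overview/`, and the `docsUrl` change later in this patch uses `/docs/guides/sign-in-overview/main`. As written, this link is likely to resolve to a missing page. Change it to `/docs/guides/sign-in-overview/main/`.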
diff --git a/packages/@okta/vuepress-site/docs/release-notes/2023/index.md b/packages/@okta/vuepress-site/docs/release-notes/2023/index.md
index 5e61fbab23c..00f55f861e0 100644
--- a/packages/@okta/vuepress-site/docs/release-notes/2023/index.md
+++ b/packages/@okta/vuepress-site/docs/release-notes/2023/index.md
@@ -274,7 +274,7 @@ Okta ThreatInsight coverage is now available for core Okta API endpoints ([OIDC
#### Developer documentation update in 2023.07.0
-The guides within the Primer for OIN OpenID Connect section have been removed. Content for OIDC protocol requirements, multi-tenancy, and best practices have been updated and merged to the [Overview of Single Sign-On in the OIN](/docs/guides/oin-sso-overview/) and [Build an SSO integration](/docs/guides/build-sso-integration/openidconnect/main/) guides.
+The guides within the Primer for OIN OpenID Connect section have been removed. Content for OIDC protocol requirements, multi-tenancy, and best practices have been updated and merged to the [Overview of Single Sign-On in the OIN](/docs/guides/oin-sso-overview/) and [Sign users in overview](/docs/guides/create-an-app-integration/openidconnect/main/) guides.
#### Bug fixed in 2023.07.0
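Review bot: The link text "Sign users in overview" does not match its target `/docs/guides/create-an-app-integration/openidconnect/main/`. The identical paragraph in `2023-okta-identity-engine/index.md` points the same text at a `sign-in-overview` path. Pick one destination for both files and make the label describe it.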
diff --git a/packages/@okta/vuepress-site/docs/release-notes/2025-okta-identity-engine/index.md b/packages/@okta/vuepress-site/docs/release-notes/2025-okta-identity-engine/index.md
index 3e5a0d794a9..1116887faec 100644
--- a/packages/@okta/vuepress-site/docs/release-notes/2025-okta-identity-engine/index.md
+++ b/packages/@okta/vuepress-site/docs/release-notes/2025-okta-identity-engine/index.md
@@ -842,7 +842,7 @@ Universal Logout (UL) in the Okta Integration Network Wizard allows you to build
#### Web app integrations now mandate the use of the Authorization Code flow
-To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See [Build a Single Sign-On (SSO) integration](https://developer.okta.com/docs/guides/build-sso-integration/openidconnect/main/#determine-the-oauth-2-0-flow-to-use).
+To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See [OAuth 2.0 and OpenID Connect overview](https://developer.okta.com/docs/concepts/oauth-openid/).
#### Developer documentation updates in 2025.08.0
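Review bot: The replacement link trades a section-level pointer (`#determine-the-oauth-2-0-flow-to-use`) for the top of a general concepts page. A reader following the note about Authorization Code versus Implicit no longer lands on flow-selection guidance. If the overview has a section on choosing a flow, link to that section. The URL is also absolute (`https://developer.okta.com/...`) where the other release-note links in this patch are site-relative.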
diff --git a/packages/@okta/vuepress-site/docs/release-notes/2025/index.md b/packages/@okta/vuepress-site/docs/release-notes/2025/index.md
index e60a94cf4b5..58457f3222c 100644
--- a/packages/@okta/vuepress-site/docs/release-notes/2025/index.md
+++ b/packages/@okta/vuepress-site/docs/release-notes/2025/index.md
@@ -453,7 +453,7 @@ Unified claims generation is a new streamlined interface for managing claims (OI
#### Web app integrations now mandate the use of the Authorization Code flow
-To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See [Build a Single Sign-On (SSO) integration](https://developer.okta.com/docs/guides/build-sso-integration/openidconnect/main/#determine-the-oauth-2-0-flow-to-use).
+To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See [OAuth 2.0 and OpenID Connect overview](https://developer.okta.com/docs/concepts/oauth-openid/).
#### Developer documentation updates in 2025.08.0
diff --git a/packages/@okta/vuepress-site/okta-integration-network/index.md b/packages/@okta/vuepress-site/okta-integration-network/index.md
index 5c0992eddd1..77311d04b91 100644
--- a/packages/@okta/vuepress-site/okta-integration-network/index.md
+++ b/packages/@okta/vuepress-site/okta-integration-network/index.md
@@ -15,7 +15,7 @@ guides:
url: /docs/concepts/saml
- text: What is OIDC?
url: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
- docsUrl: /docs/guides/build-sso-integration/
+ docsUrl: /docs/guides/sign-in-overview/main
- name: Automate Provisioning
icon: /img/icons/icon--lock.svg
description: Synchronize user identities using SCIM
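Review bot: The new `docsUrl` value `/docs/guides/sign-in-overview/main` has no trailing slash, while the value it replaces and the other guide paths in this patch end in `/`. Add the slash for consistency and to avoid a redirect hop if the site router normalizes paths.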
diff --git a/packages/@okta/vuepress-theme-prose/const/navbar.const.js b/packages/@okta/vuepress-theme-prose/const/navbar.const.js
index 87332eedcdc..3e9510520cd 100644
--- a/packages/@okta/vuepress-theme-prose/const/navbar.const.js
+++ b/packages/@okta/vuepress-theme-prose/const/navbar.const.js
@@ -754,20 +754,6 @@ export const guides = [
title: "Okta Integration Network",
customLandingPage: true,
subLinks: [
- {
- title: "Single Sign-On",
- path: "/docs/guides/oin-sso-overview/",
- subLinks: [
- {
- title: "Build an SSO integration",
- guideName: "build-sso-integration",
- },
- {
- title: "Add a private SSO integration",
- guideName: "add-private-app",
- },
- ],
- },
{
title: "Lifecycle management",
path: "/docs/guides/oin-lifecycle-mgmt-overview/",
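Review bot: Removing the whole "Single Sign-On" group also drops the "Add a private SSO integration" entry (`guideName: "add-private-app"`), and nothing in this hunk gives it a new place in the navigation. If that guide still exists, it becomes unreachable from the sidebar. Separately, `/docs/guides/oin-sso-overview/` is still the target of the "Overview of Single Sign-On in the OIN" links kept in both 2023 release-note hunks, while the landing components in this patch move to `/docs/concepts/sso-overview/`. If the old page is being retired, update those links or add a redirect.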
diff --git a/packages/@okta/vuepress-theme-prose/custom-landings/OktaIntegrationNetwork/components/Explore.vue b/packages/@okta/vuepress-theme-prose/custom-landings/OktaIntegrationNetwork/components/Explore.vue
index e02617edc72..f2aaf61be77 100644
--- a/packages/@okta/vuepress-theme-prose/custom-landings/OktaIntegrationNetwork/components/Explore.vue
+++ b/packages/@okta/vuepress-theme-prose/custom-landings/OktaIntegrationNetwork/components/Explore.vue
@@ -56,7 +56,7 @@
caption: 'Design & build',
text: 'OIN is a catalog and a support system. View SSO, lifecycle, and service app integration guides to help you to design, build, and test your integration before you submit it for verification. Get support from the Okta Developer Forum during your build journey.',
link: 'Start with SSO',
- path: '/docs/guides/oin-sso-overview/'
+ path: '/docs/concepts/sso-overview/'
},
{
id: 3,
diff --git a/packages/@okta/vuepress-theme-prose/custom-landings/OktaIntegrationNetwork/components/Features.vue b/packages/@okta/vuepress-theme-prose/custom-landings/OktaIntegrationNetwork/components/Features.vue
index b86de6e29bc..b68443dd2e7 100644
--- a/packages/@okta/vuepress-theme-prose/custom-landings/OktaIntegrationNetwork/components/Features.vue
+++ b/packages/@okta/vuepress-theme-prose/custom-landings/OktaIntegrationNetwork/components/Features.vue
@@ -102,7 +102,7 @@
id: 1,
title: 'Enable Single Sign-On',
text: 'Let users securely sign in to your app with their credentials.',
- link: '/docs/guides/oin-sso-overview/',
+ link: '/docs/concepts/sso-overview/',
linkText: 'Get started with Single Sign-On',
list: [
'Streamline the sign-in flow',