From cf1c7c8a1fe264630812390bc4040fbd2014dcf8 Mon Sep 17 00:00:00 2001 From: Janu Geethakumari Date: Thu, 21 May 2026 16:43:00 -0400 Subject: [PATCH 1/9] Add refactoring updates --- .../vuepress-site/docs/guides/submit-app-prereq/main/index.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/packages/@okta/vuepress-site/docs/guides/submit-app-prereq/main/index.md b/packages/@okta/vuepress-site/docs/guides/submit-app-prereq/main/index.md index bec72951f5d..75b4880e42d 100644 --- a/packages/@okta/vuepress-site/docs/guides/submit-app-prereq/main/index.md +++ b/packages/@okta/vuepress-site/docs/guides/submit-app-prereq/main/index.md @@ -78,7 +78,9 @@ To access the OIN Wizard and the **Your OIN Integrations** dashboard in your org * You must have either the super admin or the app and org admin [roles](https://help.okta.com/okta_help.htm?type=oie&id=ext-administrators-admin-comparison) assigned to you. * Use your company domain email as your username for your Okta admin account (submissions from a personal email account aren't reviewed). -> **Note:** The app admin role enables you to view and edit details in the OIN Wizard. For OIN Wizard testing, you must have both the app admin and the org admin roles assigned to you. The super admin role gives you access to all functionality in the OIN Wizard. +> **Notes:** +> The app admin role enables you to view and edit details in the OIN Wizard. For OIN Wizard testing, you must have both the app admin and the org admin roles assigned to you. The super admin role gives you access to all functionality in the OIN Wizard. +> You can't use the Okta SDKs to validate access tokens for apps in the OIN. This is due to the OIN restriction of using an org authorization server and the Authorization Code flow. ### OIN Wizard test requirements From 1806b3a444808f1932c941425c6d064c64c06e42 Mon Sep 17 00:00:00 2001 
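Review bot: In the new `> **Notes:**` blockquote the three `>` lines have no blank quoted line between them, so Markdown renders the label and both notes as one run-on paragraph; insert a bare `>` line between them or keep two separate `> **Note:**` blocks. The second note also sits under admin-role prerequisites although it is an OIDC limitation (it is repeated in the OIDC limitations section in patch 3), and its stated cause will mislead: the grant used to obtain a token has no bearing on how that token is validated, so "and the Authorization Code flow" should be dropped and only the org authorization server dependency kept.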
From: Janu Geethakumari Date: Fri, 22 May 2026 21:00:54 -0400 Subject: [PATCH 2/9] Refactor task --- .../docs/concepts/oauth-openid/index.md | 2 ++ .../docs/guides/submit-app-prereq/main/index.md | 14 +++++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/packages/@okta/vuepress-site/docs/concepts/oauth-openid/index.md b/packages/@okta/vuepress-site/docs/concepts/oauth-openid/index.md index ce1bcfeac08..b802f55998f 100644 --- a/packages/@okta/vuepress-site/docs/concepts/oauth-openid/index.md +++ b/packages/@okta/vuepress-site/docs/concepts/oauth-openid/index.md @@ -94,6 +94,8 @@ The following table shows you which OAuth 2.0 flow to use for the type of app th > **Note**: There's also an OAuth 2.0 [SAML 2.0 Assertion flow](#saml-2-0-assertion-flow). This flow is intended for client apps that want to use an existing trust relationship without a direct user approval step at the authorization server. It supports access and ID tokens. +> **Note:** If you're building an integration for the [Okta Integration Network (OIN)](https://www.okta.com/integrations/), additional restrictions apply to your flow choice and authorization server. See [OIDC/OAuth 2.0 integration limitations](/docs/guides/submit-app-prereq/main/#oidc-oauth-2-0-integration-limitations). + ### What kind of client are you building? The type of OAuth 2.0 flow depends on what kind of client that you're building. This flowchart can quickly help you decide which flow to use. diff --git a/packages/@okta/vuepress-site/docs/guides/submit-app-prereq/main/index.md b/packages/@okta/vuepress-site/docs/guides/submit-app-prereq/main/index.md index 75b4880e42d..e4f8b04b756 100644 --- a/packages/@okta/vuepress-site/docs/guides/submit-app-prereq/main/index.md +++ b/packages/@okta/vuepress-site/docs/guides/submit-app-prereq/main/index.md 
@@ -530,7 +530,19 @@ You can't publish integrations with the following Okta features in the OIN catal In addition to the general OIN limitations, the following are limitations specific to OIDC or OAuth 2.0 integrations: -* You can't use a [custom authorization server](/docs/concepts/auth-servers/#custom-authorization-server) that includes the `default` server for an OIDC or API service integration. You can only use the [org authorization server](/docs/concepts/auth-servers/#org-authorization-server). +* When you create your app integration in your Okta org, select **Web Application** as the OIDC app type. + +* Native and mobile app integrations aren't accepted as OIDC app integrations in the OIN unless they use server-side authentication patterns. Set up your app to use an authentication flow that allows your client app to talk to your SaaS backend. Your SaaS backend can then securely communicate with Okta through trusted back-channel connections. See [Implement the authorization code flow](/docs/guides/implement-grant-type/authcode/main/). + +* The Implicit flow isn't recommended for token exchange in web apps. If your use case requires the use of an Implicit flow for token exchange, contact [Okta Support](https://support.okta.com). + +* You can't use a [custom authorization server](/docs/concepts/auth-servers/#custom-authorization-server) that includes the `default` server for an OIDC or API service integration. You can only use the [org authorization server](/docs/concepts/auth-servers/#org-authorization-server). 
The following are the various `/authorize` request URLs for the different authorization servers: + + * **custom authorization server**: `https://{customerOktaDomain}/oauth2/{authorizationServerId}/v1/authorize?client_id={clientId}&response_type=code&scope=openid&redirect_uri={redirectURI}&state={state}` + * **default custom authorization server** (`{authorizationServerId}=default`): `https://{customerOktaDomain}/oauth2/default/v1/authorize?client_id={clientId}&response_type=code&scope=openid&redirect_uri={redirectURI}&state={state}` + * **org authorization server**: `https://{customerOktaDomain}/oauth2/v1/authorize?client_id={clientId}&response_type=code&scope=openid&redirect_uri={redirectURI}&state={state}` + + Make sure that you only use the **org authorization server** URL. When you use the org authorization server, the issuer URL is `https://{yourOktaDomain}`. * You can't use the Okta SDKs to validate access tokens with the [org authorization server](/docs/concepts/auth-servers/#org-authorization-server). From 5b0daa575d50af604c1decc227e72e7087a7fffa Mon Sep 17 00:00:00 2001 From: Janu Geethakumari Date: Sun, 24 May 2026 20:48:30 -0400 Subject: [PATCH 3/9] Add updates --- .../docs/concepts/oauth-claims/index.md | 10 +++++++--- .../docs/guides/submit-app-prereq/main/index.md | 10 +++++++++- .../docs/reference/rate-limits/index.md | 6 ++++++ .../docs/reference/rl2-monitor/index.md | 12 ++++++++++++ 4 files changed, 34 insertions(+), 4 deletions(-) diff --git a/packages/@okta/vuepress-site/docs/concepts/oauth-claims/index.md b/packages/@okta/vuepress-site/docs/concepts/oauth-claims/index.md index c960624b195..0010fd10409 100644 --- a/packages/@okta/vuepress-site/docs/concepts/oauth-claims/index.md +++ b/packages/@okta/vuepress-site/docs/concepts/oauth-claims/index.md 
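Review bot: The new bullet "The Implicit flow isn't recommended ... contact Okta Support" contradicts the release-note wording changed later in this series ("web app integrations now mandate the use of the Authorization Code flow"); a limitations list should state the enforced rule rather than invite support tickets for a flow the rest of the docs deprecates. In the authorization server bullet the three example URLs use `{customerOktaDomain}` while the issuer sentence uses `{yourOktaDomain}`; pick one placeholder. "a custom authorization server that includes the `default` server" is hard to parse; suggest "a custom authorization server (including the `default` one)".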
@@ -1,11 +1,11 @@ --- -title: OAuth 2.0 and OpenID Connect claims +title: OAuth 2.0 claims and scopes meta: - name: description - content: A high-level overview of OAuth 2.0 and OpenID Connect claims. + content: A high-level overview of OAuth 2.0 claims and scopes. --- -# Learn about OAuth 2.0 and OpenID Connect claims +# Learn about OAuth 2.0 claims and scopes [OAuth 2.0 and OpenID Connect (OIDC)](/docs/concepts/oauth-openid) claims are key-value pairs of data that contain information, typically information about a user. Okta uses these claims to provide context about the user and their permissions. @@ -27,6 +27,10 @@ During the authorization flow, an app requests specific scopes. The resulting ac You can use claims for fine-grained permissions and information to enhance the security of your apps. Scopes include bundles of claims, whereas claims provide more granularity that allows you to control access to specific resources or actions. +> **Note**: The following scopes aren't supported for integrations published in the OIN: +> * `offline_access` scope (since refresh tokens aren't supported) +> * Custom scopes (such as the `groups` scope). You can only request the [OIDC scopes](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#scopes). You can't configure custom scopes. + ### Claims in access tokens Claims in access tokens pass information about the user and their permissions to the resource server. Access tokens can contain scopes and [custom claims](/docs/guides/customize-tokens-returned-from-okta/main/), while ID tokens can contain claims, but not scopes. diff --git a/packages/@okta/vuepress-site/docs/guides/submit-app-prereq/main/index.md b/packages/@okta/vuepress-site/docs/guides/submit-app-prereq/main/index.md index e4f8b04b756..9b5f941ba54 100644 --- a/packages/@okta/vuepress-site/docs/guides/submit-app-prereq/main/index.md +++ b/packages/@okta/vuepress-site/docs/guides/submit-app-prereq/main/index.md 
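Review bot: "Custom scopes (such as the `groups` scope)" conflates two cases: `groups` is an Okta-defined scope in the linked scope reference, not one the developer configures, so the reader can't tell whether the rule is "only the standard OIDC scopes" or "no developer-defined scopes". State which, and if `groups` is excluded because it is Okta-specific rather than custom, say so. Also `> **Note**:` puts the colon outside the bold while the other notes added in this series use `**Note:**`.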
@@ -67,6 +67,12 @@ The following multi-tenant example assumes that your Okta app integration suppor * Similarly, customer B instantiates your OIDC app integration in their Okta org and obtains their unique client ID and secret. They then sign in to their account on your app platform. They use their client ID, client secret, and Okta domain (for the issuer URL) to enable SSO without any assistance from you. * Each customer enables SSO to your app for their users in a separate credential system with their Okta org. Because you've created a self-service portal that allows your customers to enable SSO by themselves, you save resources and provide autonomy to your customers. +#### Rate limit considerations + +When you construct your SSO app, be aware of the limits on requests to Okta APIs. Okta provides headers in each response to report on both concurrent and org-wide rate limits. To monitor org-wide rate limits, include code in your app to check the relevant headers in the response. + +For information on the rate-limit categories, including which public metadata endpoints aren't subject to rate limits, see the [Rate limits overview](/docs/reference/rate-limits/). For details on response headers, troubleshooting HTTP 429 errors, and requesting a temporary rate limit increase, see [Monitor and troubleshoot rate limits](/docs/reference/rl2-monitor/). + ## OIN Wizard requirements The OIN Wizard is only available in Integrator Free Plan orgs. 
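Review bot: "include code in your app to check the relevant headers" never names the headers, so the guidance isn't actionable; name `X-Rate-Limit-Limit`, `X-Rate-Limit-Remaining` and `X-Rate-Limit-Reset` (the last appears later in this series), and say that a 429 handler should wait until the `X-Rate-Limit-Reset` time before retrying, consistent with the "retries with backoff" strategy added in the rl2-monitor table.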
@@ -544,7 +550,7 @@ In addition to the general OIN limitations, the following are limitations specif Make sure that you only use the **org authorization server** URL. When you use the org authorization server, the issuer URL is `https://{yourOktaDomain}`. -* You can't use the Okta SDKs to validate access tokens with the [org authorization server](/docs/concepts/auth-servers/#org-authorization-server). +* You can't use the Okta SDKs to validate access tokens with the [org authorization server](/docs/concepts/auth-servers/#org-authorization-server). This is due to the OIN restriction of using an org authorization server and the Authorization Code flow. * Refresh tokens aren't supported for SSO OIDC integrations published in the OIN. @@ -570,6 +576,8 @@ In addition to the general OIN limitations, the following are limitations specif * SP-initiated Single Logout (SLO) isn’t supported. +The OIN Wizard doesn't accept new SSO integrations with more than three app instance variables or advanced SAML features. For these new integrations, add a [private SSO integration](/docs/guides/add-private-app/) with the Application Integration Wizard (AIW) in your Okta org instead. + The OIN team maintains existing SAML integrations with advanced features not supported in the OIN Wizard. If you need to update your existing advanced SAML integration, contact the OIN team at . ### SCIM integration limitations diff --git a/packages/@okta/vuepress-site/docs/reference/rate-limits/index.md b/packages/@okta/vuepress-site/docs/reference/rate-limits/index.md index 545dfe7cd62..26a98080d61 100644 --- a/packages/@okta/vuepress-site/docs/reference/rate-limits/index.md +++ b/packages/@okta/vuepress-site/docs/reference/rate-limits/index.md 
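Review bot: The appended sentence "This is due to the OIN restriction of using an org authorization server and the Authorization Code flow" now appears both here and in the admin-role note from patch 1; keep it in one place. Here it also restates rather than explains, since the org authorization server is already the subject of the sentence, and the Authorization Code clause is wrong as a cause because the flow that issued a token does not affect how it is validated; drop the clause.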
@@ -31,6 +31,12 @@ Buckets scoped to authenticated users are independent and not nested under any o A bucket’s quota can vary based on several factors, including—but not limited to—the type of service subscription (for example, Workforce versus Customer Identity), the HTTP method used (for example, GET versus POST), the number of licenses purchased, and any applicable add-ons, such as DynamicScale. If the quota is exceeded within the time window, further requests are rejected with an HTTP 429 Too Many Requests response until the quota resets. You can monitor rate limit usage through the rate limit dashboard, System Log, or by inspecting the rate limiting headers included in API responses. See [Monitor and troubleshoot rate limits](/docs/reference/rl2-monitor/). +>**Note:** The following public metadata endpoints aren't subject to rate limits: +> +>* `/oauth2/v1/keys` +>* `/.well-known/openid-configuration` +>* `/.well-known/oauth-authorization-server` + ## How rate limiting works The logic behind the Okta implementation of rate limits can be summarized in the following steps: diff --git a/packages/@okta/vuepress-site/docs/reference/rl2-monitor/index.md b/packages/@okta/vuepress-site/docs/reference/rl2-monitor/index.md index a4e9082cfc4..d640814c0db 100644 --- a/packages/@okta/vuepress-site/docs/reference/rl2-monitor/index.md +++ b/packages/@okta/vuepress-site/docs/reference/rl2-monitor/index.md 
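Review bot: The exemption list names only the org authorization server paths (`/oauth2/v1/keys`, `/.well-known/openid-configuration`, `/.well-known/oauth-authorization-server`); say whether the custom authorization server equivalents under `/oauth2/{authorizationServerId}/` are also exempt, because clients of a custom server fetch keys and metadata from those paths and will otherwise assume they are throttled. Also `>**Note:**` is missing the space after `>` that the other notes use.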
@@ -195,6 +195,16 @@ Okta provides several tools to give you real-time visibility into your rate limi +For concurrent rate limits, these headers behave a little differently: + +* When the number of unfinished requests is below the concurrent rate limit, request headers only report org-wide rate limits. +* After you exceed a concurrent rate limit, the headers report that the limit has been exceeded. +* When you drop back down below the concurrent rate limit, the headers switch back to reporting the time-based rate limits. +* The first two header values are always `0` for concurrent rate limit errors. The third header reports an estimated time interval when the concurrent rate limit may be resolved. +* The `X-Rate-Limit-Reset` time for concurrent rate limits is only a suggested value. There's no guarantee that enough requests can complete for the requests to go below the concurrent rate limit at the time indicated. + +The error condition resolves itself when there's another concurrent thread available. Normally no intervention is required. You may be exceeding the concurrent rate limit if you notice frequent bursts of HTTP 429 errors. Examine the activities in the log before the burst of HTTP 429 errors appeared. If you can't identify what is causing you to exceed the limit, contact [Okta Support](https://support.okta.com). + ### Identify the source Check the rate limit dashboard for more information: 
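Review bot: In the first bullet, "request headers only report org-wide rate limits" should read "response headers"; the limits are reported on Okta's responses, as the surrounding page says. "The first two header values" and "The third header" rely on an ordering the reader can't see in this hunk; name them (`X-Rate-Limit-Limit` and `X-Rate-Limit-Remaining` are `0`, `X-Rate-Limit-Reset` carries the estimate). The closing paragraph says the condition "resolves itself" and "Normally no intervention is required" immediately before telling the reader to examine logs and contact Support; reorder so the diagnostic steps are clearly conditional on persistent bursts of 429s.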
@@ -223,6 +233,8 @@ Each event includes the endpoint (`requestURI`), the actor, thresholds, and actu After you have confirmed 429 errors and understand the root cause, you can employ a few strategies. +If you anticipate a large number of requests over a specified time period, you can request a temporary rate limit increase. Contact [Okta Support](https://support.okta.com) to open a ticket to permit the exception. See [How to Request a Temporary Rate Limit Increase](https://support.okta.com/help/s/article/How-can-we-request-to-have-the-rate-limit-for-our-org-temporarily-increased?language=en_US). + | Root cause | Description | Strategies to fix | |------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Intended high usage | A planned business event, such as an e-commerce product launch or a workforce app rollout, generates a legitimate, high-volume surge of user traffic that exceeds default limits | • Implement throttle logic and retries with backoff. The Okta SDK has a configuration library available for this use case.
• Purchase DynamicScale to permanently increase rate limits.
• Request a rate limit increase. | From ba48db4b729593c45cedd363a980a65b36e3340f Mon Sep 17 00:00:00 2001 From: Janu Geethakumari Date: Tue, 26 May 2026 09:22:48 -0400 Subject: [PATCH 4/9] improve Acrolinx score and add redirects --- packages/@okta/vuepress-site/conductor.yml | 12 ++++++++++++ .../docs/concepts/oauth-openid/index.md | 2 +- .../docs/reference/rl2-monitor/index.md | 4 ++-- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/packages/@okta/vuepress-site/conductor.yml b/packages/@okta/vuepress-site/conductor.yml index 4f5f5a9ce61..0161bb0b313 100644 --- a/packages/@okta/vuepress-site/conductor.yml +++ b/packages/@okta/vuepress-site/conductor.yml @@ -6109,3 +6109,15 @@ redirects: to: /docs/guides/create-an-app-integration/openidconnect/main/ - from: /docs/guides/add-private-app/openidconnect/main to: /docs/guides/create-an-app-integration/openidconnect/main/ + - from: /docs/guides/build-sso-integration/openidconnect/main/ + to: /docs/guides/sign-in-overview/main/ + - from: /docs/guides/build-sso-integration/openidconnect/main/#deployment-models + to: /docs/concepts/redirect-vs-embedded/ + - from: /docs/guides/build-sso-integration/openidconnect/main/#overview + to: /docs/concepts/sso-overview/ + - from: /docs/guides/build-sso-integration/openidconnect/main/#build-your-integration + to: /docs/guides/submit-app-prereq/main/#oin-wizard-requirements + - from: /docs/guides/build-sso-integration/openidconnect/main/#scopes + to: /docs/concepts/oauth-claims/ + - from: /docs/guides/build-sso-integration/openidconnect/main/#rate-limit-considerations + to: /docs/reference/rate-limits/ diff --git a/packages/@okta/vuepress-site/docs/concepts/oauth-openid/index.md b/packages/@okta/vuepress-site/docs/concepts/oauth-openid/index.md index b802f55998f..4b0f56ce1f9 100644 --- a/packages/@okta/vuepress-site/docs/concepts/oauth-openid/index.md +++ b/packages/@okta/vuepress-site/docs/concepts/oauth-openid/index.md 
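Review bot: Five of the new `from:` entries in conductor.yml carry URL fragments (`#deployment-models`, `#overview`, `#build-your-integration`, `#scopes`, `#rate-limit-considerations`); a browser never sends the fragment to the server, so a server-side redirect keyed on it can never match and all of these requests fall through to the fragment-less `/docs/guides/build-sso-integration/openidconnect/main/` rule. Unless conductor evaluates redirects client-side, drop the fragment entries or map the page once to the most general target.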
@@ -57,7 +57,7 @@ The following describes the usual OAuth 2.0 Authorization Code flow. At the core of both OAuth 2.0 and OIDC is the authorization server. An authorization server is simply an OAuth 2.0 token minting engine. Each authorization server has a unique issuer URI and its own signing key for tokens to keep a proper boundary between security domains. In the context of this guide, Okta is your authorization server. -The authorization server also acts as an OIDC provider. This means you can request [ID tokens](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#id-token) in addition to [access tokens](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#access-token) from the authorization server endpoints. +The authorization server also acts as an OIDC provider. This means that you can request [ID tokens](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#id-token) in addition to [access tokens](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#access-token) from the authorization server endpoints. > **Note:** For information on authorization servers, how they work, and how you can use them, see [Authorization servers](/docs/concepts/auth-servers). diff --git a/packages/@okta/vuepress-site/docs/reference/rl2-monitor/index.md b/packages/@okta/vuepress-site/docs/reference/rl2-monitor/index.md index d640814c0db..4b1ac33bc7d 100644 --- a/packages/@okta/vuepress-site/docs/reference/rl2-monitor/index.md +++ b/packages/@okta/vuepress-site/docs/reference/rl2-monitor/index.md 
@@ -66,7 +66,7 @@ The **Overview** tab is your monitoring hub. Use it to scan for issues or drill * Top offenders: A bar graph shows the top five APIs with the most rate limit events. * Rate Limit Buckets table: Each bucket is listed with current rate limits (including overrides and multipliers), recent events, and a usage trend line for the last hour. -You can hover to reveal detailed data points, click on a rate limit bucket to see deeper metrics and historical usage, or filter by time period, multiplier status, or event type. +You can hover to reveal detailed data points, select a rate limit bucket to see deeper metrics and historical usage, or filter by time period, multiplier status, or event type.
@@ -76,7 +76,7 @@ You can hover to reveal detailed data points, click on a rate limit bucket to se ### Events graph -The event count graph plots the number of violations, bursts, and warnings over the selected time period, which can be the last 24 hours, the last seven days, last month, or the last three months. The events by API bar graph shows the top five number of events by API over the same time period. +The event count graph plots the number of violations, bursts, and warnings over the selected time period, which can be the last 24 hours, the last seven days, last month, or the last three months. The `events by API` bar graph shows the top five number of events by API over the same time period.
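Review bot: `events by API` is a UI label, and this page marks UI elements in bold (`**Overview** tab` in the context above), not in code font; use **Events by API** and match the capitalisation of the graph title in the product.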
From 9ddc0fec4e44998665aa039cf5480a2d3dad5ff1 Mon Sep 17 00:00:00 2001 From: Janu Geethakumari Date: Tue, 26 May 2026 09:29:05 -0400 Subject: [PATCH 5/9] Delete the Build a Single Sign-On (SSO) integration page --- packages/@okta/vuepress-site/okta-integration-network/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@okta/vuepress-site/okta-integration-network/index.md b/packages/@okta/vuepress-site/okta-integration-network/index.md index 5c0992eddd1..77311d04b91 100644 --- a/packages/@okta/vuepress-site/okta-integration-network/index.md +++ b/packages/@okta/vuepress-site/okta-integration-network/index.md @@ -15,7 +15,7 @@ guides: url: /docs/concepts/saml - text: What is OIDC? url: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth - docsUrl: /docs/guides/build-sso-integration/ + docsUrl: /docs/guides/sign-in-overview/main - name: Automate Provisioning icon: /img/icons/icon--lock.svg description: Synchronize user identities using SCIM From 829a7671f8a51e108f78f965d31fb07088820ba3 Mon Sep 17 00:00:00 2001 From: Janu Geethakumari Date: Tue, 26 May 2026 10:45:25 -0400 Subject: [PATCH 6/9] Replace links --- .../vuepress-site/docs/guides/updating-saml-cert/main/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@okta/vuepress-site/docs/guides/updating-saml-cert/main/index.md b/packages/@okta/vuepress-site/docs/guides/updating-saml-cert/main/index.md index f17eda8f5f2..4fd81bfce93 100644 --- a/packages/@okta/vuepress-site/docs/guides/updating-saml-cert/main/index.md +++ b/packages/@okta/vuepress-site/docs/guides/updating-saml-cert/main/index.md 
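Review bot: `docsUrl: /docs/guides/sign-in-overview/main` drops the trailing slash that every other link to this page in the series uses (`/docs/guides/sign-in-overview/main/`); match it so the site doesn't serve an extra redirect for the OIN landing card. Patch 8 later retargets the other OIDC links to `/docs/guides/create-an-app-integration/openidconnect/main/` but does not revisit this one; confirm which page the card should land on.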
@@ -300,4 +300,4 @@ Response: * [SAML overview](https://developer.okta.com/docs/concepts/saml/) * [SAML FAQ](https://developer.okta.com/docs/concepts/saml/faqs/) -* [Building a SAML SSO integration](https://developer.okta.com/docs/guides/build-sso-integration/saml2/before-you-begin/) +* [Building a SAML SSO integration](https://developer.okta.com/docs/guides/sign-in-overview/main/) From 3603640dd570ddf4d814b47bc6e61b44e474943e Mon Sep 17 00:00:00 2001 From: Janu Geethakumari Date: Tue, 26 May 2026 12:19:28 -0400 Subject: [PATCH 7/9] Address link updates --- .../@okta/vuepress-site/archive/php/simplesamlphp/index.md | 4 ++-- .../create-an-app-integration/main/openidconnect/see-also.md | 2 +- .../docs/release-notes/2023-okta-identity-engine/index.md | 2 +- packages/@okta/vuepress-site/docs/release-notes/2023/index.md | 2 +- .../docs/release-notes/2025-okta-identity-engine/index.md | 2 +- packages/@okta/vuepress-site/docs/release-notes/2025/index.md | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/packages/@okta/vuepress-site/archive/php/simplesamlphp/index.md b/packages/@okta/vuepress-site/archive/php/simplesamlphp/index.md index 911fe47ebd8..1c77bc2df46 100644 --- a/packages/@okta/vuepress-site/archive/php/simplesamlphp/index.md +++ b/packages/@okta/vuepress-site/archive/php/simplesamlphp/index.md 
@@ -23,7 +23,7 @@ If you're already familiar with Okta, you can skip to the section titled "Config Before you can configure the example application and SimpleSAMLphp you need to set up an Okta application icon that an Okta user selects to sign in to your to your application using SAML through SimpleSAMLphp. -To set up Okta to connect to your application, follow the guide to [Build a Single Sign-On integration](/docs/guides/build-sso-integration/saml2/main/). As you follow the instructions to [Create your integration](/docs/guides/build-sso-integration/saml2/main/#create-your-integration), there are two steps where you do things differently: +To set up Okta to connect to your application, follow the guide to [Build a Single Sign-On integration](/docs/guides/sign-in-overview/main/). As you follow the instructions to [OIN submission requirements](/docs/guides/submit-app-prereq/main/#oin-wizard-requirements), there are two steps where you do things differently: * In step \#9: Use **SimpleSAMLphp Example** instead **Example SAML application**. * In step \#10: Instead of entering the URL: `http://example.com/saml/sso/example-okta-com` @@ -171,7 +171,7 @@ Configuring SimpleSAMLphp: ); ``` - Be sure to replace the contents of `${metadataUrl}` with the link that you copied in step \#10 of the [Setting up a SAML application in Okta](/docs/guides/build-sso-integration/saml2/main/#create-your-integration) instructions that you followed above. + Be sure to replace the contents of `${metadataUrl}` with the link that you copied in step \#10 that you followed above. > **Note:** The contents of `${metadataUrl}` should look similar to this: > `https://${yourOktaDomain}/app/a0b1c2deFGHIJKLMNOPQ/sso/saml/metadata` diff --git a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/see-also.md b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/see-also.md index 8280c1eb922..7709c7be57e 100644 
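Review bot: The rewritten sentence sends the reader to "OIN submission requirements" for "step #9" and "step #10", but the requirements page is a checklist, not the numbered create-integration procedure the old link pointed at, so both step references now dangle; point them at the procedure that actually contains those steps (patch 8 fixes the first link in this sentence but leaves this one). In the second hunk, "the link that you copied in step #10 that you followed above" is ungrammatical after the link was removed; suggest "the metadata link that you copied in step #10 above".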
--- a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/see-also.md +++ b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/see-also.md @@ -1,2 +1,2 @@ -* See [Build a SSO integration](https://developer.okta.com/docs/guides/build-sso-integration/openidconnect/main/) for information on how to make your SSO app integration publish in the OIN. +* See [Build a SSO integration](https://developer.okta.com/docs/guides/sign-in-overview/main/) for information on how to make your SSO app integration publish in the OIN. * See [Publish an OIN integration](https://developer.okta.com/docs/guides/submit-app-overview/) for information on submitting your integration for publication in the OIN. \ No newline at end of file diff --git a/packages/@okta/vuepress-site/docs/release-notes/2023-okta-identity-engine/index.md b/packages/@okta/vuepress-site/docs/release-notes/2023-okta-identity-engine/index.md index 14bc196be53..2d7f5dcd7f8 100644 --- a/packages/@okta/vuepress-site/docs/release-notes/2023-okta-identity-engine/index.md +++ b/packages/@okta/vuepress-site/docs/release-notes/2023-okta-identity-engine/index.md 
@@ -394,7 +394,7 @@ Okta ThreatInsight coverage is now available for core Okta API endpoints ([OIDC #### Developer documentation update in 2023.07.0 -The guides within the Primer for OIN OpenID Connect section have been removed. Content for OIDC protocol requirements, multi-tenancy, and best practices have been updated and merged to the [Overview of Single Sign-On in the OIN](/docs/guides/oin-sso-overview/) and [Build an SSO integration](/docs/guides/build-sso-integration/openidconnect/main/) guides. +The guides within the Primer for OIN OpenID Connect section have been removed. Content for OIDC protocol requirements, multi-tenancy, and best practices have been updated and merged to the [Overview of Single Sign-On in the OIN](/docs/guides/oin-sso-overview/) and [Sign users in overview](/guides/sign-in-overview/main/) guides. #### Bugs fixed in 2023.07.0 diff --git a/packages/@okta/vuepress-site/docs/release-notes/2023/index.md b/packages/@okta/vuepress-site/docs/release-notes/2023/index.md index 5e61fbab23c..44e4e07a93f 100644 --- a/packages/@okta/vuepress-site/docs/release-notes/2023/index.md +++ b/packages/@okta/vuepress-site/docs/release-notes/2023/index.md 
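Review bot: The new link `/guides/sign-in-overview/main/` is missing the `/docs` prefix; the identical edit in the 2023 release notes, the next file in this patch, uses `/docs/guides/sign-in-overview/main/`. Since the sentence describes where OIDC protocol requirements, multi-tenancy and best practices were merged, and patches 2 and 3 move that material to the OIN submission prerequisites page, that page may be the more accurate target than a generic sign-in overview.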
@@ -274,7 +274,7 @@ Okta ThreatInsight coverage is now available for core Okta API endpoints ([OIDC #### Developer documentation update in 2023.07.0 -The guides within the Primer for OIN OpenID Connect section have been removed. Content for OIDC protocol requirements, multi-tenancy, and best practices have been updated and merged to the [Overview of Single Sign-On in the OIN](/docs/guides/oin-sso-overview/) and [Build an SSO integration](/docs/guides/build-sso-integration/openidconnect/main/) guides. +The guides within the Primer for OIN OpenID Connect section have been removed. Content for OIDC protocol requirements, multi-tenancy, and best practices have been updated and merged to the [Overview of Single Sign-On in the OIN](/docs/guides/oin-sso-overview/) and [Sign users in overview](/docs/guides/sign-in-overview/main/) guides. #### Bug fixed in 2023.07.0 diff --git a/packages/@okta/vuepress-site/docs/release-notes/2025-okta-identity-engine/index.md b/packages/@okta/vuepress-site/docs/release-notes/2025-okta-identity-engine/index.md index 3e5a0d794a9..1116887faec 100644 --- a/packages/@okta/vuepress-site/docs/release-notes/2025-okta-identity-engine/index.md +++ b/packages/@okta/vuepress-site/docs/release-notes/2025-okta-identity-engine/index.md 
@@ -842,7 +842,7 @@ Universal Logout (UL) in the Okta Integration Network Wizard allows you to build #### Web app integrations now mandate the use of the Authorization Code flow -To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See [Build a Single Sign-On (SSO) integration](https://developer.okta.com/docs/guides/build-sso-integration/openidconnect/main/#determine-the-oauth-2-0-flow-to-use). +To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See [OAuth 2.0 and OpenID Connect overview](https://developer.okta.com/docs/concepts/oauth-openid/). #### Developer documentation updates in 2025.08.0 diff --git a/packages/@okta/vuepress-site/docs/release-notes/2025/index.md b/packages/@okta/vuepress-site/docs/release-notes/2025/index.md index e60a94cf4b5..58457f3222c 100644 --- a/packages/@okta/vuepress-site/docs/release-notes/2025/index.md +++ b/packages/@okta/vuepress-site/docs/release-notes/2025/index.md @@ -453,7 +453,7 @@ Unified claims generation is a new streamlined interface for managing claims (OI #### Web app integrations now mandate the use of the Authorization Code flow -To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See [Build a Single Sign-On (SSO) integration](https://developer.okta.com/docs/guides/build-sso-integration/openidconnect/main/#determine-the-oauth-2-0-flow-to-use). +To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See [OAuth 2.0 and OpenID Connect overview](https://developer.okta.com/docs/concepts/oauth-openid/). #### Developer documentation updates in 2025.08.0 From a33bb2c15cead12bdc31923c30bca302ee953fb5 Mon Sep 17 00:00:00 2001 
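Review bot: Both hunks replace a deep link into "Determine the OAuth 2.0 flow to use" with the top of the OAuth 2.0 and OIDC overview, which does not itself state the OIN requirement; patch 2 added a note on that page pointing to `/docs/guides/submit-app-prereq/main/#oidc-oauth-2-0-integration-limitations`, which is where the Authorization Code requirement now lives, so link there directly instead of routing readers through two pages.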
From: Janu Geethakumari Date: Mon, 1 Jun 2026 14:10:47 -0400 Subject: [PATCH 8/9] Resolve conflicts --- packages/@okta/vuepress-site/archive/php/simplesamlphp/index.md | 2 +- packages/@okta/vuepress-site/conductor.yml | 2 +- .../create-an-app-integration/main/openidconnect/see-also.md | 2 +- .../vuepress-site/docs/guides/updating-saml-cert/main/index.md | 2 +- packages/@okta/vuepress-site/docs/release-notes/2023/index.md | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/packages/@okta/vuepress-site/archive/php/simplesamlphp/index.md b/packages/@okta/vuepress-site/archive/php/simplesamlphp/index.md index 1c77bc2df46..27494fc3930 100644 --- a/packages/@okta/vuepress-site/archive/php/simplesamlphp/index.md +++ b/packages/@okta/vuepress-site/archive/php/simplesamlphp/index.md @@ -23,7 +23,7 @@ If you're already familiar with Okta, you can skip to the section titled "Config Before you can configure the example application and SimpleSAMLphp you need to set up an Okta application icon that an Okta user selects to sign in to your to your application using SAML through SimpleSAMLphp. -To set up Okta to connect to your application, follow the guide to [Build a Single Sign-On integration](/docs/guides/sign-in-overview/main/). As you follow the instructions to [OIN submission requirements](/docs/guides/submit-app-prereq/main/#oin-wizard-requirements), there are two steps where you do things differently: +To set up Okta to connect to your application, follow the guide to [Build a Single Sign-On integration](/docs/guides/create-an-app-integration/saml2/main/). As you follow the instructions to [OIN submission requirements](/docs/guides/submit-app-prereq/main/#oin-wizard-requirements), there are two steps where you do things differently: * In step \#9: Use **SimpleSAMLphp Example** instead **Example SAML application**. * In step \#10: Instead of entering the URL: `http://example.com/saml/sso/example-okta-com` 
diff --git a/packages/@okta/vuepress-site/conductor.yml b/packages/@okta/vuepress-site/conductor.yml index 0161bb0b313..792f1e3a798 100644 --- a/packages/@okta/vuepress-site/conductor.yml +++ b/packages/@okta/vuepress-site/conductor.yml @@ -6110,7 +6110,7 @@ redirects: - from: /docs/guides/add-private-app/openidconnect/main to: /docs/guides/create-an-app-integration/openidconnect/main/ - from: /docs/guides/build-sso-integration/openidconnect/main/ - to: /docs/guides/sign-in-overview/main/ + to: /docs/guides/create-an-app-integration/openidconnect/main/ - from: /docs/guides/build-sso-integration/openidconnect/main/#deployment-models to: /docs/concepts/redirect-vs-embedded/ - from: /docs/guides/build-sso-integration/openidconnect/main/#overview diff --git a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/see-also.md b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/see-also.md index 7709c7be57e..9d46980b4c5 100644 --- a/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/see-also.md +++ b/packages/@okta/vuepress-site/docs/guides/create-an-app-integration/main/openidconnect/see-also.md @@ -1,2 +1,2 @@ -* See [Build a SSO integration](https://developer.okta.com/docs/guides/sign-in-overview/main/) for information on how to make your SSO app integration publish in the OIN. +* See [Build a SSO integration](https://developer.okta.com/docs/guides/create-an-app-integration/openidconnect/main/) for information on how to make your SSO app integration publish in the OIN. * See [Publish an OIN integration](https://developer.okta.com/docs/guides/submit-app-overview/) for information on submitting your integration for publication in the OIN. \ No newline at end of file diff --git a/packages/@okta/vuepress-site/docs/guides/updating-saml-cert/main/index.md b/packages/@okta/vuepress-site/docs/guides/updating-saml-cert/main/index.md index 4fd81bfce93..a6a944b7604 100644 
--- a/packages/@okta/vuepress-site/docs/guides/updating-saml-cert/main/index.md +++ b/packages/@okta/vuepress-site/docs/guides/updating-saml-cert/main/index.md @@ -300,4 +300,4 @@ Response: * [SAML overview](https://developer.okta.com/docs/concepts/saml/) * [SAML FAQ](https://developer.okta.com/docs/concepts/saml/faqs/) -* [Building a SAML SSO integration](https://developer.okta.com/docs/guides/sign-in-overview/main/) +* [Building a SAML SSO integration](https://developer.okta.com/docs/guides/create-an-app-integration/saml2/main/) diff --git a/packages/@okta/vuepress-site/docs/release-notes/2023/index.md b/packages/@okta/vuepress-site/docs/release-notes/2023/index.md index 44e4e07a93f..00f55f861e0 100644 --- a/packages/@okta/vuepress-site/docs/release-notes/2023/index.md +++ b/packages/@okta/vuepress-site/docs/release-notes/2023/index.md @@ -274,7 +274,7 @@ Okta ThreatInsight coverage is now available for core Okta API endpoints ([OIDC #### Developer documentation update in 2023.07.0 -The guides within the Primer for OIN OpenID Connect section have been removed. Content for OIDC protocol requirements, multi-tenancy, and best practices have been updated and merged to the [Overview of Single Sign-On in the OIN](/docs/guides/oin-sso-overview/) and [Sign users in overview](/docs/guides/sign-in-overview/main/) guides. +The guides within the Primer for OIN OpenID Connect section have been removed. Content for OIDC protocol requirements, multi-tenancy, and best practices have been updated and merged to the [Overview of Single Sign-On in the OIN](/docs/guides/oin-sso-overview/) and [Sign users in overview](/docs/guides/create-an-app-integration/openidconnect/main/) guides. #### Bug fixed in 2023.07.0 From 4e09985bd477a9392b0a9ef65f03dd8dbe622428 Mon Sep 17 00:00:00 2001 
From: Janu Geethakumari Date: Mon, 1 Jun 2026 15:49:41 -0400 Subject: [PATCH 9/9] Add OIDC customer org credentials section to multi-tenancy doc --- .../vuepress-site/docs/concepts/multi-tenancy/index.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/packages/@okta/vuepress-site/docs/concepts/multi-tenancy/index.md b/packages/@okta/vuepress-site/docs/concepts/multi-tenancy/index.md index 26bdf9caa1b..fa928a36e3e 100644 --- a/packages/@okta/vuepress-site/docs/concepts/multi-tenancy/index.md +++ b/packages/@okta/vuepress-site/docs/concepts/multi-tenancy/index.md 
@@ -56,6 +56,15 @@ SSO app integrations are multi-tenant by design. Each customer (the organization Because each org manages its own users, policies, and application access independently, a single app integration can serve multiple customers without their data or configurations affecting one another. +### OIDC customer org credentials +For OpenID Connect (OIDC) integrations, Okta uses a local credential system. When your customer adds your integration in their Okta org, they obtain a unique set of OIDC credentials. Each instance of your app integration inside a customer org has a separate set of OIDC client credentials that are used to access your app. + +This local credential approach differs from other IdPs that use a global credential system, where a given app has the same customer credentials across all orgs. + +See the [OIN multi-tenancy](/docs/guides/submit-app-prereq/main/#oin-multi-tenancy) requirement. + +You must track client credentials for each app integration instance for your app. For example, consider a scenario where your app integration is added to 10 separate customer orgs. Seven of those customers create a single instance of your app integration. However, the other three customers each create two separate instances of your app integration so they can use different configuration options. This scenario creates a total of 13 sets of client credentials for your app that you need to track. + ## Why would you want more than one tenant An organization can create a tenant for various reasons. For example
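Review bot: in the `docs/release-notes/2023/index.md` hunk of the earlier patch, the historical "Developer documentation update in 2023.07.0" note is retargeted to `/docs/guides/sign-in-overview/main/`, and PATCH 8/9 in this same series rewrites the same line again to `/docs/guides/create-an-app-integration/openidconnect/main/`; squash the two changes so the series does not carry an intermediate link target that is reverted a few commits later, and make sure the link text matches whichever destination survives.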
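Review bot: both 2025 release-notes hunks (`2025-okta-identity-engine/index.md` and `2025/index.md`) drop the `#determine-the-oauth-2-0-flow-to-use` anchor and send the reader to the top of the OAuth 2.0 and OpenID Connect overview. The note is specifically about the Authorization Code flow being mandatory and the Implicit flow no longer being recommended for web app integrations, so link to the section of the overview that covers choosing a flow (or the OIN-specific restrictions) rather than the page top, otherwise the reader has to search a long concept page for the one relevant paragraph.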
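Review bot: in the `archive/php/simplesamlphp/index.md` hunk, the guide link now points to `create-an-app-integration/saml2/main/`, but the two bullets that follow still say "In step \#9" and "In step \#10", which were numbered against the removed build-sso-integration guide; verify those step numbers against the new guide or reword the bullets to name the fields being changed instead of step numbers. Since this paragraph is being edited anyway, the surrounding "to your to your application" duplication and "instead **Example SAML application**" (missing "of") should be fixed in the same change.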
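Review bot: in the `create-an-app-integration/main/openidconnect/see-also.md` hunk, the link text "Build a SSO integration" no longer describes the destination (`create-an-app-integration/openidconnect/main/`), so rename it to match the target page's title; while rewriting the line, change "a SSO" to "an SSO" and "make your SSO app integration publish in the OIN" to "get your SSO app integration published in the OIN". The hunk also shows the file still ends without a trailing newline.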
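Review bot: in the PATCH 8/9 `docs/release-notes/2023/index.md` hunk, the link text "Sign users in overview" is kept while the URL is changed to `/docs/guides/create-an-app-integration/openidconnect/main/`, so the text now describes a different page than the one it opens; update the link text to the create-an-app-integration guide's title, as the `updating-saml-cert` hunk in the same patch does for its SAML link.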
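Review bot: in the `docs/concepts/multi-tenancy/index.md` hunk, "a separate set of OIDC client credentials that are used to access your app" reverses the direction of the credentials: the client ID and secret are what your app presents to the customer org's authorization server (for example, when exchanging an authorization code for tokens), not something used to access your app. Reword to "that your app uses to authenticate to that customer's Okta org". Two smaller points: "differs from other IdPs that use a global credential system" is an unqualified generalization and should read "some other IdPs", and the `### OIDC customer org credentials` heading needs a blank line after it to match the other headings in this file. The "you must track client credentials for each app integration instance" paragraph would also benefit from stating the consequence of per-instance credentials for operators: store and rotate each instance's secret separately, since a secret issued in one customer org is only valid for that instance.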