Application Integrations Whitepaper
Unlike other identity management solutions, Okta is not simply a toolkit that you use to connect your web applications to your user directories. Instead, Okta "integrates" applications into its identity management service for you, and you simply deploy these pre-integrated applications to your users as necessary. You can authenticate these users against your own user store (e.g. Active Directory or LDAP) or you can use Okta as the user store. This document describes the various ways Okta integrates applications into its service.
Okta: Enterprise Identity, Delivered
Okta is an enterprise-grade identity management service, built from the ground up in the cloud and delivered with an unwavering focus on customer success. With Okta, IT can manage access across any application, person or device. Whether the people are employees, partners or customers, and whether the applications are in the cloud, on premises or on a mobile device, Okta helps IT become more secure, make people more productive, and maintain compliance.
Integrating Applications with the Okta Service
Unlike other identity management solutions, Okta is not simply a toolkit that you use to connect your web applications to your user directories; that approach takes too much of your time and resources. Instead, Okta "integrates" applications into its service for you, and you simply deploy these pre-integrated applications to your users as necessary. You can authenticate these users against your own user store (e.g. Active Directory or LDAP) or you can use Okta as the user store. Okta is unique in providing quick, feature-rich integrations with web-based and native mobile applications, whether these run in the cloud, on premises or on your smartphone or tablet. These integrations are delivered as a part of the Okta service and include both SSO and user management capabilities. This document describes the various ways Okta integrates applications into its service.
Okta: Managing Access across Any Application, Device or Person
Cloud, On-premises, and Mobile Applications
It is useful to start with a distinction between cloud, on-premises and mobile apps.
For typical cloud-based applications (e.g. Salesforce, Google Apps, Workday, etc.), the integrations are delivered as a part of Okta's Application Network. Administrators simply select from Okta's list of thousands of supported applications, answer a few basic questions in a wizard about their specific instance of the application (such as its URL and administrative IDs), and Okta handles the rest.
All technical details (such as the SSO protocol and the user management API implementation) are encapsulated in the service and continually maintained by Okta on your behalf. An integrated application may use a federation standard such as SAML or OpenID, it may use a proprietary API, or it may use Okta's Secure Web Authentication (SWA), which is Okta's own form-based sign-in mechanism rather than a federation standard.
Many of the most popular on-premises web-based applications (Oracle Apps, Lawson, Jira, etc.) are also included in the Okta Application Network. For custom-developed on-premises web applications, Okta provides a range of integration options as well: Secure Web Authentication can be added for SSO with little effort, Okta's SAML toolkits can be used to SAML-enable your own applications, and Okta supports provisioning and deprovisioning into any application that exposes a public user management API.
Okta also provides easy access to mobile enterprise applications from any device. Whether your enterprise apps are HTML5 web apps optimised for mobile platforms or native iOS or Android apps, Okta has a solution. Any web application in the Okta Application Network can be accessed with single sign-on from any mobile device. Mobile web apps can use industry-standard SAML, or they can use Okta's Secure Web Authentication SSO technology. Native applications like Box Mobile can be integrated using SAML authentication for the initial registration and OAuth tokens for ongoing use.
Single Sign-On to ANY Application
Okta creates a seamless user experience by providing single sign-on to ALL of the web and mobile applications users need. Users log in once and can then launch each application without having to re-enter credentials. It is important to note that this SSO experience only works well when ALL applications are covered; if some applications cannot be supported then it is not truly single sign-on. For this reason, Okta employs several methods to enable SSO into different web applications.
Okta first establishes a securely authenticated session with the user's browser. Once this session has been established, Okta can authenticate the user to any connected application using one of two SSO integration methods. An integration can be federated, meaning the application trusts a signed assertion or token from Okta (SAML or another federated authentication protocol), or it can use Okta's Secure Web Authentication (SWA), which performs a secure, form-driven post of the user's stored credentials to the application's own login page, signing the user in automatically on their behalf. The two differ in where the credential lives: with SWA the application still holds a password for each user, which Okta replays into the login form; with a federated integration the application never sees a password at all, so there is no application-side password to phish, reuse or rotate.
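The federated path only removes the application-side password if the application (the SAML service provider) actually validates what it receives. The following is an added example, not Okta's code or any Okta SDK, showing the checks a service provider must make on a SAML 2.0 Response after an XML-DSig library (for example xmlsec) has verified the identity provider's signature: destination, InResponseTo, status, a single assertion, issuer, time window, audience, bearer subject confirmation, and one-time consumption of the request ID. The entity IDs, URLs, request ID and the sample response are all constructed for the example; signature verification itself is assumed to have already passed and is not implemented here.

```python
# Added example (not Okta's code): SP-side validation of a SAML 2.0 Response.
# Assumes the XML signature was already verified by an XML-DSig library.
# All names, URLs and the sample XML below are constructed for illustration.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample of what an IdP would POST to the SP's assertion consumer
# service (ACS) URL. The ds:Signature element is omitted (assumed verified).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2014-01-01T12:00:00Z" Destination="https://sp.example.com/saml/acs"
  InResponseTo="_req42">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2014-01-01T12:05:00Z"
          Recipient="https://sp.example.com/saml/acs" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-01-01T11:59:00Z" NotOnOrAfter="2014-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

SAMPLE_NOW = datetime(2014, 1, 1, 12, 1, tzinfo=timezone.utc)   # inside the validity window
LATE_NOW = datetime(2014, 1, 1, 12, 30, tzinfo=timezone.utc)    # after NotOnOrAfter


class SamlValidationError(Exception):
    pass


def _ts(value):
    """Parse a SAML UTC timestamp such as 2014-01-01T12:00:00Z into an aware datetime."""
    if not value or not value.endswith("Z"):
        raise SamlValidationError("timestamp missing or not UTC")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def validate_response(xml_text, *, expected_issuer, sp_entity_id, acs_url,
                      outstanding_request_ids, now, skew=timedelta(seconds=60)):
    """Return the authenticated NameID, or raise SamlValidationError.

    outstanding_request_ids is the SP's set of AuthnRequest IDs it issued and has
    not yet consumed; the matching ID is removed on success so a captured
    response cannot be replayed. `now` is injected so the check is deterministic.
    """
    root = ET.fromstring(xml_text)  # in production parse with defusedxml
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")
    if root.get("Destination") != acs_url:
        raise SamlValidationError("Destination is not our ACS URL")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_request_ids:
        raise SamlValidationError("InResponseTo does not match an outstanding request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # a second, unsigned assertion is a classic smuggling trick
        raise SamlValidationError("expected exactly one Assertion")
    a = assertions[0]
    for issuer in (root.findtext("saml:Issuer", namespaces=NS), a.findtext("saml:Issuer", namespaces=NS)):
        if issuer != expected_issuer:
            raise SamlValidationError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    if now + skew < _ts(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlValidationError("assertion not addressed to this SP")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = None if sc is None else sc.find("saml:SubjectConfirmationData", NS)
    if sc is None or scd is None or sc.get("Method") != BEARER:
        raise SamlValidationError("missing bearer SubjectConfirmation")
    if scd.get("Recipient") != acs_url or scd.get("InResponseTo") != in_response_to:
        raise SamlValidationError("SubjectConfirmationData does not match this exchange")
    if now - skew >= _ts(scd.get("NotOnOrAfter")):
        raise SamlValidationError("SubjectConfirmationData expired")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlValidationError("missing NameID")
    outstanding_request_ids.discard(in_response_to)  # consume: one response per request
    return name_id


def try_validate(xml_text, **kwargs):
    """Wrapper returning (True, name_id) on success or (False, reason) on rejection."""
    try:
        return True, validate_response(xml_text, **kwargs)
    except SamlValidationError as e:
        return False, str(e)
```

Run with `now=SAMPLE_NOW` and an outstanding set containing `_req42`, the sample response yields `alice@example.com`; presenting the same response a second time is rejected because the request ID was consumed, and presenting it at `LATE_NOW` is rejected as expired. A real SP performs these checks on every assertion, on top of the signature check, before creating its own session.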
Standards based SSO
There are multiple standards-based ways to do SSO. Because Okta is a cloud service, it can add support for any standard as it emerges; it is not forced to choose one standard over another.
Okta supports numerous federated SSO protocols including standards su