Integrating your internal applications with Okta is a powerful way to centralize access, enhance security, and streamline user management for your organization. As an Okta customer, adding an internal app involves a structured process, primarily leveraging Okta's robust application integration capabilities, often through standards like SAML (Security Assertion Markup Language) or OIDC (OpenID Connect).
Why Integrate Internal Apps with Okta?
Integrating your proprietary internal applications with Okta provides numerous benefits:
- Single Sign-On (SSO): Users can access internal tools with their existing Okta credentials, eliminating password fatigue and improving the user experience.
- Enhanced Security: Centralized authentication and authorization reduce the attack surface and allow for consistent security policies, including multi-factor authentication (MFA).
- Centralized User Management: Lifecycle management features automate user provisioning and deprovisioning, ensuring only authorized personnel have access.
- Auditing and Reporting: Okta provides detailed logs for all application access, aiding compliance and security monitoring.
- Simplified Access: A unified dashboard allows users to find and access all their applications easily.
Prerequisites for Adding an Internal Application
Before you begin, ensure you have:
- Okta Administrator Access: You'll need appropriate permissions in your Okta tenant to create and configure applications.
- Understanding of Your App's Authentication Needs: Know what authentication method your internal application supports (e.g., SAML 2.0, OpenID Connect, header-based, SWA/Bookmark). SAML 2.0 and OIDC are both federated protocols: the application receives a signed assertion or token from Okta and never handles the user's Okta password. SAML 2.0 is the common choice for existing enterprise web applications; OIDC is usually the better fit for new development, single-page apps and APIs. SWA (Okta fills in a stored password) and Bookmark (a plain link) give users a dashboard tile but no real SSO, so use them only when the application cannot be changed.
- Application Details: Gather necessary URLs, attribute requirements, and any specific configuration parameters from your internal app's documentation or development team.
Step-by-Step Guide to Adding Your Internal Application
Follow these steps to integrate your custom internal application with Okta:
1. Initiate the Application Integration in Okta
- Log in to your Okta Admin Console.
- Navigate to Applications > Applications.
- Click the "Create App Integration" button.
2. Choose the Right Integration Type
When prompted, select the sign-in method that your internal application supports. For existing internal enterprise web applications this is usually SAML 2.0; choose OIDC for new applications and APIs. Either is a federated protocol in which the application trusts a signed assertion or token from Okta instead of handling passwords, which is what makes both preferable to SWA.
- Select SAML 2.0 (or OIDC/SWA if applicable).
- Click "Next."
You will then be asked about the nature of the application. Here, you'll indicate that you are an Okta customer adding an internal app.
3. Configure General Settings and Application Details
Provide essential information about your application:
- App Name: Enter a descriptive name for your internal application (e.g., "Internal CRM," "Project Management Tool").
- App Logo (Optional): Upload a logo for easy identification in the Okta dashboard.
- App Visibility: Configure whether the app icon is shown to users or hidden. Hide it for applications that only support SP-initiated sign-in (clicking a dashboard tile would start an IdP-initiated flow the application rejects) or that users never open directly.
- Specify the application type by selecting "This is an internal app that we have created."
  - Note: If the application is really a commercial product that your organization hosts, check the Okta Integration Network first; a vendor-published integration already carries the vendor's SAML settings and is maintained by the vendor. For an application your own team built, "This is an internal app that we have created" is the correct path.
- Click "Next."
4. Configure SAML Settings (Example for SAML 2.0)
This is a critical step where you'll define how Okta communicates with your internal application. You'll need specific information from your internal application's SAML documentation or development team.
- SAML Settings:
  - Single Sign On URL: The HTTPS URL where your application expects to receive the SAML assertion from Okta (often called the Assertion Consumer Service URL or Reply URL). By default Okta also uses this value as the Recipient URL and Destination URL, so your application should expect all three to match.
  - Audience URI (SP Entity ID): A unique identifier for your application within the SAML exchange. Okta places it in the assertion's AudienceRestriction, and your application must compare it exactly, including scheme and any trailing slash.
  - Name ID Format: Specifies the format of the username sent in the SAML assertion (e.g., EmailAddress, Unspecified, Persistent).
  - Application Username: Determines which Okta attribute maps to the username expected by your application (e.g., Okta username, Okta email).
  - Attribute Statements: Add any additional user attributes (e.g., first name, last name, department, custom attributes) that your application needs from Okta. Map these to the corresponding Okta user profile attributes, and use exactly the attribute names (and case) your application reads.
  - Signing: Under "Show Advanced Settings", leave the response and assertion signed with RSA-SHA256 (the default). There is no reason for an internal application to accept anything weaker.
- Provide Okta Metadata to Your Application: After configuring these settings in Okta, you'll be able to download the Okta Identity Provider (IdP) metadata (XML file) or view the necessary values (e.g., IdP Single Sign-On URL, IdP Issuer, X.509 Certificate). Configure these in your internal application so that it trusts Okta, and only Okta, as the identity provider: the application must reject any assertion not signed by that certificate. Okta's signing certificate will eventually be rotated, so plan for the application to trust the new certificate before the old one is retired.
Key SAML Configuration Fields
| Okta Field | Description | Source (Typically) |
|---|---|---|
| Single Sign On URL | The URL where your application receives the SAML assertion. | Your internal application |
| Audience URI | Unique identifier for your application (SP Entity ID). | Your internal application |
| Name ID Format | Format of the username sent in the assertion. | Your internal application |
| Application Username | Okta attribute mapped to your app's username. | Okta profile / your application |
| Attribute Statements | Additional user profile attributes passed to your app. | Okta profile / your application |
5. Assign Users and Groups
Once the SAML settings are configured, you need to assign the users or groups who should have access to this application. Prefer group assignments over individual ones: access then follows group membership, so removing a user from the group (or deprovisioning them) revokes access without anyone having to remember every application they were added to.
- Go to the "Assignments" tab for your newly created application.
- Click "Assign" and choose "Assign to People" or "Assign to Groups."
- Select the desired users or groups and click "Done."
6. Finalize the Integration
Review all your settings to ensure accuracy. When you are satisfied with the configuration, click "Finish."
Important Considerations for Internal Apps
- Thorough Testing: Always test the integration with a small group of users before rolling it out widely. Verify that users can sign in (from the Okta dashboard and, if the application supports it, by starting at the application), that attributes are mapped correctly, that access policies and MFA are enforced, and that a user removed from the assignment is actually refused.
- Documentation: Maintain clear documentation for your internal application's Okta integration, including all configuration parameters, attribute mappings, the certificate rotation procedure, and troubleshooting steps.
- Security Best Practices: The SAML settings only protect you if the application enforces them. After verifying the XML signature against Okta's certificate, the application must check that the Audience matches its SP Entity ID, that the Recipient and Destination match its Single Sign On URL, that the NotBefore/NotOnOrAfter window contains the current time, that InResponseTo matches a request it issued (for SP-initiated sign-in), and that it has not already consumed the assertion ID. Serve the ACS endpoint over HTTPS only, and treat the assertion as authentication, not authorization: decide what the user may do inside the application from the groups or attributes you mapped, not from the mere fact that a valid assertion arrived.
Troubleshooting Common Issues
- SAML Assertion Errors: Check the Okta System Log (Reports > System Log) for the failed sign-in event, and use "Preview SAML" on the application's Sign On tab to see exactly what Okta will send. Verify that the Single Sign-On URL, Audience URI, and Name ID format in both Okta and your application match exactly; a trailing slash or an http/https difference is enough to fail the Audience or Recipient check.
- Attribute Mismatches: Ensure that the attribute names and values sent from Okta match what your application expects. Attribute names are case-sensitive, and some applications also require a specific Name Format.
- Access Denied: Confirm that users and groups are correctly assigned to the application in Okta and that no authentication policy (for example, an MFA or device requirement the user cannot satisfy) is blocking the sign-in.
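What "validating SAML assertions" from the Security Best Practices above means in code, and where the mismatches listed under Troubleshooting actually surface, as an added example that is not the page's or Okta's code: the checks an internal application should run on the SAML Response Okta posts to its Single Sign On URL, after an XML-DSig library (for example python3-saml or signxml) has verified the signature. The example uses only the Python standard library, a constructed sample response for a hypothetical internal CRM (hostnames, IDs and the user are placeholders), and deliberately stops short of signature verification, which must happen first.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

class SamlValidationError(Exception):
    pass

@dataclass
class SpExpectations:
    acs_url: str          # Single Sign On URL as configured in Okta
    sp_entity_id: str     # Audience URI as configured in Okta
    idp_issuer: str       # IdP Issuer from Okta's metadata
    request_id: str = ""  # ID of our AuthnRequest; empty for IdP-initiated sign-in
    clock_skew: timedelta = timedelta(seconds=60)
    seen_ids: set = field(default_factory=set)  # replay cache; use a shared store in production

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML timestamps are UTC

def validate_response(xml_text: str, sp: SpExpectations, now: datetime) -> dict:
    """Return the authenticated subject or raise SamlValidationError naming the failed check.
    Precondition, NOT done here: an XML-DSig library already verified the signature against Okta's cert."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if root.tag != f"{{{NS['samlp']}}}Response" or code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("not a successful samlp:Response")
    if root.get("Destination") not in (None, sp.acs_url):
        raise SamlValidationError(f"Destination {root.get('Destination')!r} != ACS URL {sp.acs_url!r}")
    # Exactly one Assertion, as a direct child: extra or nested copies are the signature-wrapping trick
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1 or assertions[0] not in list(root):
        raise SamlValidationError("expected exactly one top-level Assertion")
    a = assertions[0]
    if any(el.findtext("saml:Issuer", namespaces=NS) != sp.idp_issuer for el in (root, a)):
        raise SamlValidationError(f"Issuer != expected IdP Issuer {sp.idp_issuer!r}")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("Assertion has no Conditions")
    if cond.get("NotBefore") and now + sp.clock_skew < _ts(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid (NotBefore)")
    if cond.get("NotOnOrAfter") and now - sp.clock_skew >= _ts(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired (NotOnOrAfter)")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp.sp_entity_id not in audiences:
        raise SamlValidationError(f"Audience {audiences} does not include {sp.sp_entity_id!r}")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp.acs_url:
        raise SamlValidationError(f"SubjectConfirmationData Recipient != ACS URL {sp.acs_url!r}")
    if sp.request_id and scd.get("InResponseTo") != sp.request_id:
        raise SamlValidationError("InResponseTo does not match our AuthnRequest")
    if not a.get("ID") or a.get("ID") in sp.seen_ids:
        raise SamlValidationError("assertion ID missing or already consumed (replay)")
    sp.seen_ids.add(a.get("ID"))
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}

def check(xml_text: str, sp: SpExpectations, now: datetime) -> tuple:
    """Troubleshooting wrapper: ('ok', subject) or ('error', which check failed)."""
    try:
        return "ok", validate_response(xml_text, sp, now)
    except SamlValidationError as exc:
        return "error", str(exc)

# Constructed sample of what Okta POSTs to the ACS URL. The Signature element is
# omitted: a real response carries one, and the precondition above covers it.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-resp-1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z" InResponseTo="id-req-1" Destination="https://crm.internal.example.com/saml/acs">
 <saml:Issuer>http://www.okta.com/exk000000000000000</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="id-assert-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>http://www.okta.com/exk000000000000000</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://crm.internal.example.com/saml/acs" NotOnOrAfter="2024-05-01T12:05:00Z" InResponseTo="id-req-1"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://crm.internal.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="department"><saml:AttributeValue>Security</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)

def sample_sp() -> SpExpectations:  # expectations matching the constructed sample (hypothetical CRM)
    return SpExpectations(acs_url="https://crm.internal.example.com/saml/acs", sp_entity_id="https://crm.internal.example.com",
                          idp_issuer="http://www.okta.com/exk000000000000000", request_id="id-req-1")

if __name__ == "__main__":
    print(check(SAMPLE_RESPONSE, sample_sp(), SAMPLE_NOW))
    typo = sample_sp(); typo.sp_entity_id = "https://crm.example.com"  # Audience URI mismatch, a common failure
    print(check(SAMPLE_RESPONSE, typo, SAMPLE_NOW))
```

Run as a script it prints the success case followed by an Audience URI mismatch; the error string names the single check that failed, which is the first thing to compare against the Okta System Log entry and the "Preview SAML" output. The replay cache in `seen_ids` is per-process here; a real deployment shares it across workers and expires entries at the assertion's NotOnOrAfter.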
By following these steps, you can effectively add and manage your internal applications within your Okta environment, enhancing both security and user experience.