Okta SSO: Features, Pricing, and Integrations

What Is Okta SSO?

Okta provides a single sign-on (SSO) service that allows users to log in to different systems using a centralized process. In addition to SSO, it provides multiple other services such as Universal Directory, Identity Governance, Multi-factor Authentication, and Access Gateway.

Okta provides secure SSO access to hundreds of supported SaaS apps via the Okta Integration Network (OIN). OIN integrations often use OpenID Connect (OIDC) and SAML, but SWA or proprietary APIs can also be used for SSO. The vendor maintains all provisioning APIs and SSO protocols internally.

Okta SSO Features

Okta provides a standalone app that integrates with your organization’s systems to provide SSO. Users must first sign into Okta, and can then access other applications and services with their Okta credentials. Okta also supports user provisioning and deprovisioning for applications that expose their provisioning APIs.

Okta provides SSO access to applications in different ways:

  • Supports thousands of cloud-based apps through the Okta Integration Network (OIN). Okta integrates with these applications using OIDC, SAML, SWA, or proprietary SSO protocols.
  • Enables secure connections via federated SSO, using SAML, OIDC, or proprietary authentication protocols.
  • Enables SSO integration for web-based and traditional applications hosted on-premises. You can use SWA or SAML toolkits to integrate on-premises applications.
  • Provides SSO integration for mobile apps, including mobile web apps, native iOS apps, and native Android apps. You can connect these applications via OIDC, SAML, or SWA.

Okta SSO Pricing

Okta offers two plans for its SSO service:

  • Single Sign-On—$2 per user per month, including access to OIN, ThreatInsight, SSO for all types of applications including desktop, mobile, cloud, and on-premises, basic multi-factor authentication, third-party MFA integration, a login widget, and local language support.
  • Adaptive SSO—$5/month per user, including, in addition to standard SSO features, contextual access management, risk-based authentication and location, device and network analytics.

Okta also offers the following complementary services that can be used together with SSO:

  • Multi-Factor Authentication—$3 per month, including authentication factors like push notifications, text, universal second factors (U2F), and voice authentication.
  • Adaptive MFA—$6/user/month, provides contextual security that takes into account location (new city, state, country), network (new IP and assigned IP zone), device, and risk-based metrics.
  • Additional products such as Universal Catalog, Lifecycle Management, API Access Management, Advanced Server Access, and Access Gateway range from $2-15 per user per month.

Okta SSO Integrations

Here are some of the SSO protocols and standards supported by Okta SSO. 

To get a better understanding of SSO integrations, see our SSO authentication guide.

OIDC Application Integrations

The OpenID Connect (OIDC) protocol provides an SSO authentication layer based on the OAuth 2.0 protocol, which uses tokens to secure access. Okta can serve as a service provider (SP) or an identity provider (IdP) for OIDC authentication. Administrators can search for OIDC integrations in the Okta Integration Network (OIN) catalog and add them to the Okta end-user dashboard. 

Okta integrates with OIDC apps as an IdP, providing SSO functionality. The workflow is as follows:

  1. A user requests access to a SaaS app.
  2. The app redirects the user to Okta and requests a user session token.
  3. Okta authenticates the user with MFA and SSO.
  4. If authentication is successful, Okta provides an ID token with the user’s information.
  5. Okta grants the user access to the app.

Okta also serves as an SP, enabling SSO authentication using other solutions such as the Oracle and Tivoli access managers.

SAML Application Integrations

SAML (Security Assertion Markup Language) is an SSO protocol based on XML. Okta can serve as an SP or IdP for SAML authentication. SAML is the most popular protocol for SSO because it reduces an organization’s attack surface while improving the end-user experience.

When users sign in to applications with SAML, the IdP uses SAML assertions to vouch for the users. Often, users must pass MFA challenges to generate an assertion. SAML assertions are XML files with an authentication, attribute, or authorization statement. These statements provide details to verify users and their access level to the SP. SAML can authorize users for multiple access privileges.

Administrators can search for SAML integrations in the OIN and add them to the end-user dashboard. Okta integrates with SAML 2.0 apps as an IdP providing SSO and MFA functionality. The workflow is as follows:

  1. A user uses SAML SSO to access an Okta-protected app.
  2. A client application, acting as the SP, redirects the user to Okta for authentication, sending a SAML assertion to establish a user session.
  3. Okta authenticates the user.
  4. Okta sends an assertion back to the SP.
  5. The SP validates the assertion and grants access to the application.
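
Step 5 depends on the SP rejecting assertions that are well-formed but not meant for it. The following added example (not from this article or from Okta) checks issuer, validity window, audience, recipient and one-time use of InResponseTo on a constructed, unsigned assertion. It assumes a SAML library has already verified the XML signature; all entity IDs, URLs and IDs are placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion (entity IDs and request ID are placeholders).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42" NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="https://app.example.test/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.test/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in (value or "") else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value or "", fmt).replace(tzinfo=timezone.utc)

def check_assertion(xml_text, idp_issuer, sp_entity_id, acs_url, pending_requests, now):
    """Return the NameID if all checks pass; raise ValueError on a failed check."""
    # Assumes the XML signature was already verified against the IdP certificate.
    a = ET.fromstring(xml_text)
    if a.findtext("saml:Issuer", "", NS).strip() != idp_issuer:
        raise ValueError("unexpected issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter"))):
        raise ValueError("outside validity window")
    audiences = [(e.text or "").strip() for e in cond.iterfind(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:       # assertion issued for a different SP
        raise ValueError("audience mismatch")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or now >= ts(scd.get("NotOnOrAfter")):
        raise ValueError("bad subject confirmation")
    if scd.get("InResponseTo") not in pending_requests:
        raise ValueError("unsolicited or replayed response")
    pending_requests.discard(scd.get("InResponseTo"))  # each request ID is accepted once
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```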

WS-Fed Application Integrations

The XML-based WS-Fed (Web Services Federation) protocol is useful for SSO, especially for legacy Windows applications. Okta serves as the IdP or authorization server, enabling integration with WS-Fed apps. Administrators can search the OIN catalog for WS-Fed integrations and add them to the end-user dashboard. 

The workflow looks like this:

  1. A user requests access to an Okta-protected application using WS-Fed.
  2. A client app, acting as the SP, delegates the authentication process to Okta and sends a SAML assertion, establishing a user session.
  3. Okta authenticates the user with MFA and SSO. 
  4. Okta sends a WS-Fed assertion back to the SP. 
  5. The SP validates the assertion and grants access to the application.

SWA Application Integrations

SWA (Secure Web Authentication) is an SSO technology for web apps that lack support for federated protocols like SAML, OIDC, and WS-Fed. Admins and end-users can set credentials for an application in Okta, which stores them securely with AES-256 encryption. Once set up, end-users can directly sign in to the app via Okta. 

Unless an admin sets SWA credentials, Okta prompts the users to provide a username and password with the first sign-in. After the first successful sign-in, users can automatically sign in to the app by clicking on their dashboard’s integration icon. Administrators can search for SWA integrations in the OIN, add them to an organization, and assign them to end-users to create an SWA app integration icon on their dashboards. 

SCIM Application Integrations

SCIM, or System for Cross-Domain Identity Management, is a standard allowing administrators to manage end-user and group data. Okta integration automates user account and credential management. An admin can set up a SCIM integration to connect directly to the cloud or via an on-premise agent. 

SCIM is a protocol for provisioning (exchanging information about the user or group lifecycle). The Okta provisioning workflow relies on create, read, update, and de-provision operations. Okta records the events that affect a user’s lifecycle and modifies the application’s record accordingly.

Admins can search for provisioning integrations in the OIN and add them to the end-user dashboard as SCIM integration icons. The workflow is as follows:

  1. Okta sends a SCIM change to an application target.
  2. A SCIM-compliant app integration receives and processes Okta’s SCIM request.
  3. Okta updates the user’s profile in the User Directory.

Administrators can manage Okta provisioning for cloud apps by selecting SCIM integrations, allowing them to connect to Okta and use SCIM features such as password synchronization and profile attribute mapping. 
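
The receiving side of steps 1 and 2, as an added example that is not Okta's or any vendor's code: a toy in-memory SCIM 2.0 `/Users` target that handles create, read and a PatchOp deactivation. The `ScimTarget` class, its session store and `can_sign_in` are hypothetical; the point is that de-provisioning has to end live sessions and block sign-in, not only flip a flag.

```python
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ScimTarget:
    """Toy in-memory SCIM 2.0 /Users endpoint for an application (hypothetical)."""
    def __init__(self):
        self.users = {}     # id -> user resource
        self.sessions = {}  # id -> set of live session tokens

    def handle(self, method, path, body=None):
        """Process one provisioning request; return (HTTP status, resource)."""
        body = body or {}
        parts = path.strip("/").split("/")
        if parts[0] != "Users":
            return 404, {}
        if method == "POST" and len(parts) == 1:            # create
            if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
                return 400, {}
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return 409, {}                               # userName must stay unique
            uid = uuid.uuid4().hex
            self.users[uid] = {**body, "id": uid, "active": body.get("active", True)}
            return 201, self.users[uid]
        user = self.users.get(parts[1]) if len(parts) == 2 else None
        if user is None:
            return 404, {}
        if method == "GET":                                  # read
            return 200, user
        if method == "PATCH" and PATCH_SCHEMA in body.get("schemas", []):
            for op in body.get("Operations", []):
                if op.get("op", "").lower() == "replace" and isinstance(op.get("value"), dict):
                    # The server-assigned id is immutable; ignore attempts to change it.
                    user.update({k: v for k, v in op["value"].items() if k != "id"})
            if not user["active"]:
                self.sessions.pop(user["id"], None)          # de-provision: end live sessions
            return 200, user
        return 405, {}

    def can_sign_in(self, uid):
        """A deactivated or unknown account must not be able to authenticate."""
        return bool(self.users.get(uid, {}).get("active", False))
```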

SSO with Frontegg

Frontegg is revolutionizing the user management space with its self-served features that reduce stress on dev and support teams, eliminate in-app friction, and raise customer satisfaction levels – all effective revenue boosters. With Frontegg, you can integrate SSO with just a few lines of code before configuring it with the identity provider of your choice. For example, you can choose between SAML and OpenID.

The benefits don’t stop there. There is instant access to Audit Logs, something that also usually requires a lot of development resources. The customizable Login Box builder also takes care of most common front-end needs. All in all, Frontegg ticks all key boxes and provides end-to-end coverage for users looking to implement strong SSO flows in industry-leading times. Try it out for free now.