Create an app integration

This guide explains what an app integration is, why you need one, and how to create one.

---

Learning outcomes

• Learn about app integrations in Okta.
• Learn how to create the app integration.
• Learn how to test your sso integration in your okta org.

What you need

• An Okta Integrator Free Plan org (opens new window).
• An admin user in the Integrator Free Plan org with either the super admin or the app and org admin roles.
• A functional SSO integration created in accordance with the Build a Single Sign-On integration guide.

---

About app integration

App integrations in Okta connect your Okta org to external apps and services. These integrations support several protocols that allow you to manage user access, authentication, and provisioning from a single or centralized platform.

With app integrations, you can:

• Provide users with secure, seamless Single Sign-On (SSO) (opens new window) access to their apps.
• Automate user provisioning and deprovisioning using protocols like System for Cross-domain Identity Management (SCIM) (opens new window).
• Centralize access management and enforce security policies across all connected apps.
• Monitor and report on app usage and user activity.

App integrations can be:

• Prebuilt: These are existing integrations available in the Okta Integration Network (OIN) (opens new window), these integrations are tested and validated by Okta.
• Custom: Created by admins or developers for internal or specialized use cases. Custom integrations can be built using the App Integration Wizard (AIW), templates, or bookmarks.
• API Service (opens new window): These integrations allow third-party apps to access the Core Okta API (opens new window) using OAuth 2.0.

The following table summarizes the key differences:

Feature	Prebuilt/existing integration	Custom integration	API Service integration
Definition	Integrations that are listed in the OIN app catalog (opens new window)	Integrations that are created within the Okta org for internal use	Integrations that have access to the Core Okta API using OAuth 2.0.
Benefit	Provides broad visibility and seamless onboarding	Ideal for prototyping or niche use cases	Secure access to Okta APIs without user interaction
Protocols supported	OIDC, SAML, SWA, WS-Fed, SCIM	OIDC, SAML, SWA, SCIM	OAuth 2.0
Security validation	Reviewed and tested by Okta	No external validation. Handled by the org admin or the developer.	OAuth-based flow with limited scopes and tokens
Discoverability	Listed in the public OIN app catalog	Only visible in the org	Not visible to end users
Use case	Public SaaS apps	Internal apps	User sync, backend microservices

Supported protocols

Okta app integrations support standard protocols for both SSO and automated user provisioning:

• OpenID Connect (OIDC) (opens new window): Authentication protocol based on OAuth 2.0, which enables secure SSO and supports advanced security features.
• Security Assertion Markup Language (SAML) (opens new window): An XML-based protocol for exchanging authentication and authorization data between Okta and external apps.
• Secure Web Authentication (SWA) (opens new window): A form-based authentication method that allows Okta to securely store and submit user credentials for apps that don’t support federated SSO.
• Web Services Federation (WS-Fed) (opens new window): A protocol primarily used by Microsoft apps for federated identity and SSO.
• SCIM (opens new window): A standard protocol for automating the exchange of user identity information, enabling automated user provisioning and deprovisioning between Okta and external apps.

These protocols allow you to provide secure, seamless access and automated user management for a wide range of apps and services.

How to create an app integration

You can add either a prebuilt app integration from the OIN or create a custom app integration based on your org’s needs.

Add a prebuilt/existing app integration

1. Sign in to the Admin Console.
   1. Sign in to your Okta org (opens new window).
   2. Click Admin in the upper-right corner of the page.
2. Go to Applications > Applications.
3. Click Browse App Catalog.
4. Search for the app integration you require. To search, perform one of these two options:
   • Type the app integration name in the Search bar. Select it from the dropdown or click See All Results to have everything displayed as tiles in the main panel. Click the tile to view its details.
   • Choose a Use Case and optional filters such as Functionality or Industry to filter the results. When you find the app integration you want, click it to view more details on the details page.
5. Determine if this is the correct app integration for your needs. The details page provides a detailed description of the app integration, its use case, and supported functionality.
6. Select the app from the catalog and click Add Integration.
7. Enter the required information under General Settings, and then click Next.
8. Select one of the sign-on methods on the Sign-On Options page. The sign-on options available depend on the access protocols supported by the app integration. See Configure SSO options (opens new window).

   Note: For SWA app integrations, you can't configure the sign-on options when Sync Password is configured as a provisioning option.

9. Select a username format in the Application username format dropdown. This format is the default username value when assigning the app integration to users.

   Note: If you select None and the app integration has password or profile push provisioning features, then Okta prompts you to enter the username manually when you assign the app integration.

10. Select a setting from the Update application username on dropdown list. This setting controls how you want the app integration to handle any updates to the user's Okta username.
11. Select Password reveal if you want your end users to see the password used to connect to the external app. See Reveal the password of an app integration (opens new window).
12. Click Done.

Okta adds an instance of the app integration to your org, and you can now assign it to your end users. See Assign app integrations (opens new window). If you need to update the settings for your app integration, including changing sign-in options, see Configure settings for app integrations (opens new window).

Create a custom app integration

You can add an app integration that doesn't exist in the OIN, using the App Integration Wizard (AIW). The wizard allows you to create a custom app integration for your app and connect Okta with your SAML, OIDC, SWA, or SCIM app. You can also add SCIM provisioning to a custom app integration.

Note: As a best practice, create two or three extra admin users in your Okta org to manage the integration. This ensures that your team can access the integration for updates in the future.

1. Open the Admin Console for your org.
2. Go to Applications > Applications.
3. Click Create App Integration.
4. Select the required integration type in the Sign in Method section.

5. Ensure that you have the following integration settings ready:

   • App name
   • App’s login page URL
   • Credential settings

6. To build and finalize your implementation settings details, see: Create SWA app integrations (opens new window).

Note: This custom integration is only visible within your Okta org. To modify settings after creation, click Edit on the main app page. To configure your SP app, copy the Metadata URL from the Sign On tab, or click More details to manually copy individual URLs and certificates. To make your app publicly available later, see Publish an OIN integration.

Create an API Service Integration

You can also add any API service integration listed in the OIN catalog with their Okta tenant org. See API Service Integrations (opens new window).

To build, test, and submit your API service integration to the OIN catalog. See Build an API service integration (opens new window).

Test Your Integrations

Once your app is set up:

1. Assign users:

   a. Click the Assignments tab.

   b. Click Assign and then select either Assign to People or Assign to Groups.

   c. Enter the appropriate people or groups that you want to have SSO into your app, click Assign for each, verify user attributes, and select Save and Go Back.

   d. Click Done.

2. Test SSO: Sign in to the Okta End-User Dashboard as a test user and click the app tile.

   Note:. This step applies only to SSO (OIDC or SAML) integrations.

3. Verify redirection: Ensure that the app-initiated flow correctly redirects back from the Okta sign-in page to your app.

4. Troubleshoot: If issues occur, navigate to Reports > System Log to examine failure messages or 4XX status codes. You can also post your questions on the Okta Developer Forum (opens new window).

See also

See Publish an OIN integration (opens new window) for information on submitting your integration for publication in the OIN.