Use the configuration wizard to walk through the steps to customize your Okta URL domain.
On the Domain page of the configuration wizard, enter your subdomain name, for example,
login.example.com, and then click Next. Verifying domain ownership is the next step in the configuration wizard.
You need to add a DNS TXT record to your domain to verify ownership of your domain with Okta before Okta can serve traffic over it. This record includes the Okta-generated values provided in the Host and Data columns of the table on the Verify domain ownership page. Okta verifies that you own your domain when it finds the TXT record that contains the generated value.
Important: Depending on your registrar, you may only need to enter
_oktaverification.login.example.com. If your registrar doesn't support the value that you enter, verification fails and your custom URL domain configuration is incomplete.
Note: It may take up to 24 hours for your DNS changes to propagate. If your changes don't appear within 24 hours, return to this step and confirm your settings. Use a tool like Dig to check your DNS records.
If Verified appears, click Next. If an error occurs, the TXT record may not have propagated yet, or the values may have been copied and pasted incorrectly.
Uploading your TLS certificate is the next step in the configuration wizard.
Okta serves traffic over HTTPS (TLS) on your custom domain. Use this section to enter your TLS certificate, private key, and, if applicable, a certificate chain.
On the Certification page of the configuration wizard, paste your PEM-encoded public certificate for your subdomain in the Certificate field. Be sure to include the
-----BEGIN CERTIFICATE----- and the
-----END CERTIFICATE----- lines.
Paste your PEM-encoded private key for your subdomain in the Private Key field. Be sure to include the
-----BEGIN RSA PRIVATE KEY----- and
-----END RSA PRIVATE KEY----- lines.
We recommend that you enter a PEM-encoded certificate chain (if you have one) in the Certificate Chain field. Certificate chain files can contain keys that are up to 4096 bits. The order in which the root and intermediate certificates appear in the file matters: the intermediate CA certificate should be at the top and the root CA certificate at the bottom.
Note: Android devices require a certificate chain. You must provide a certificate chain if you want your custom domain to work with apps on Android. For a list of trusted root certificates on Android, see this article.
Click Next. Making your custom domain an alias for your Okta domain is the next step in the configuration wizard.
Before Okta can serve traffic over your domain, you need to add an alias from your custom domain to the Okta subdomain of your Okta organization. You do this by creating or modifying a CNAME record for your custom domain name.
Important: Depending on your registrar, you may only need to enter the subdomain part. For example, if you picked the subdomain
id.example.com, your registrar may only require you to create a CNAME record for the subdomain part (.example.com is implied). If you're not sure, check your registrar's documentation.
After the CNAME record is saved and confirmed by your registrar, you are done setting up a custom domain name for your Okta organization. Okta will begin to serve traffic over your custom domain. It may take a few minutes to propagate the changes.
Use the link that appears in the Confirmation section of the CNAME step to confirm that Okta is serving traffic over HTTPS (TLS) for your custom domain.
https://login.example.com. The Okta Sign-In page should appear.
It may take up to 48 hours for these changes to propagate. Warning notices may appear on your custom URL domain until propagation is finished. If your changes don't appear within 48 hours, return to the configuration wizard and confirm your settings.
You can also use a tool such as
nslookup to test and verify that DNS is properly configured for your domain.
In the terminal, use the following command:
dig login.mycompany.com or
Verify that the configured domain, for example,
org.Subdomain.customdomains.oktapreview.com appears in the answer section of the output.
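The answer-section check described above can be scripted. This is an added example, not part of the original page: a shell function that accepts a record only when it appears in the ANSWER SECTION of dig output, for either the CNAME or the TXT verification step. The function name answer_has, the embedded dig output and the TXT value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that a record appears in
# the ANSWER SECTION of dig output. Usage: dig NAME TYPE | answer_has NAME TYPE VALUE
answer_has() {
  awk -v name="$1" -v rtype="$2" -v want="$3" '
    # Drop TXT quotes and the trailing root dot; fold case only when asked.
    function norm(s, fold) {
      gsub(/"/, "", s); sub(/\.$/, "", s)
      return fold ? tolower(s) : s
    }
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    /^$/ || /^;/          { in_answer = 0; next }  # blank line or comment ends the section
    in_answer && norm($1, 1) == norm(name, 1) && $4 == rtype {
      data = $5
      for (i = 6; i <= NF; i++) data = data " " $i
      # DNS names compare case-insensitively; a TXT value must match exactly.
      if (norm(data, rtype != "TXT") == norm(want, rtype != "TXT")) found = 1
    }
    END { exit !found }
  '
}

# Constructed dig output for the CNAME step (sample values only).
sample_cname() {
  cat <<'EOF'
;; QUESTION SECTION:
;login.example.com.            IN      CNAME

;; ANSWER SECTION:
login.example.com.     300     IN      CNAME   org.subdomain.customdomains.oktapreview.com.

;; Query time: 12 msec
EOF
}

# Constructed dig output for the TXT step; the value is a placeholder.
sample_txt() {
  cat <<'EOF'
;; ANSWER SECTION:
_oktaverification.login.example.com. 300 IN TXT "PLACEHOLDER-okta-generated-value"

EOF
}

sample_cname | answer_has login.example.com CNAME org.Subdomain.customdomains.oktapreview.com \
  && echo "CNAME ok"
sample_txt | answer_has _oktaverification.login.example.com TXT PLACEHOLDER-okta-generated-value \
  && echo "TXT ok"
```

A non-zero exit status means the expected value is not in the answer section, which is what a stale cached record or a mistyped TXT value looks like.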
After you've changed your DNS records, old records may still be cached by DNS providers or your local machine. If you've verified that your records are correct, but your custom domain isn't working, you can flush the DNS cache.