On this page
Sign users in through your web app
Integrate Okta with your customer portal to manage user authentication directly through its web interface.
Introduction
You've built a web-based interface to your customer portal. Now you want to add identity-related features like how to verify user identities, configure a sign-in form to control app access, and define authentication policies.
Learn
Learn the basics that you need to lay the foundations for your work:
- An Okta org serves as your central Okta development hub, encapsulating all configurations, users, groups, policies, and other objects that your app uses.
- Identity Engine is the core server that verifies your users' identities.
Build
To add identity-related features to your customer portal, start by creating an Okta account and org, and then set up the org. Also, connect your app to Okta and add basic user authentication and user session management.
Set up your account
Sign up for an Okta account, and then set up your new Okta org to test web apps:
Consider how your users sign in when they access your portal before designing your sign-in form.
Okta provides three preset authentication policies (opens new window) that allow you to control who can access your app and how:
- Password only
- Multifactor authentication means that users must verify their identity in two or more ways to identify themselves. For example, the policy might require the user to enter both a password and a code sent to an email.
- Password optional is another authentication policy concept where users don’t need to use a password to sign in.
Add a way for users to sign in
To keep it simple, Okta suggests initiating the sign-in process when a user accesses your app. This is often referred to as a "federation model." The app then triggers the sign-in flow with all the necessary context.
The Okta platform offers various deployment models to integrate a sign-in form into your portal, using the app as the point of entry:
- Learn about the options for sign-in form deployment models.
- Choose the deployment model that best suits your scenario.
The Okta-hosted way
The Okta-recommended way to sign users in to your web portal is to redirect them to an Okta-hosted sign-in page. This page displays the Okta Sign-In Widget, which you can customize to reflect your brand.
Learn about customizing the Okta Sign-In Widget:
- Learn about the Okta Sign-In Widget.
- Sign users into your portal by redirecting them to an Okta sign-in page (SPA).
The self-hosted way
The alternative is to build a custom sign-in form in your portal. Then, use direct authentication to connect to Okta and to perform the sign-in flow:
- Learn about Direct Authentication.
- Add multifactor authentication using a password and OTP.
- Add phone authentication.
- Add Okta Verify Push authentication.
Maintain a user session
After a user signs in, Okta sends your app a set of tokens to identify the user. The tokens grant them access to their profile and other resources. The tokens also keep them signed in if they are away from the app too long.
Learn about tokens, claims, and managing user credentials:
- Understand the token lifecycle (exchange, refresh, revoke).
- Learn about OAuth 2.0 claims.
- Learn about authorization servers, the component of Identity Engine that mints tokens and enforces access policies.
- Manage user credentials (secure token storage and retrieval).
Add a way for users to sign out
How a user signs out of an app and what happens next is as important as how they sign in. What happens when they click the sign-out button? What will they see when they return to an app after their session has timed out? See Add a sign-out experience (Sign a user out of a SPA).
Go further
Congratulations, your portal now signs users in and out. There are many ways to expand and customize the basic functionality that you've implemented so far.
See advanced secure mechanisms like Demonstrating Proof of Possession (DPoP) and step-up authentication.
Go deeper into the protocols underlying the sign-in process:
