Everything Okta SWA
Let's talk Secure Web Authentication in Okta SSO
What is SWA? Secure Web Authentication (SWA) is a form of authentication that provides single sign-on for apps that don't support proprietary federated sign-on methods or SAML. End users can enter their credentials for these apps on an application’s login page. These credentials are stored such that users can access their apps without entering their credentials each time.
SWA Authentication Diagram
- The user logs into Okta
- When the user successfully logs into Okta they will click on the SWA app chiclet assigned to them
- The App access request is sent to Okta
- Okta passes the user's credentials for that app to the login screen and access is granted
Okta Browser Plugin
For SWA applications the Okta Browser Plugin is required. This plugin enables you to gain quick access to your Okta integrated apps without a need to return to the end-user dashboard.
What is the OIN?
OIN, Okta Integration Network, is a list of pre-configured apps that are inside Okta and can be easily added. If a client’s app is not in the OIN, there are custom ways to add the app. If you look through the thousands of apps in the OIN you will see that every app can be a SWA app.
Okta Administration Perspective for SWA apps
The Okta Administrator has many options for configuring sign-in options. As an example, the administrator can make the SWA credentials match the Okta credentials so additional sign-ins are not required after authenticating with Okta.
Here is a list of the SWA options the Okta administrator can set:
- User sets username and password
- Administrator sets username and password
- Administrator sets username, user sets password
- Administrator sets username, password is the same as user's Okta password
- Users share a single username and password set by administrator
How can I set the usernames and passwords for a particular SWA app?
- Outside of Okta, access the downstream app you wish to assign
- Establish the username and password within the app
- Return to Okta and access or create the app in the OIN
- Choose the Sign On tab (or step) on the app page
Administrator sets username and password, and then click the
- Assign the app to users and assign their usernames and passwords
SWA End User Experience
Once the Okta Admin assigns an SWA app to a user, they will see that app as a chiclet in their Okta Dashboard. Selecting that app chiclet enables the end-user to set up and update their credentials for that application. Okta stores the end user's credentials in an encrypted format (AES encryption) using strong encryption, combined with a customer-specific private key. When end users click an application icon, Okta securely posts their credentials to the app login page over SSL, and the user is automatically signed into the application.
Common Misconceptions About SWA Apps
Does SWA automatically allow me to disable users?
No. Provisioning is not part of SWA. You will have to manually access the app to disable that user.
How do I configure a one-to-many user account using SWA?
Users share a single username and password set by administrator Select this option if you have a single app license or a single app account (such as Twitter) that will be shared by multiple people in your organization.
To set the shared credentials for a shared app, do the following:
Outside of Okta, access the downstream app you wish to assign. Establish the username and password within the app. Return to Okta and access or create the app in the OIN. Choose the Sign On tab (or step) on the app page. Choose Users share a single username and password set by the administrator, and then click Next. Assign the app to users.
Note: You can enable the Password reveal feature when this option is selected but it will only allow admins to reveal the shared password. End users cannot reveal shared passwords.
How can I check my SWA login credentials?
Inside the Okta End User Dashboard click on the gear icon on the top corner of the app chiclet. Click password reveal. Make sure your administrator permits you to do this.
Do SWA apps enforce login through Okta only?
No. With SWA apps you can also log in directly to the app login page.
SWA is an integral part of every Okta Deployment
Ironcove uses SWA strategically to help companies quickly achieve full Okta end-user adoption. Since every app can be SWA-enabled we like to start with SWA. Although SWA is not as secure as SAML, it is an important ingredient to a successful Okta deployment.
If you would like to learn more about SWA and Okta, give us a call 888-959-2825 and we would be happy to answer your questions.