Okta

Okta is an enterprise identity and access management platform used for SSO, MFA, and user lifecycle management. Scripts and redirects handle authentication flows that validate user identity against Okta's identity provider before granting access to applications. Widely deployed in B2B SaaS and enterprise software products.

Overview

Okta is the leading cloud-native enterprise identity platform, providing single sign-on, multi-factor authentication, lifecycle management, and API access management for thousands of organizations worldwide. It operates as a standalone identity provider (IdP) that federates authentication across cloud and on-premises applications.

What This Script Does

Okta's browser-side behavior centers on authentication flows, session management, and the Okta Sign-In Widget — a JavaScript SDK that renders login forms and handles credential submission client-side before redirecting to the target application.

Session Cookies

  • sid — First-party session cookie scoped to the Okta domain (e.g., company.okta.com). Stores the authenticated session identifier. Persists for the duration of the SSO session (typically 8–24 hours depending on policy). HTTP-only, Secure.
  • oktaStateToken — Short-lived token cookie used during the authentication flow to maintain state between steps (username entry, MFA challenge, etc.). Expires on flow completion.
  • DT — Device trust cookie used by Okta FastPass and device assurance policies to identify recognized devices. Persists for up to 1 year.

Script Files Loaded

  • okta-sign-in.min.js — The Okta Sign-In Widget, loaded from the organization's Okta subdomain or from a CDN path under global.oktacdn.com. Handles credential entry, MFA prompts, and social login buttons.
  • The Okta Auth SDK may also load polyfills and locale bundles from global.oktacdn.com.

Domains Contacted

  • {tenant}.okta.com or {tenant}.okta-emea.com — Primary IdP domain handling authentication API calls (/api/v1/authn, /oauth2/v1/authorize, /oauth2/v1/token).
  • global.oktacdn.com — CDN delivering the Sign-In Widget JavaScript and CSS.
  • login.okta.com — Used for identity-first flows and Okta's hosted sign-in pages.

Data Collected Per Interaction

  • Username and password (submitted over TLS to Okta's authentication API)
  • MFA responses (TOTP codes, push notification confirmations, WebAuthn assertions)
  • IP address and user-agent (captured server-side for login risk assessment)
  • Device fingerprint (for Okta ThreatInsight and device trust policies)
  • Session state tokens passed between authentication steps

SSO and OIDC/SAML Flows

Okta handles the full SAML 2.0 and OpenID Connect (OIDC) flow. For SAML, it issues signed XML assertions. For OIDC, it returns authorization codes that are exchanged for access and ID tokens. Redirects are managed via browser-based HTTP 302 redirects to the callback URL registered on the application.

Lifecycle Management

When embedded on IT portals or admin pages, Okta scripts may also render the Okta End-User Dashboard for app launching, password management, and device enrollment.

Consent & Compliance

Consent category: Essential / Functional

  • GDPR/ePrivacy: Exempt from consent. Authentication scripts are strictly necessary for the service the user has explicitly requested (logging in). The cookies set (sid, DT) are required for maintaining the authenticated session and cannot be replaced with less privacy-invasive alternatives. Under ePrivacy Article 5(3), cookies that are strictly necessary for a service explicitly requested by the user are exempt.
  • CCPA/CPRA: Authentication processing is exempt from CCPA's sale/sharing restrictions as it constitutes service delivery.
  • Data transfers: Okta is a US company. Okta participates in the EU-US Data Privacy Framework (DPF), providing an adequacy mechanism for EU-to-US data transfers. Standard Contractual Clauses (SCCs) are also available.
  • No IAB TCF purposes apply — Okta does not participate in the IAB TCF ecosystem.

Should You Block This Without Consent?

No. Okta handles authentication and access control. Blocking its scripts and cookies would prevent users from logging in entirely. Authentication flows are strictly necessary and are exempt from consent requirements under both GDPR/ePrivacy and CCPA.

Consent Categories

Essential
Functional

Also Known As

  • Okta SSO
  • Okta MFA
  • single sign-on
  • identity provider
  • Okta SAML
  • enterprise authentication
  • IAM

Industries

  • Computers Electronics and Technology
  • Programming and Developer Software

Tracked Domains (1)

  • ok1static.oktacdn.com — Essential

Frequently Asked Questions

Does Okta require cookie consent?

No. Okta handles authentication and access control, making it strictly necessary for the service users have explicitly requested. Authentication scripts and cookies are exempt from consent requirements under ePrivacy Article 5(3). Blocking Okta would prevent users from logging in entirely. No consent banner action is required.

What cookies does Okta set?

Okta sets sid (session duration, HTTP-only Secure) as the SSO session identifier on the Okta domain, oktaStateToken (short-lived) to maintain state between authentication steps like MFA challenges, and DT (up to 1 year) for device trust used by Okta FastPass. Scripts load as okta-sign-in.min.js from global.oktacdn.com.

How does ConsentStack detect Okta?

ConsentStack classifies Okta as essential and functional, and never blocks it. It is detected via okta-sign-in.min.js loads from global.oktacdn.com and authentication redirects to {tenant}.okta.com. Because Okta provides login infrastructure, ConsentStack treats it as unconditionally necessary and excludes it from consent gating.
