<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Okta Developer</title>
    <description>Secure, scalable, and highly available authentication and user management for any app.
</description>
    <link>https://developer.okta.com</link>
    <atom:link href="https://developer.okta.com/feed.xml" rel="self" type="application/rss+xml" />
    
      <item>
        <title>Introducing Okta Journeys: A Better Way for Developers to Learn Identity</title>
        <description>&lt;p&gt;Learning identity management is hard enough. Navigating Okta’s documentation to build something shouldn’t be. If you’ve ever lost an afternoon stitching together how-to guides, product docs, and scattered blog posts just to figure out where to start, you’re not alone – and we’ve heard you, loudly and repeatedly.&lt;/p&gt;

&lt;p&gt;Today, we’re excited to announce the official launch of Journeys: a new way to navigate Okta documentation built around the tasks you’re actually trying to accomplish.&lt;/p&gt;

&lt;h2 id=&quot;what-are-okta-journeys-for-developers&quot;&gt;What are Okta Journeys for developers?&lt;/h2&gt;

&lt;p&gt;A Journey is a curated, expert-driven, end-to-end guide built around a small-to-medium-sized development project. Rather than sending you to find a single document and piece the rest together yourself, each Journey walks you through the entire project, from foundational concepts to completion.&lt;/p&gt;

&lt;p&gt;Journeys address the most frequent questions we’ve heard from developers. Every Journey includes both brand-new material and revised content to ensure that what you’re reading is accurate, up to date, and genuinely useful.&lt;/p&gt;

&lt;p&gt;Each Journey organizes content into three main sections.&lt;/p&gt;

&lt;h3 id=&quot;learn-identity-foundations&quot;&gt;Learn identity foundations&lt;/h3&gt;

&lt;p&gt;Before you write a single line of code, it helps to know the terrain. The Learn section anchors the broad “identity” concept, covering foundational knowledge including Okta features, software development kits (SDKs), and application programming interfaces (APIs) relevant to your task. Whether you’re new to Okta or just unfamiliar with a specific area, this section gives you the vocabulary and mental model you need to make informed decisions. It ensures you’re not just following steps, but truly understanding the technology and concepts underlying your project.&lt;/p&gt;

&lt;h3 id=&quot;plan-your-customer-identity-implementation&quot;&gt;Plan your customer identity implementation&lt;/h3&gt;

&lt;p&gt;Good implementations start with good planning. The Plan section walks you through the key decision points to consider before you begin – from the pros and cons of migration strategies and deployment models to configuration options, rate limits, and key performance indicators (KPIs). These are all common concerns from the field. Decisions made here shape everything that follows, so you won’t discover them for the first time mid-build.&lt;/p&gt;

&lt;h3 id=&quot;build-and-implement-identity-solutions&quot;&gt;Build and implement identity solutions&lt;/h3&gt;

&lt;p&gt;This is where everything comes together. The Build section presents a carefully curated collection of resources, organized to guide you through your project from start to finish. No more hunting across technical content channels to find the correct how-to guide, configuration advice, Knowledge Base (KB) article, blog post, API endpoint details, or videos. Everything you need is in one place, in the right order.&lt;/p&gt;

&lt;p&gt;Every Journey covers the Okta-recommended approach and adds common alternatives when practical, because we know one size doesn’t always fit all.&lt;/p&gt;

&lt;h2 id=&quot;six-okta-journeys-available-now&quot;&gt;Six Okta Journeys available now&lt;/h2&gt;

&lt;p&gt;The first six Journeys are live today, targeting Okta Customer Identity (OCI) builders developing and securing customer-facing portals. If you’re working on user authentication, registration, company branding, or user management, these Journeys are for you.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://developer.okta.com/docs/journeys/&quot;&gt;Explore Journeys&lt;/a&gt;&lt;/p&gt;

&lt;h2 id=&quot;whats-next-okta-for-ai-agents-and-more&quot;&gt;What’s next: Okta for AI agents and more&lt;/h2&gt;

&lt;p&gt;This is just the beginning. We’re already building new Journeys to tackle high-impact, emerging scenarios, including:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Okta for AI Agents: Detect, identify, manage, register, and govern your AI agents.&lt;/li&gt;
  &lt;li&gt;Building for the Okta Integration Network (OIN): Journeys for developers building different types of integrations for the &lt;a href=&quot;https://www.okta.com/okta-integration-network/&quot;&gt;Okta Integration Network&lt;/a&gt;.&lt;/li&gt;
  &lt;li&gt;Classic Engine to Okta Identity Engine Migration: Update your org to Okta Identity Engine and remove the Classic Engine-specific code from your apps.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We are committed to continuously expanding this library so that, no matter your development goal, you have a clear, expert-guided path to success.&lt;/p&gt;

&lt;h2 id=&quot;tell-us-what-you-think&quot;&gt;Tell us what you think&lt;/h2&gt;

&lt;p&gt;These Journeys will fundamentally improve your development experience. Explore them, share your feedback, and let us know what Journeys you’d like to see next. Use the feedback tab on the Journey page, reach out to us on the &lt;a href=&quot;https://devforum.okta.com/&quot;&gt;Okta Developer Forums&lt;/a&gt;, or find us on socials.&lt;/p&gt;

&lt;p&gt;Happy building.&lt;/p&gt;

&lt;p&gt;Remember to follow us on &lt;a href=&quot;https://x.com/oktadev&quot;&gt;X&lt;/a&gt; and subscribe to our &lt;a href=&quot;https://www.youtube.com/c/OktaDev/&quot;&gt;YouTube channel&lt;/a&gt; and &lt;a href=&quot;https://www.linkedin.com/company/oktadev&quot;&gt;LinkedIn&lt;/a&gt;for more exciting content. We also want to hear from you about the topics you’d like to see and any questions you may have. Leave us a comment below!&lt;/p&gt;
</description>
        <pubDate>Tue, 07 Jul 2026 00:00:00 -0500</pubDate>
        <link>https://developer.okta.com/blog/2026/07/07/okta-journeys-for-developers</link>
        <guid isPermaLink="true">https://developer.okta.com/blog/2026/07/07/okta-journeys-for-developers</guid>
      </item>
    
      <item>
        <title>How to Build and List Secure Cross App Access (XAA) Connections on Okta Integration Network (OIN)</title>
        <description>&lt;p&gt;AI agents have evolved from novelties into active participants in enterprise workflows. They now operate across systems, reading data, executing actions, and calling APIs on behalf of users.&lt;/p&gt;

&lt;p&gt;This evolution creates a new security hurdle for enterprises. Software and agents need to connect without relying on static API keys, scattered OAuth consent, or unmanaged integrations. Cross App Access (XAA) addresses this by bringing these connections under the enterprise identity layer.&lt;/p&gt;

&lt;p&gt;&lt;strong class=&quot;hide&quot;&gt;Table of Contents&lt;/strong&gt;&lt;/p&gt;
&lt;ul id=&quot;markdown-toc&quot;&gt;
  &lt;li&gt;&lt;a href=&quot;#what-is-cross-app-access-xaa&quot; id=&quot;markdown-toc-what-is-cross-app-access-xaa&quot;&gt;What is Cross App Access (XAA)?&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#why-cross-app-access-xaa-matters-for-isvs-and-their-customers&quot; id=&quot;markdown-toc-why-cross-app-access-xaa-matters-for-isvs-and-their-customers&quot;&gt;Why Cross App Access (XAA) matters for ISVs and their customers&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#prerequisites-for-supporting-cross-app-access-xaa-in-your-app&quot; id=&quot;markdown-toc-prerequisites-for-supporting-cross-app-access-xaa-in-your-app&quot;&gt;Prerequisites for supporting Cross App Access (XAA) in your app&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#implementation-and-testing-guide-for-cross-app-access-xaa-with-okta-as-idp&quot; id=&quot;markdown-toc-implementation-and-testing-guide-for-cross-app-access-xaa-with-okta-as-idp&quot;&gt;Implementation and testing guide for Cross App Access (XAA) with Okta as IdP&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#getting-listed-in-the-okta-integration-network-oin&quot; id=&quot;markdown-toc-getting-listed-in-the-okta-integration-network-oin&quot;&gt;Getting listed in the Okta Integration Network (OIN)&lt;/a&gt;    &lt;ul&gt;
      &lt;li&gt;&lt;a href=&quot;#xaa-enablement-questionnaire&quot; id=&quot;markdown-toc-xaa-enablement-questionnaire&quot;&gt;XAA enablement questionnaire&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#what-happens-next-after-you-submit-your-oin-and-xaa-request&quot; id=&quot;markdown-toc-what-happens-next-after-you-submit-your-oin-and-xaa-request&quot;&gt;What happens next after you submit your OIN and XAA request?&lt;/a&gt;&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#need-help-with-your-cross-app-access-xaa-submission&quot; id=&quot;markdown-toc-need-help-with-your-cross-app-access-xaa-submission&quot;&gt;Need help with your Cross App Access (XAA) submission?&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#learn-more-about-cross-app-access-and-the-okta-integration-network&quot; id=&quot;markdown-toc-learn-more-about-cross-app-access-and-the-okta-integration-network&quot;&gt;Learn more about Cross App Access and the Okta Integration Network&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;what-is-cross-app-access-xaa&quot;&gt;What is Cross App Access (XAA)?&lt;/h2&gt;

&lt;p&gt;Cross App Access (XAA) is an identity framework that secures token-based communication when software or AI agents request data from external ecosystems, and those apps have an established trust relationship with an Identity Provider (IdP). It replaces insecure, long-lived API keys or hardcoded secrets with a pattern for real-time identity propagation between different application vendors.&lt;/p&gt;

&lt;p&gt;Watch the video below to see Cross App Access (XAA) in action:&lt;/p&gt;

&lt;div class=&quot;jekyll-youtube-plugin&quot; style=&quot;text-align: center; margin-bottom: 1.25rem&quot;&gt;
            &lt;iframe width=&quot;700&quot; height=&quot;394&quot; style=&quot;max-width: 100%&quot; src=&quot;https://www.youtube.com/embed/3VLzeT1EGrg&quot; allowfullscreen=&quot;&quot; allow=&quot;accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture&quot; frameborder=&quot;0&quot;&gt;&lt;/iframe&gt;
        &lt;/div&gt;

&lt;p&gt;A concrete way to think about it: consider an employee using an AI assistant to prepare for a meeting. The assistant might need to pull tasks from one application, notes from another, and account details from a third. Without XAA, every connection might require separate user permissions, distinct API keys, or custom administrative work.&lt;/p&gt;

&lt;p&gt;XAA allows enterprises to centrally determine which apps connect, which scopes they request, and which users gain access. This streamlines the user experience while giving the enterprise the control it requires.&lt;/p&gt;

&lt;h2 id=&quot;why-cross-app-access-xaa-matters-for-isvs-and-their-customers&quot;&gt;Why Cross App Access (XAA) matters for ISVs and their customers&lt;/h2&gt;

&lt;p&gt;Every time an AI agent or application accesses another system without a proper identity handshake, customers face security and compliance risks. XAA eliminates this gap, providing IT teams with the visibility and audit trails they need to govern cross-app identity flows.&lt;/p&gt;

&lt;p&gt;For ISVs, XAA adoption simplifies the integration process in enterprise environments where security and visibility remain top priorities. It demonstrates trust to buyers, showing that your application fits into a secure, modern ecosystem. As enterprises increase their expectations for secure integrations, XAA readiness becomes a powerful competitive differentiator.&lt;/p&gt;

&lt;p&gt;At a high level, XAA involves three distinct roles:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Requesting app&lt;/strong&gt;: the requesting app acts on behalf of the user but does not mint the identity assertion itself. Instead, it receives an ID token or Security Assertion Markup Language (SAML) assertion from the identity provider and exchanges that assertion for an Identity Assertion Authorization Grant (ID-JAG), a JSON Web Token (JWT).&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Resource app&lt;/strong&gt;: the resource app owns the API or data. It validates the incoming ID-JAG and issues a scoped access token if the request is valid.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Identity Provider&lt;/strong&gt;: authenticates the subject, evaluates access policies, and generates the necessary ID-JAG. &lt;a href=&quot;https://okta.com&quot;&gt;Okta&lt;/a&gt; fills this role in an XAA deployment.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;prerequisites-for-supporting-cross-app-access-xaa-in-your-app&quot;&gt;Prerequisites for supporting Cross App Access (XAA) in your app&lt;/h2&gt;

&lt;p&gt;Before you start building, ensure you have these prerequisites in place:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Defined app role&lt;/strong&gt;: determine if your app will function as a requesting app, a resource app, or both.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Authorization server support&lt;/strong&gt;: if your app acts as a resource app, your authorization server must validate the ID-JAG and issue a scoped access token for the protected resource.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Scopes and protected resources&lt;/strong&gt;: if you are building a resource app, clearly define the APIs and scopes available to requesting apps.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Okta Integrator Free Plan org&lt;/strong&gt;: use this org to build, test, and submit your integration. You can &lt;a href=&quot;https://developer.okta.com/signup/&quot;&gt;register for a new account&lt;/a&gt;. After signing up, email &lt;a href=&quot;mailto:developers@okta.com&quot;&gt;developers@okta.com&lt;/a&gt; to enable the XAA feature for your org.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Single Sign-On (SSO) integration&lt;/strong&gt;: XAA relies on the trust your existing SSO already establishes. Ensure your app supports OpenID Connect (OIDC) or SAML SSO with Okta.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Tested workflows&lt;/strong&gt;: you must demonstrate that XAA works with Okta as the IdP before requesting XAA enablement for your Okta Integration Network (OIN) integration.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;implementation-and-testing-guide-for-cross-app-access-xaa-with-okta-as-idp&quot;&gt;Implementation and testing guide for Cross App Access (XAA) with Okta as IdP&lt;/h2&gt;

&lt;p&gt;To begin development, select the guide corresponding to your application’s authentication protocol:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;If your app uses SAML for SSO, follow our &lt;a href=&quot;/blog/2026/07/03/cross-app-access-saml&quot;&gt;SAML implementation guide&lt;/a&gt;.&lt;/li&gt;
  &lt;li&gt;If your app uses OIDC for SSO, refer to the &lt;a href=&quot;/blog/2025/09/03/cross-app-access&quot;&gt;OIDC implementation guide&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;To verify your configuration, demonstrate a successful token exchange:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Requesting apps&lt;/strong&gt;: provide evidence that you successfully obtained an ID token via OIDC SSO and used it to mint an ID-JAG.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Resource apps&lt;/strong&gt;: show that your app received an ID-JAG and successfully exchanged it for a scoped access token.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Completing these tests is a hard requirement for approval; please ensure they are successful before submitting your integration.&lt;/p&gt;

&lt;h2 id=&quot;getting-listed-in-the-okta-integration-network-oin&quot;&gt;Getting listed in the Okta Integration Network (OIN)&lt;/h2&gt;

&lt;p&gt;Listing your integration on the &lt;a href=&quot;https://www.okta.com/integrations/&quot;&gt;Okta Integration Network (OIN)&lt;/a&gt; helps customers discover and trust it. Because XAA relies on trust that your existing single sign-on (SSO) configuration already establishes, you must list an OIDC or SAML SSO integration on the OIN before proceeding.&lt;/p&gt;

&lt;p&gt;If your app is not yet listed, prioritize that submission. Submit your SSO app through the &lt;a href=&quot;https://developer.okta.com/docs/guides/submit-oin-app/openidconnect/main/&quot;&gt;OIN Wizard&lt;/a&gt;. This &lt;a href=&quot;https://developer.okta.com/docs/guides/okta-integration-network/&quot;&gt;Okta Integration Network guide&lt;/a&gt; walks you through everything you need to get your integration listed, from app metadata to SSO configuration. Once you submit your SSO app for review, you can begin the XAA enablement request in parallel.&lt;/p&gt;

&lt;p&gt;XAA submissions currently require a manual step: you need to contact Okta directly to indicate that your submission includes XAA support. When your app successfully passes token exchange tests, email the Okta team at &lt;a href=&quot;mailto:oin@okta.com&quot;&gt;oin@okta.com&lt;/a&gt; to request XAA enablement. To speed up the review and avoid additional rounds of configuration, include the completed questionnaire below in your email.&lt;/p&gt;

&lt;p&gt;Use this subject line: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Request to enable XAA support for &amp;lt;App Name&amp;gt; on OIN&lt;/code&gt;&lt;/p&gt;

&lt;h3 id=&quot;xaa-enablement-questionnaire&quot;&gt;XAA enablement questionnaire&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;General app details:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;App Name:&lt;/li&gt;
  &lt;li&gt;Okta Integrator Org domain:&lt;/li&gt;
  &lt;li&gt;SSO Mode: OIDC / SAML&lt;/li&gt;
  &lt;li&gt;XAA App Role: Requesting app / Resource app / Both&lt;/li&gt;
  &lt;li&gt;Existing OIN App Link, if already published&lt;/li&gt;
  &lt;li&gt;Submission Type: new OIN submission / update to an existing OIN app&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Requesting app details:&lt;/strong&gt; &lt;em&gt;fill this out if your app acts as a requesting app.&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Resource Registration Pairs: for each resource app you connect with, provide:
    &lt;ul&gt;
      &lt;li&gt;Resource app name&lt;/li&gt;
      &lt;li&gt;Authorization Server Issuer URL&lt;/li&gt;
      &lt;li&gt;Registered Client ID&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;Supported Scopes: list the scopes your app requests from resource apps.&lt;/li&gt;
  &lt;li&gt;Client ID Metadata Documents (CIMD) Support:
    &lt;ul&gt;
      &lt;li&gt;If yes, please provide the CIMD URL&lt;/li&gt;
      &lt;li&gt;No&lt;/li&gt;
      &lt;li&gt;Planned future support&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Resource app details:&lt;/strong&gt; &lt;em&gt;fill this out if your app acts as a resource app.&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Global Issuer URL: the endpoint that processes ID-JAG token exchange requests&lt;/li&gt;
  &lt;li&gt;Protected Resource Identifiers: URLs of the APIs your app exposes (e.g., &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;https://api.yourdomain.com/v1&lt;/code&gt;)&lt;/li&gt;
  &lt;li&gt;Supported OAuth Scopes: scopes allowed for XAA token exchange (e.g., openid, read, write)&lt;/li&gt;
  &lt;li&gt;CIMD Support:
    &lt;ul&gt;
      &lt;li&gt;If yes, please provide the CIMD URL&lt;/li&gt;
      &lt;li&gt;No&lt;/li&gt;
      &lt;li&gt;Planned future support&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;Well-Known Host Endpoints: specify whether you host either of the following:
    &lt;ul&gt;
      &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.well-known/oauth-authorization-server&lt;/code&gt;&lt;/li&gt;
      &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.well-known/oauth-protected-resources&lt;/code&gt;&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Testing details:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;If you’re a requesting app: confirm that you generated successful token exchange logs. The Okta operations team can verify these via internal telemetry parameters. To help the team validate quickly, also include:
    &lt;ul&gt;
      &lt;li&gt;Test org&lt;/li&gt;
      &lt;li&gt;App name&lt;/li&gt;
      &lt;li&gt;Test user or test account used&lt;/li&gt;
      &lt;li&gt;Resource app tested against&lt;/li&gt;
      &lt;li&gt;Scopes requested&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;If you’re a resource app: attach a screenshot or a short video showing successful ID-JAG validation and scoped access token exchange logs directly from your authorization server. These cannot be verified externally, so the evidence needs to come from you. Please include:
    &lt;ul&gt;
      &lt;li&gt;Resource endpoint tested&lt;/li&gt;
      &lt;li&gt;Scopes granted&lt;/li&gt;
      &lt;li&gt;Token exchange result&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id=&quot;what-happens-next-after-you-submit-your-oin-and-xaa-request&quot;&gt;What happens next after you submit your OIN and XAA request?&lt;/h3&gt;

&lt;p&gt;Once you submit your request, the Okta team reviews your SSO submission, XAA metadata, and testing evidence. If your app is already on the OIN, we will update the existing listing after approval. For new integrations, we complete the standard SSO review before publishing your app with XAA support. If the team needs further clarification or additional testing evidence, we will contact you directly.&lt;/p&gt;

&lt;h2 id=&quot;need-help-with-your-cross-app-access-xaa-submission&quot;&gt;Need help with your Cross App Access (XAA) submission?&lt;/h2&gt;

&lt;p&gt;Please reach out to &lt;a href=&quot;mailto:developers@okta.com&quot;&gt;developers@okta.com&lt;/a&gt; for help. You can also find answers and connect with peers in our &lt;a href=&quot;https://devforum.okta.com/&quot;&gt;developer community&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;XAA advances how apps and agents interact securely. By supporting this standard and listing your integration on the OIN, you help enterprise customers adopt AI-driven automation with better governance, stronger identity control, and increased confidence.&lt;/p&gt;

&lt;h2 id=&quot;learn-more-about-cross-app-access-and-the-okta-integration-network&quot;&gt;Learn more about Cross App Access and the Okta Integration Network&lt;/h2&gt;

&lt;p&gt;If this guide helped you plan your OIN and XAA submission, explore these resources next:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;📘 &lt;a href=&quot;https://help.okta.com/oie/en-us/content/topics/apps/apps-cross-app-access.htm&quot;&gt;Cross App Access documentation&lt;/a&gt;: official guides for configuring and managing Cross App Access in production.&lt;/li&gt;
  &lt;li&gt;📄 &lt;a href=&quot;https://developer.okta.com/docs/guides/okta-integration-network/&quot;&gt;Okta Integration Network documentation&lt;/a&gt;: everything you need to get your SSO integration listed on the OIN.&lt;/li&gt;
  &lt;li&gt;🔐 &lt;a href=&quot;/blog/2026/07/03/cross-app-access-saml&quot;&gt;Enabling Cross App Access for SAML-based enterprise apps&lt;/a&gt;: the implementation guide for SAML SSO apps.&lt;/li&gt;
  &lt;li&gt;🔑 &lt;a href=&quot;/blog/2025/09/03/cross-app-access&quot;&gt;Build secure agent-to-app connections with Cross App Access (XAA)&lt;/a&gt;: the implementation guide for OIDC SSO apps.&lt;/li&gt;
  &lt;li&gt;🎙️ &lt;a href=&quot;https://www.youtube.com/watch?v=qKs4k5Y1x_s&quot;&gt;Developer podcast on MCP and Cross App Access&lt;/a&gt;: hear the backstory, use cases, and why this matters for developers.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Follow us on &lt;a href=&quot;https://www.linkedin.com/company/oktadev&quot;&gt;LinkedIn&lt;/a&gt; and &lt;a href=&quot;https://x.com/oktadev&quot;&gt;X&lt;/a&gt;, and subscribe to our &lt;a href=&quot;https://www.youtube.com/c/OktaDev/&quot;&gt;YouTube&lt;/a&gt; channel. Leave a comment below if you have any questions!&lt;/p&gt;
</description>
        <pubDate>Mon, 06 Jul 2026 00:00:00 -0500</pubDate>
        <link>https://developer.okta.com/blog/2026/07/06/submit-oin-xaa</link>
        <guid isPermaLink="true">https://developer.okta.com/blog/2026/07/06/submit-oin-xaa</guid>
      </item>
    
      <item>
        <title>Enabling Cross App Access for SAML-Based Enterprise Apps</title>
        <description>&lt;p&gt;If you currently federate enterprise customers using Security Assertion Markup Language (SAML) and want to allow AI agents to access your API without migrating to OpenID Connect (OIDC), this Cross App Access (XAA) guide is for you.&lt;/p&gt;

&lt;p&gt;The &lt;a href=&quot;https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/&quot;&gt;Identity Assertion Authorization Grant specification&lt;/a&gt;, the basis of XAA, was originally designed with OIDC in mind. To use it in SAML applications, you must accommodate specific security and uniqueness requirements. This guide details what you need to support and how to verify SAML-derived claims at your resource authorization server.&lt;/p&gt;

&lt;p&gt;&lt;strong class=&quot;hide&quot;&gt;Table of Contents&lt;/strong&gt;&lt;/p&gt;
&lt;ul id=&quot;markdown-toc&quot;&gt;
  &lt;li&gt;&lt;a href=&quot;#how-xaa-in-saml-works&quot; id=&quot;markdown-toc-how-xaa-in-saml-works&quot;&gt;How XAA in SAML works&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#analyzing-the-id-jag-claims&quot; id=&quot;markdown-toc-analyzing-the-id-jag-claims&quot;&gt;Analyzing the ID-JAG claims&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#xaa-implementation-checklist-for-saml-federated-applications&quot; id=&quot;markdown-toc-xaa-implementation-checklist-for-saml-federated-applications&quot;&gt;XAA implementation checklist for SAML-federated applications&lt;/a&gt;    &lt;ul&gt;
      &lt;li&gt;&lt;a href=&quot;#mapping-user-identity-in-the-saml-nameid-attribute&quot; id=&quot;markdown-toc-mapping-user-identity-in-the-saml-nameid-attribute&quot;&gt;Mapping user identity in the SAML &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;NameID&lt;/code&gt; attribute&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#validating-the-id-jag-and-resolving-the-user&quot; id=&quot;markdown-toc-validating-the-id-jag-and-resolving-the-user&quot;&gt;Validating the ID-JAG and resolving the user&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#issuing-the-access-token&quot; id=&quot;markdown-toc-issuing-the-access-token&quot;&gt;Issuing the access token&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#updating-authorization-server-metadata&quot; id=&quot;markdown-toc-updating-authorization-server-metadata&quot;&gt;Updating authorization server metadata&lt;/a&gt;&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#making-cross-application-requests-from-your-saml-app-securely&quot; id=&quot;markdown-toc-making-cross-application-requests-from-your-saml-app-securely&quot;&gt;Making cross-application requests from your SAML app securely&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#configure-your-xaa-saml-app-in-okta&quot; id=&quot;markdown-toc-configure-your-xaa-saml-app-in-okta&quot;&gt;Configure your XAA SAML App in Okta&lt;/a&gt;    &lt;ul&gt;
      &lt;li&gt;&lt;a href=&quot;#create-the-saml-20-app-in-okta&quot; id=&quot;markdown-toc-create-the-saml-20-app-in-okta&quot;&gt;Create the SAML 2.0 app in Okta&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#register-and-configure-the-ai-agent-in-okta&quot; id=&quot;markdown-toc-register-and-configure-the-ai-agent-in-okta&quot;&gt;Register and configure the AI Agent in Okta&lt;/a&gt;&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#verify-your-okta-xaa-setup-on-xaadev&quot; id=&quot;markdown-toc-verify-your-okta-xaa-setup-on-xaadev&quot;&gt;Verify your Okta XAA setup on xaa.dev&lt;/a&gt;    &lt;ul&gt;
      &lt;li&gt;&lt;a href=&quot;#configure-saml-sso&quot; id=&quot;markdown-toc-configure-saml-sso&quot;&gt;Configure SAML SSO&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#confirm-the-saml-assertion-exchange-for-a-refresh-token&quot; id=&quot;markdown-toc-confirm-the-saml-assertion-exchange-for-a-refresh-token&quot;&gt;Confirm the SAML Assertion exchange for a refresh token&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#verify-the-refresh-token-exchange-for-an-id-jag-token&quot; id=&quot;markdown-toc-verify-the-refresh-token-exchange-for-an-id-jag-token&quot;&gt;Verify the refresh token exchange for an ID-JAG token&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#redeem-the-id-jag-for-an-access-token-at-the-resource-authorization-server&quot; id=&quot;markdown-toc-redeem-the-id-jag-for-an-access-token-at-the-resource-authorization-server&quot;&gt;Redeem the ID-JAG for an access token at the resource authorization server&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#call-the-resource-api-with-the-access-token&quot; id=&quot;markdown-toc-call-the-resource-api-with-the-access-token&quot;&gt;Call the resource API with the access token&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#prove-the-xaa-connection-end-to-end&quot; id=&quot;markdown-toc-prove-the-xaa-connection-end-to-end&quot;&gt;Prove the XAA connection end-to-end&lt;/a&gt;&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#takeaways-for-implementors-who-have-both-oidc-and-saml-apps&quot; id=&quot;markdown-toc-takeaways-for-implementors-who-have-both-oidc-and-saml-apps&quot;&gt;Takeaways for implementors who have both OIDC and SAML apps&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#learn-more-about-cross-app-access-saml-and-oauth-20&quot; id=&quot;markdown-toc-learn-more-about-cross-app-access-saml-and-oauth-20&quot;&gt;Learn more about Cross App Access, SAML, and OAuth 2.0&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;how-xaa-in-saml-works&quot;&gt;How XAA in SAML works&lt;/h2&gt;

&lt;p&gt;When an agent (like one running in Claude) needs API access, it presents an &lt;strong&gt;Identity Assertion Authorization Grant (ID-JAG)&lt;/strong&gt;. The ID-JAG is a short-lived JSON Web Token (JWT) issued by the customer’s Identity Provider (IdP) for your authorization server. Your resource server accepts the token, identifies the user, and issues your own access token, all while leaving the customer’s existing SAML integration untouched.&lt;/p&gt;

&lt;p&gt;The sequence diagram shown below describes the SAML XAA flow. Notice that the SAML SSO flow stays the same; the only change is the section highlighted with the comment “Your Resource Authorization Server (AS): redeem and resolve”. You’ll make a &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;POST&lt;/code&gt; request to your resource’s authorization server with the ID-JAG, resolve the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;NameID&lt;/code&gt; to return an access token that you’ll use for resource requests.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/cross-app-access-saml/xaa-saml-sequence-diagram-f2db13d4cb32e0de677e0ffbb409f8a89c963d479ade19b99a3aaf5f0953e139.svg&quot; alt=&quot;Sequence diagram showing SAML SSO between the user and Okta IdP, two OAuth token exchanges producing a refresh token and then an ID-JAG, and the resource authorization server redeeming the ID-JAG and resolving the SAML NameID before issuing an access token used to call the API.&quot; width=&quot;800&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;⚠️ &lt;strong&gt;Note&lt;/strong&gt;&lt;/p&gt;

  &lt;p&gt;You are not processing SAML here. The only artifact crossing from the IdP to your domain is the ID-JAG. All SAML-related tasks, such as SSO, assertion handling, and subject derivation, happen upstream. Your responsibility is to validate the ID-JAG, redeem it for an access token, and resolve the user from the claims.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2 id=&quot;analyzing-the-id-jag-claims&quot;&gt;Analyzing the ID-JAG claims&lt;/h2&gt;

&lt;p&gt;When you decode the ID-JAG, you’ll see claims in the header and payload that impact how you process the access request:&lt;/p&gt;

&lt;div class=&quot;language-json highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;err&quot;&gt;//&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;header&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;typ&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;oauth-id-jag+jwt&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;...&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;

&lt;/span&gt;&lt;span class=&quot;err&quot;&gt;//&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;payload&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;iss&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;https://atko.okta.com&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;sub&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;00u1a2b3c4D5e6F7g8h9&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;sub_id&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;format&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;saml-nameid&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;issuer&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;http://www.okta.com/exk1fcia8zMValiD0h8&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;nameid&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;alice@atko.com&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;nameid_format&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;sp_name_qualifier&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;https://chat.example/saml/metadata&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;},&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;aud&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;https://auth.chat.example&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;client_id&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;0oa8claudeMcpAtYourAS&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;email&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;alice@atko.com&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;scope&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;chat:read chat:write&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;jti&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;id-jag-7f3c9a21b8&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;...&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;Focus on these key claims noted in the decoded ID-JAG payload:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sub_id&lt;/code&gt;&lt;/strong&gt;: This is the primary field for user resolution&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;aud&lt;/code&gt;&lt;/strong&gt;: Indicates the endpoint URL for the resource authorization server&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;client_id&lt;/code&gt;&lt;/strong&gt;: This is the client’s ID at your resource authorization server, which might differ from its ID at the IdP&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;email&lt;/code&gt;&lt;/strong&gt;: Recommended by the specification for just-in-time provisioning if the user has not yet signed in&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;jti&lt;/code&gt;&lt;/strong&gt;: This is the unique ID for the ID-JAG JWT that prevents replay attacks within the validity window&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;xaa-implementation-checklist-for-saml-federated-applications&quot;&gt;XAA implementation checklist for SAML-federated applications&lt;/h2&gt;

&lt;p&gt;To fully support Cross App Access, implement these five steps in sequence:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;#how-xaa-in-saml-works&quot;&gt;How XAA in SAML works&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#analyzing-the-id-jag-claims&quot;&gt;Analyzing the ID-JAG claims&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#xaa-implementation-checklist-for-saml-federated-applications&quot;&gt;XAA implementation checklist for SAML-federated applications&lt;/a&gt;
    &lt;ul&gt;
      &lt;li&gt;&lt;a href=&quot;#mapping-user-identity-in-the-saml-nameid-attribute&quot;&gt;Mapping user identity in the SAML &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;NameID&lt;/code&gt; attribute&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#validating-the-id-jag-and-resolving-the-user&quot;&gt;Validating the ID-JAG and resolving the user&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#issuing-the-access-token&quot;&gt;Issuing the access token&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#updating-authorization-server-metadata&quot;&gt;Updating authorization server metadata&lt;/a&gt;&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#making-cross-application-requests-from-your-saml-app-securely&quot;&gt;Making cross-application requests from your SAML app securely&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#configure-your-xaa-saml-app-in-okta&quot;&gt;Configure your XAA SAML App in Okta&lt;/a&gt;
    &lt;ul&gt;
      &lt;li&gt;&lt;a href=&quot;#create-the-saml-20-app-in-okta&quot;&gt;Create the SAML 2.0 app in Okta&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#register-and-configure-the-ai-agent-in-okta&quot;&gt;Register and configure the AI Agent in Okta&lt;/a&gt;&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#verify-your-okta-xaa-setup-on-xaadev&quot;&gt;Verify your Okta XAA setup on xaa.dev&lt;/a&gt;
    &lt;ul&gt;
      &lt;li&gt;&lt;a href=&quot;#configure-saml-sso&quot;&gt;Configure SAML SSO&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#confirm-the-saml-assertion-exchange-for-a-refresh-token&quot;&gt;Confirm the SAML Assertion exchange for a refresh token&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#verify-the-refresh-token-exchange-for-an-id-jag-token&quot;&gt;Verify the refresh token exchange for an ID-JAG token&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#redeem-the-id-jag-for-an-access-token-at-the-resource-authorization-server&quot;&gt;Redeem the ID-JAG for an access token at the resource authorization server&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#call-the-resource-api-with-the-access-token&quot;&gt;Call the resource API with the access token&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;&lt;a href=&quot;#prove-the-xaa-connection-end-to-end&quot;&gt;Prove the XAA connection end-to-end&lt;/a&gt;&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#takeaways-for-implementors-who-have-both-oidc-and-saml-apps&quot;&gt;Takeaways for implementors who have both OIDC and SAML apps&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#learn-more-about-cross-app-access-saml-and-oauth-20&quot;&gt;Learn more about Cross App Access, SAML, and OAuth 2.0&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id=&quot;mapping-user-identity-in-the-saml-nameid-attribute&quot;&gt;Mapping user identity in the SAML &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;NameID&lt;/code&gt; attribute&lt;/h3&gt;

&lt;p&gt;Unlike OIDC apps, which typically resolve users from the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sub&lt;/code&gt; claim, SAML-federated apps do not have a corresponding &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sub&lt;/code&gt; claim in their SAML assertion. Consequently, they often lack a direct way to map users without using the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sub_id&lt;/code&gt; field.&lt;/p&gt;

&lt;p&gt;You must compare every member of the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;saml-nameid&lt;/code&gt; identifier used as a subject key for a given SAML issuer. Do not resolve based on the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;NameID&lt;/code&gt; alone unless your local policy permits it.&lt;/p&gt;

&lt;p&gt;The &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;NameID&lt;/code&gt; field alone doesn’t uniquely identify a user, since two organizations could each have an employee named Alex Chen. This problem is analogous to resolving user uniqueness in multi-tenant applications.&lt;/p&gt;

&lt;p&gt;Resolve on &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;NameID&lt;/code&gt; + &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sp_name_qualifier&lt;/code&gt; together; the combination of both fields provides the unique user identity required.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;⚠️ &lt;strong&gt;Note&lt;/strong&gt;&lt;/p&gt;

  &lt;p&gt;Don’t assume the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;NameID&lt;/code&gt; is an email address; it is whatever the customer’s SSO emits. Your matching set must remain consistent across your deployment.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3 id=&quot;validating-the-id-jag-and-resolving-the-user&quot;&gt;Validating the ID-JAG and resolving the user&lt;/h3&gt;

&lt;p&gt;The client posts the ID-JAG as a JWT authorization grant and authenticates with its credentials at your server. Below is an example HTTP request for requesting an &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;access_token&lt;/code&gt;&lt;/p&gt;

&lt;div class=&quot;language-http highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;nf&quot;&gt;POST&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;/oauth2/v1/token&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;HTTP&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;/&lt;/span&gt;&lt;span class=&quot;m&quot;&gt;1.1&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Host&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;chat.example&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Authorization&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;Basic &amp;lt;base64(client_id:client_secret)&amp;gt;&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Type&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;application/x-www-form-urlencoded&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;grant_type=urn&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;ietf:params:oauth:grant-type:jwt-bearer&lt;/span&gt;
&lt;span class=&quot;s&quot;&gt;&amp;amp;assertion=eyJ0eXAiOiJvYXV0aC1pZC1qYWcrand0...&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Before processing, you must bind the ID-JAG’s &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;iss&lt;/code&gt; to a registered SAML connection to prevent forgery.&lt;/p&gt;

&lt;p&gt;If you verify the signature before checking the issuer binding, an attacker could potentially create their own IdP, sign a token, and use your customer’s SAML issuer as the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sub_id&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Always resolve the connection from the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;iss&lt;/code&gt; first, then verify the signature against that connection’s key. You’ll compare this using the JSON Web Key Set (JWKS) metadata.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/cross-app-access-saml/idjag-validation-order-690e0fac947f453792a7e365b3fa011b3fa58dbf447e0974c8923967598a93db.jpg&quot; alt=&quot;ID-JAG validation order&quot; width=&quot;800&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Below is the pseudocode for implementing the validation and resolving a user:&lt;/p&gt;

&lt;div class=&quot;language-python highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;n&quot;&gt;connections&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
  &lt;span class=&quot;s&quot;&gt;&quot;https://atko.okta.com&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;jwks&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;            &lt;span class=&quot;s&quot;&gt;&quot;https://atko.okta.com/oauth2/v1/keys&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;samlIssuer&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;      &lt;span class=&quot;s&quot;&gt;&quot;http://www.okta.com/exk1fcia8zMValiD0h8&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;spNameQualifier&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;https://chat.example/saml/metadata&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
  &lt;span class=&quot;p&quot;&gt;},&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;redeem&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;idJag&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;authenticatedClient&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;):&lt;/span&gt;
    &lt;span class=&quot;o&quot;&gt;//&lt;/span&gt; &lt;span class=&quot;mf&quot;&gt;1.&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;Bind&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;iss&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;to&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;a&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;connection&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;before&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;trusting&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;the&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;signature&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;iss&lt;/span&gt;  &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;unverified_issuer&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;idJag&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;conn&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;connections&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;iss&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;conn&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;is&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;none&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;reject&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;invalid_grant&quot;&lt;/span&gt;

    &lt;span class=&quot;o&quot;&gt;//&lt;/span&gt; &lt;span class=&quot;mf&quot;&gt;2.&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;Verify&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;signature&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;against&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;the&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;specific&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;issuers&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;JWKS&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;payload&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;verify_jwt&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;idJag&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;jwks&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;conn&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;jwks&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;payload&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;is&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;invalid&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;reject&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;invalid_grant&quot;&lt;/span&gt;

    &lt;span class=&quot;o&quot;&gt;//&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;3&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;-&lt;/span&gt;&lt;span class=&quot;mf&quot;&gt;5.&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;Perform&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;remaining&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;checks&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;require&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;payload&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;typ&lt;/span&gt;       &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;oauth-id-jag+jwt&quot;&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;require&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;payload&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;aud&lt;/span&gt;       &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;resource_authorization_server_url&quot;&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;require&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;payload&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;client_id&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;authenticatedClient&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;id&lt;/span&gt;

    &lt;span class=&quot;n&quot;&gt;user&lt;/span&gt;  &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;resolveSamlSubject&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;payload&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;sub_id&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;conn&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;scope&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;applyScopePolicy&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;user&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;payload&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;scope&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;issueAccessToken&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;user&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;scope&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;resolveSamlSubject&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;subId&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;conn&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;):&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;require&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;subId&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;and&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;subId&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;format&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;saml-nameid&quot;&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;require&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;subId&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;issuer&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;conn&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;samlIssuer&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;require&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;subId&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;sp_name_qualifier&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;conn&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;spNameQualifier&lt;/span&gt;

    &lt;span class=&quot;n&quot;&gt;user&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;lookup_user_by_saml_nameid&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;subId&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;issuer&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;subId&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;nameid&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;subId&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;sp_name_qualifier&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;user&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;is&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;none&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;reject&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;invalid_grant&quot;&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;user&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h3 id=&quot;issuing-the-access-token&quot;&gt;Issuing the access token&lt;/h3&gt;

&lt;p&gt;Once you resolve the user, issue an &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;access_token&lt;/code&gt; scoped according to your local policy. Below is an example of an &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;access_token&lt;/code&gt; returned after successfully validating the ID-JAG and resolving the user.&lt;/p&gt;

&lt;div class=&quot;language-http highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;k&quot;&gt;HTTP&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;/&lt;/span&gt;&lt;span class=&quot;m&quot;&gt;1.1&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;200&lt;/span&gt; &lt;span class=&quot;ne&quot;&gt;OK&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Type&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;application/json;charset=UTF-8&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Cache-Control&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;no-store&lt;/span&gt;

&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;token_type&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;Bearer&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;access_token&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;2YotnFZFEjr1zCsicMWpAA&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;expires_in&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;86400&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;scope&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;chat:read chat:write&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;blockquote&gt;
  &lt;p&gt;⚠️ &lt;strong&gt;Note&lt;/strong&gt;&lt;/p&gt;

  &lt;p&gt;Do not issue a refresh token. If your authorization server issues a refresh token, the client has durable access to your resource server, and the IdP cannot revoke access.&lt;/p&gt;

  &lt;p&gt;The ID-JAG replaces the need for a refresh token. On access token expiry, the client resubmits the same ID-JAG to your token endpoint, and you mint a new access token against it. Only once the ID-JAG itself expires does the client request a new ID-JAG from the IdP using its own refresh token.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3 id=&quot;updating-authorization-server-metadata&quot;&gt;Updating authorization server metadata&lt;/h3&gt;

&lt;p&gt;Clients locate your XAA support via your authorization server metadata (&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/.well-known/oauth-authorization-server&lt;/code&gt;). Ensure you include the supported fields:&lt;/p&gt;

&lt;div class=&quot;language-json highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;issuer&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;https://chat.example&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;token_endpoint&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;https://auth.chat.example/oauth2/v1/token&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;grant_types_supported&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;urn:ietf:params:oauth:grant-type:jwt-bearer&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;authorization_grant_profiles_supported&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;urn:ietf:params:oauth:grant-profile:id-jag&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
  &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h2 id=&quot;making-cross-application-requests-from-your-saml-app-securely&quot;&gt;Making cross-application requests from your SAML app securely&lt;/h2&gt;

&lt;p&gt;With these five steps complete, your SAML application is configured for Cross App Access. Agents can now authorize requests against your API while maintaining your existing production federation, eliminating the need for protocol migration.&lt;/p&gt;

&lt;p&gt;You can now use Okta to make cross-application requests with your SAML app.&lt;/p&gt;

&lt;h2 id=&quot;configure-your-xaa-saml-app-in-okta&quot;&gt;Configure your XAA SAML App in Okta&lt;/h2&gt;

&lt;p&gt;Let’s test your SAML application in Okta. Before you begin, you’ll need some configuration values from the xaa.dev site.&lt;/p&gt;

&lt;p&gt;Navigate to &lt;a href=&quot;https://xaa.dev/developer/test-resource?tab=saml-okta&quot;&gt;https://xaa.dev/developer/test-resource?tab=saml-okta&lt;/a&gt;. You’ll need two values, the &lt;strong&gt;Single Sign-On URL&lt;/strong&gt; – this is the Assertion Consumer Service (ACS) URL – and the &lt;strong&gt;Audience URI (SP Entity ID)&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Keep this site open in your browser; you’ll return to it throughout the setup.&lt;/p&gt;

&lt;h3 id=&quot;create-the-saml-20-app-in-okta&quot;&gt;Create the SAML 2.0 app in Okta&lt;/h3&gt;

&lt;p&gt;Before you begin this step, you’ll need an Okta Integrator Free Plan account. &lt;a href=&quot;https://developer.okta.com/signup/&quot;&gt;Sign up for a new account&lt;/a&gt; to test out the XAA features.&lt;/p&gt;

&lt;p&gt;Cross App Access is an early access feature in Okta. New Integrator Free Plan account types include XAA support. If you have a paid Okta org plan and the following options are missing, contact your representative.&lt;/p&gt;

&lt;p&gt;Sign in to your Integrator Free Plan org and open the &lt;strong&gt;Admin Console&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Enable AI Agent Identity Assertion:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Navigate to &lt;strong&gt;Settings &amp;gt; Features &amp;gt; Early Access&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;Find &lt;strong&gt;AI Agent Identity Assertion&lt;/strong&gt; and &lt;strong&gt;Agent to Agent Connections&lt;/strong&gt;, and enable both&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;You’ll need an Okta application representing your requesting and resource apps.&lt;/p&gt;

&lt;p&gt;If you don’t have Okta SAML 2.0 applications representing your requesting and resource apps, you’ll need to create them. Create Okta SAML 2.0 applications by following these instructions.&lt;/p&gt;

&lt;p&gt;Navigate to &lt;strong&gt;Applications &amp;gt; Applications&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Select &lt;strong&gt;Create App Integration&lt;/strong&gt;. In the &lt;strong&gt;Create a new app integration&lt;/strong&gt; modal, select &lt;strong&gt;SAML 2.0&lt;/strong&gt; and press &lt;strong&gt;Next&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;In &lt;strong&gt;General Settings&lt;/strong&gt;:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;&lt;strong&gt;App name&lt;/strong&gt;: Enter a descriptive name for the app, for example, “Test Requesting App” or “Resource App”&lt;/li&gt;
  &lt;li&gt;Press &lt;strong&gt;Next&lt;/strong&gt; to continue&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;In &lt;strong&gt;Configure SAML&lt;/strong&gt;:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;&lt;strong&gt;Single sign-on URL&lt;/strong&gt;: Use the ACS URL of your requestor or resource app, e.g., “https://idp.xaa.dev/saml-requester/acs”&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Audience URI (SP Entity ID)&lt;/strong&gt;: Use the SP Entity of your requestor or resource app, e.g., “https://idp.xaa.dev/saml-requester/metadata”&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Name ID format&lt;/strong&gt;: select &lt;strong&gt;EmailAddress&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Application username&lt;/strong&gt;: select &lt;strong&gt;Email&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Update application username on&lt;/strong&gt;: select &lt;strong&gt;Create and update&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;Press &lt;strong&gt;Next&lt;/strong&gt; to continue&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Press &lt;strong&gt;Finish&lt;/strong&gt; to create the Okta SAML 2.0 application.&lt;/p&gt;

&lt;p&gt;After creating the app, you’ll see more configuration options for your Okta SAML 2.0 app. You’ll make changes in more than one tab.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Sign On configuration&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Select the &lt;strong&gt;Sign On&lt;/strong&gt; tab. Locate the Metadata URL field and press Copy to save it to your clipboard. You’ll paste this URL to the SAML app metadata URL field in &lt;a href=&quot;https://xaa.dev/developer/test-resource?tab=saml-okta&quot;&gt;xaa.dev&lt;/a&gt; and save.&lt;/p&gt;

&lt;p&gt;Your SSO endpoint and Token endpoint are automatically configured.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Assignments configuration&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Navigate to the &lt;strong&gt;Assignments&lt;/strong&gt; tab and make the following configuration changes:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Select &lt;strong&gt;Assign &amp;gt; Assign to People&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;Search for your test user and select &lt;strong&gt;Assign&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;Press &lt;strong&gt;Save and Go Back&lt;/strong&gt;, then select &lt;strong&gt;Done&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;blockquote&gt;
  &lt;p&gt;&lt;strong&gt;Note&lt;/strong&gt;&lt;/p&gt;

  &lt;p&gt;If you don’t have a SAML 2.0 application representing the resource app, you will need to create one with the same steps above. However, there’s an extra configuration step for resource apps to enable XAA. Ensure your resource apps have XAA enabled. Don’t set the configuration for requesting apps.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;Resource Server extra configuration&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Navigate to the &lt;strong&gt;Resource Server&lt;/strong&gt; tab and make the following configuration changes:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Select &lt;strong&gt;Enable XAA&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Issuer URL&lt;/strong&gt;: Use your resource authorization server issuer URL. This value becomes the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;aud&lt;/code&gt; claim in the ID-JAG and cannot change without deleting and resetting the connection.&lt;/li&gt;
&lt;/ol&gt;

&lt;h3 id=&quot;register-and-configure-the-ai-agent-in-okta&quot;&gt;Register and configure the AI Agent in Okta&lt;/h3&gt;

&lt;p&gt;With your Okta SAML 2.0 requesting app configured, register a new AI Agent in Okta. The AI Agent configuration represents the relationship between the Okta SAML 2.0 app you created and your MCP Resource Application. You’ll configure credentials, add your requesting app as a delegated caller, and connect your MCP resource app as a Resource Connection.&lt;/p&gt;

&lt;p&gt;In the Okta &lt;strong&gt;Admin Console&lt;/strong&gt;:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Navigate to &lt;strong&gt;Directory &amp;gt; AI Agents&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;Select &lt;strong&gt;Register AI Agent &amp;gt; Register Manually&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;Enter a &lt;strong&gt;Name&lt;/strong&gt;, e.g., “Requesting Agent”&lt;/li&gt;
  &lt;li&gt;Select Register&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Select the AI Agent you just created to open its configuration. Configure the agent across the following tabs:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;On the &lt;strong&gt;Owners&lt;/strong&gt; tab
    &lt;ol&gt;
      &lt;li&gt;Select &lt;strong&gt;Assign individual owners&lt;/strong&gt;&lt;/li&gt;
      &lt;li&gt;Search for and add yourself as an owner&lt;/li&gt;
      &lt;li&gt;Press &lt;strong&gt;Save&lt;/strong&gt;&lt;/li&gt;
    &lt;/ol&gt;
  &lt;/li&gt;
  &lt;li&gt;On the &lt;strong&gt;Credentials&lt;/strong&gt; tab (select on the &lt;strong&gt;Requesting Agent&lt;/strong&gt; to see this tab)
    &lt;ol&gt;
      &lt;li&gt;Copy the &lt;strong&gt;AI agent ID&lt;/strong&gt;&lt;/li&gt;
      &lt;li&gt;Open the &lt;a href=&quot;xaa.dev&quot;&gt;xaa.dev&lt;/a&gt; site to add the&lt;strong&gt;AI agent ID&lt;/strong&gt; value as the &lt;strong&gt;Client ID&lt;/strong&gt; and save&lt;/li&gt;
      &lt;li&gt;Back in Okta, select the &lt;strong&gt;Add Public Key&lt;/strong&gt;, and then press &lt;strong&gt;Generate new key&lt;/strong&gt;. Okta generates a key pair and displays the private key. Under &lt;strong&gt;PEM&lt;/strong&gt;, press &lt;strong&gt;Copy to clipboard&lt;/strong&gt; and store the key safely. You’ll paste this private key into the &lt;strong&gt;Private key (PKCS8 PEM or private JWK)&lt;/strong&gt; field in &lt;a href=&quot;xaa.dev&quot;&gt;xaa.dev&lt;/a&gt; and save.&lt;/li&gt;
    &lt;/ol&gt;
  &lt;/li&gt;
  &lt;li&gt;On the &lt;strong&gt;Delegations&lt;/strong&gt; tab
    &lt;ol&gt;
      &lt;li&gt;Select &lt;strong&gt;Add Caller&lt;/strong&gt;&lt;/li&gt;
      &lt;li&gt;Search for the newly created Okta SAML requesting app&lt;/li&gt;
      &lt;li&gt;Select &lt;strong&gt;Add Caller&lt;/strong&gt; to confirm&lt;/li&gt;
    &lt;/ol&gt;
  &lt;/li&gt;
  &lt;li&gt;On the &lt;strong&gt;Resource Connections&lt;/strong&gt; tab
    &lt;ol&gt;
      &lt;li&gt;Select &lt;strong&gt;Add Resource Connection&lt;/strong&gt;. Under the &lt;strong&gt;Resource&lt;/strong&gt; section, select &lt;strong&gt;Application&lt;/strong&gt; as the &lt;strong&gt;resource type&lt;/strong&gt;.
        &lt;ol&gt;
          &lt;li&gt;Under the &lt;strong&gt;Application&lt;/strong&gt; section, choose your &lt;strong&gt;Application&lt;/strong&gt; instance – MCP (Resource App) – from the dropdown menu and paste the &lt;strong&gt;Client ID&lt;/strong&gt; at the &lt;strong&gt;Resource Authorization Server&lt;/strong&gt;.&lt;/li&gt;
        &lt;/ol&gt;
      &lt;/li&gt;
      &lt;li&gt;Under &lt;strong&gt;Scope Condition&lt;/strong&gt;, select &lt;strong&gt;Allow all&lt;/strong&gt;&lt;/li&gt;
    &lt;/ol&gt;
  &lt;/li&gt;
  &lt;li&gt;Activate the agent
    &lt;ol&gt;
      &lt;li&gt;Select the three dots (the kebab menu), to display options&lt;/li&gt;
    &lt;/ol&gt;
  &lt;/li&gt;
  &lt;li&gt;In the drop-down menu, select &lt;strong&gt;Activate&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Confirm the AI Agent configuration is complete. All checkmarks on the agent configuration page must be green.&lt;/p&gt;

&lt;h2 id=&quot;verify-your-okta-xaa-setup-on-xaadev&quot;&gt;Verify your Okta XAA setup on xaa.dev&lt;/h2&gt;

&lt;p&gt;Before we get to the next section, make sure you have the resource app URL in the resource authorization issuer (ID-JAG audience).  By this point, you’ll have every value from the checklist and your one-time Okta setup in place (AI Agent, credentials, owner, delegation, and resource connection), so we’ll add the values from Okta and the apps to walk through the flow step by step, one button per step.&lt;/p&gt;

&lt;p&gt;The screenshot below shows the SAML configuration values step on xaa.dev.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/cross-app-access-saml/xaadev-sso-e88a55e57ea2013d843abf011c4ea15ed2f86320a141ff5590156265489ae483.jpg&quot; alt=&quot;Register and test a SAML resource app form values to establish a SAML client.&quot; width=&quot;800&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;configure-saml-sso&quot;&gt;Configure SAML SSO&lt;/h3&gt;

&lt;p&gt;Press &lt;strong&gt;Start SAML login at your IdP&lt;/strong&gt; and complete the login in the pop-up.&lt;/p&gt;

&lt;p&gt;When it closes, the step turns green and shows a &lt;strong&gt;✓ Auto-discovered SSO&lt;/strong&gt; endpoint, confirming that the tester resolved the real &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.../sso/saml&lt;/code&gt; endpoint from your metadata and returned a signed SAML assertion.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/cross-app-access-saml/xaadev-saml-sso-response-e85f7a897abc9bb1ed9dccd52ae40345911c9e3212b7218ee622f2b79011eecd.jpg&quot; alt=&quot;SAML SSO code request to initiate login through your IdP.&quot; width=&quot;800&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;confirm-the-saml-assertion-exchange-for-a-refresh-token&quot;&gt;Confirm the SAML Assertion exchange for a refresh token&lt;/h3&gt;

&lt;p&gt;Press &lt;strong&gt;Exchange assertion for refresh token&lt;/strong&gt;. The tester posts the signed assertion to your IdP’s token endpoint, using &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;private_key_jwt&lt;/code&gt; authentication. A 200 means the identity provider accepted the assertion, and you now hold an opaque refresh token.&lt;/p&gt;

&lt;h3 id=&quot;verify-the-refresh-token-exchange-for-an-id-jag-token&quot;&gt;Verify the refresh token exchange for an ID-JAG token&lt;/h3&gt;

&lt;p&gt;Press &lt;strong&gt;Exchange refresh token for ID-JAG&lt;/strong&gt;. This action returns a decoded ID-JAG. Take a second to review it: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;aud&lt;/code&gt; should equal your Resource authorization issuer, and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sub_id&lt;/code&gt; should contain the SAML NameID of the user who logged in. The Resource authorization server then validates this token. A 200 OK indicates that the step succeeded.&lt;/p&gt;

&lt;h3 id=&quot;redeem-the-id-jag-for-an-access-token-at-the-resource-authorization-server&quot;&gt;Redeem the ID-JAG for an access token at the resource authorization server&lt;/h3&gt;

&lt;ul&gt;
  &lt;li&gt;Fill in your Resource AS token endpoint&lt;/li&gt;
  &lt;li&gt;Client ID and client secret of the resource app from the Resource Authorization Server&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Press &lt;strong&gt;Redeem&lt;/strong&gt; (&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;grant_type=jwt-bearer&lt;/code&gt;). If the request succeeds, you’ll receive a &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;200 OK&lt;/code&gt; response with an access token. Inspect the token in the &lt;strong&gt;Token&lt;/strong&gt; tab to verify that the&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;iss&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;aud&lt;/code&gt;, and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;scope&lt;/code&gt; claims match the values configured in your resource authorization server. This validation confirms that the authorization server accepted the ID-JAG and issued its own access token.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/cross-app-access-saml/redeem-id-jag-8042660d2adc24648d1d2ddf5c6f8bd5b44e94da74263748e38309590bfc58de.jpg&quot; alt=&quot;Redeem-ID-JAG at your Resource Authorization Server screen, showing a successful execution with a 200 OK code.&quot; width=&quot;800&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;call-the-resource-api-with-the-access-token&quot;&gt;Call the resource API with the access token&lt;/h3&gt;

&lt;p&gt;Select the request method and enter your API URL (The &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Authorization: Bearer&lt;/code&gt; header is added automatically, but you can add any other headers or a request body as needed), then press &lt;strong&gt;Send GET Request&lt;/strong&gt;. A 200 response from your endpoint is the final proof: your API accepts the access token generated by the ID-JAG exchange.&lt;/p&gt;

&lt;h3 id=&quot;prove-the-xaa-connection-end-to-end&quot;&gt;Prove the XAA connection end-to-end&lt;/h3&gt;

&lt;p&gt;A green &lt;strong&gt;Conformance passed&lt;/strong&gt; panel appears. Select &lt;strong&gt;Export conformance log (JSON)&lt;/strong&gt; to download the test results. The export includes the signed ID-JAG, the access token returned by your resource authorization server, and the API response.&lt;/p&gt;

&lt;p&gt;You can share this file with your IdP as proof that the Cross App Access integration works successfully.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/cross-app-access-saml/xaadev-conformance-97204405c2e72d134fec8e2ac9cca894236bcb2142508a3f8457814baf323967.jpg&quot; alt=&quot;Conformance passed. Export your proof. A button allows exporting a conformance log in JSON format.&quot; width=&quot;800&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;takeaways-for-implementors-who-have-both-oidc-and-saml-apps&quot;&gt;Takeaways for implementors who have both OIDC and SAML apps&lt;/h2&gt;

&lt;p&gt;If you have already implemented XAA in your OIDC apps, here’s a quick checklist to convert your SAML apps:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;The subject comes from &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sub_id&lt;/code&gt; in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;saml-nameid&lt;/code&gt; format, rather than &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sub&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;Match on every &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;saml-nameid&lt;/code&gt; member (&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;issuer&lt;/code&gt; + &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;NameID&lt;/code&gt; + &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sp_name_qualifier&lt;/code&gt;), rather than just &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;iss&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sub&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;Everything else, including token issuance rules and redemption checks, remains as is&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;learn-more-about-cross-app-access-saml-and-oauth-20&quot;&gt;Learn more about Cross App Access, SAML, and OAuth 2.0&lt;/h2&gt;

&lt;p&gt;If this guide helped you implement Cross App Access with SAML, explore these resources:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;📘 &lt;a href=&quot;https://help.okta.com/oie/en-us/content/topics/apps/apps-cross-app-access.htm&quot;&gt;Cross App Access Documentation&lt;/a&gt;: Official guides for configuring and managing Cross App Access in production.&lt;/li&gt;
  &lt;li&gt;🎙️ &lt;a href=&quot;https://www.youtube.com/watch?v=qKs4k5Y1x_s&quot;&gt;Developer Podcast on MCP and Cross App Access&lt;/a&gt;: Hear the backstory, use cases, and why this matters for developers.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Identity 101:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.okta.com/identity-101/whats-the-difference-between-oauth-openid-connect-and-saml/&quot;&gt;What’s the Difference Between OAuth, OpenID Connect, and SAML?&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.okta.com/en-in/identity-101/saml-vs-oauth/&quot;&gt;What are SAML, OAuth, and OIDC?&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.okta.com/identity-101/why-you-should-migrate-to-oauth-2-0-from-static-api-tokens/&quot;&gt;Why You Should Migrate to OAuth 2.0 From Static API Tokens&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;/blog/2023/07/27/enterprise-ready-getting-started&quot;&gt;How to Get Going with the On-Demand SaaS Apps Workshops&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Follow us on &lt;a href=&quot;https://www.linkedin.com/company/oktadev&quot;&gt;LinkedIn&lt;/a&gt; and &lt;a href=&quot;https://x.com/oktadev&quot;&gt;X&lt;/a&gt;, and subscribe to our &lt;a href=&quot;https://www.youtube.com/c/OktaDev/&quot;&gt;YouTube&lt;/a&gt; channel. Leave a comment below if you have any questions!&lt;/p&gt;
</description>
        <pubDate>Fri, 03 Jul 2026 00:00:00 -0500</pubDate>
        <link>https://developer.okta.com/blog/2026/07/03/cross-app-access-saml</link>
        <guid isPermaLink="true">https://developer.okta.com/blog/2026/07/03/cross-app-access-saml</guid>
      </item>
    
      <item>
        <title>The Builder Revolution: Why We're Shifting to Builder Advocacy</title>
        <description>&lt;p&gt;My team has officially changed its name, and it’s one I’ve been excited about for a while.&lt;/p&gt;

&lt;p&gt;My team is now Builder Advocacy, and our organization is now Builder Experience (BX). We were previously known as Developer Advocacy and Developer Success, respectively.&lt;/p&gt;

&lt;p&gt;On the surface, it might look like a simple rebranding. But it’s not. It’s a recognition of something that’s been happening in our industry for a while and has accelerated dramatically recently with this understanding: the definition of who builds things with technology has fundamentally changed.&lt;/p&gt;

&lt;h2 id=&quot;the-builder-revolution-is-already-here&quot;&gt;The builder revolution is already here&lt;/h2&gt;

&lt;p&gt;For most of computing history, “developer” meant someone who wrote code; they were someone who knew a language, understood a framework, and could navigate a terminal.&lt;/p&gt;

&lt;p&gt;That world has changed.&lt;/p&gt;

&lt;p&gt;According to the &lt;a href=&quot;https://github.blog/news-insights/octoverse/octoverse-a-new-developer-joins-github-every-second-as-ai-leads-typescript-to-1/&quot;&gt;GitHub Octoverse 2025 report&lt;/a&gt;, GitHub now has over 180 million developers, with more than one new developer joining every single second. In 2025 alone, 36 million new developers joined the platform, a 23% year-over-year increase. There are now 4.3 million AI-related repositories on GitHub, nearly double the number in 2023, and monthly contributions to AI projects reached approximately 6 million in August 2025, up 188% year over year. Nearly 80% of new developers on GitHub use GitHub Copilot within their first week.&lt;/p&gt;

&lt;p&gt;Meanwhile, the &lt;a href=&quot;https://survey.stackoverflow.co/2025/&quot;&gt;Stack Overflow Developer Survey 2025&lt;/a&gt; found that 84% of respondents are currently using or plan to use AI tools in their development work, up from 76% just a year earlier. Nearly half of all developers now use AI tools daily.&lt;/p&gt;

&lt;p&gt;AI is already part of the workflow for the majority of people building technology.&lt;/p&gt;

&lt;p&gt;But here’s the part that really matters: AI hasn’t just made developers more productive. It has dramatically expanded who can build in the first place.&lt;/p&gt;

&lt;h2 id=&quot;a-new-kind-of-builder&quot;&gt;A new kind of builder&lt;/h2&gt;

&lt;p&gt;Think about who else is building today, beyond traditional developers:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;The product manager who spins up an AI agent to automate their team’s weekly reporting.&lt;/li&gt;
  &lt;li&gt;The marketing operations analyst who connects APIs through a workflow tool like Zapier without writing a single line of code.&lt;/li&gt;
  &lt;li&gt;The IT admin who builds a customer-facing chatbot using a low-code platform in an afternoon.&lt;/li&gt;
  &lt;li&gt;The entrepreneur who vibe-codes their MVP with the help of a large language model (LLM), deploying something that would have taken a full engineering team six months just five years ago.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These people are builders. They may not call themselves developers. They may not have a degree in computer science or formal education in software. But they are creating real, production-level experiences that real users depend on, and they deserve the same quality of advocacy and support that we’ve historically directed at developers.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://developers.hubspot.com/blog&quot;&gt;HubSpot&lt;/a&gt; has begun distinguishing “builders” as a specific user persona: those who manage automations, middleware, and integrations, recognizing that the people building on their platform aren’t always traditional developers. &lt;a href=&quot;https://reinvent.awsevents.com/&quot;&gt;AWS&lt;/a&gt; has long referred to its community as “builders,” a term that appears throughout their re:Invent programming, documentation, and community initiatives. &lt;a href=&quot;https://trailhead.salesforce.com/trailblazer-community&quot;&gt;Salesforce’s legendary Trailblazer community&lt;/a&gt; has expanded to embrace AI builders alongside traditional admins and developers as agentic AI becomes central to their platform. Google took this a step further in April 2026 by &lt;a href=&quot;https://cloud.google.com/blog/topics/developers-practitioners/introducing-the-builders-hub-from-the-google-developer-program&quot;&gt;launching the Builders Hub&lt;/a&gt; through their Developer Program, even moving the URL to &lt;a href=&quot;https://builders.google&quot;&gt;builders.google&lt;/a&gt;. Google is explicitly designed for “vibe coders, AI builders, and professional developers” alike. These are not coincidences. They are signals of a broader industry shift in how we think about the people who build with our platforms.&lt;/p&gt;

&lt;h2 id=&quot;what-builder-advocacy-means&quot;&gt;What builder advocacy means&lt;/h2&gt;

&lt;p&gt;With this name change, my team is committing — a commitment to showing up for all three types of builders we serve:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Developers: traditional coders, engineers, and architects who have always been our core audience. They’re not going anywhere, and neither is our dedication to them.&lt;/li&gt;
  &lt;li&gt;AI Builders: prompt engineers, LLM integrators, AI agent creators, and machine learning (ML) practitioners who are building the next generation of intelligent systems. This community is growing at a pace we’ve never seen before.&lt;/li&gt;
  &lt;li&gt;Automators: no-code and low-code builders who connect systems, design workflows, and create value without traditional programming. They are increasingly building mission-critical infrastructure, and they deserve advocacy, documentation, and tooling that treats them as first-class citizens.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;With these name changes — from Developer Success to Builder Experience (BX), and from Developer Advocacy to Builder Advocacy — our team is saying clearly: We see all of you. We are here for all of you.&lt;/p&gt;

&lt;h2 id=&quot;ai-made-its-impact-its-not-going-away&quot;&gt;AI made its impact. It’s not going away&lt;/h2&gt;

&lt;p&gt;Some name changes are cosmetic. This one isn’t.&lt;/p&gt;

&lt;p&gt;The community building with AI isn’t concentrated in a few zip codes anymore. It is global, diverse, and growing in ways that don’t fit neatly into the old categories.&lt;/p&gt;

&lt;p&gt;The &lt;a href=&quot;https://survey.stackoverflow.co/2025/&quot;&gt;Stack Overflow Developer Survey 2025&lt;/a&gt; found that 84% of developers are now using or planning to use AI tools. Among those using AI agents, roughly 70% say agents boosted their productivity and reduced task time. The tools are proving their value in the workflow, not just in the demo.&lt;/p&gt;

&lt;p&gt;That’s the community I want to be part of. That’s the community I want to advocate for.&lt;/p&gt;

&lt;h2 id=&quot;whats-next-for-builders&quot;&gt;What’s next for builders&lt;/h2&gt;

&lt;p&gt;This name change is effective today, but it’s really the beginning of a larger journey. Our Builder Experience organization is investing in resources, content, and community programs that serve the full spectrum of builders: from the seasoned backend engineer to the AI tinkerer to the automation-first operator.&lt;/p&gt;

&lt;p&gt;And here’s what hasn’t changed. You can still find us where you always have:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;For documentation, visit our &lt;a href=&quot;https://developer.okta.com/docs/&quot;&gt;developer docs&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;For support, head to our &lt;a href=&quot;https://devforum.okta.com/&quot;&gt;developer forum&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;For helpful videos, visit our &lt;a href=&quot;https://www.youtube.com/c/OktaDev/&quot;&gt;YouTube channel&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;On social media, follow us on our &lt;a href=&quot;https://www.linkedin.com/company/oktadev&quot;&gt;LinkedIn page&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you build — whatever that means to you — we’re here for you.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Welcome to Builder Advocacy.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Remember to follow us on &lt;a href=&quot;https://x.com/oktadev&quot;&gt;X&lt;/a&gt; and subscribe to our &lt;a href=&quot;https://www.youtube.com/c/OktaDev/&quot;&gt;YouTube channel&lt;/a&gt; for more exciting content. We also want to hear from you about the topics you’d like to see and any questions you may have. Leave us a comment below!&lt;/p&gt;
</description>
        <pubDate>Tue, 30 Jun 2026 00:00:00 -0500</pubDate>
        <link>https://developer.okta.com/blog/2026/06/30/builder-revolution</link>
        <guid isPermaLink="true">https://developer.okta.com/blog/2026/06/30/builder-revolution</guid>
      </item>
    
      <item>
        <title>How Verifiable Digital Credentials Are Reshaping Trust Architecture</title>
        <description>&lt;p&gt;The identity stack is getting a new layer, and it’s already in your users’ pockets. Mobile driver’s licenses are live in dozens of U.S. states. The EU is mandating digital identity wallets for hundreds of millions of citizens. Apple Wallet and Google Wallet already hold government-issued credentials. Yet most development teams are not building for it.&lt;/p&gt;

&lt;p&gt;The layer is called Verifiable Digital Credentials. The issuer infrastructure is already live, with wallets deployed and standards stable. The industry’s verifier-side adoption is still catching up, and that’s where we’re focusing our engineering work right now.&lt;/p&gt;

&lt;p&gt;For years, when applications needed to verify a user’s age, license, or employment status, the default methods were document uploads, third-party verification APIs, and centralized storage of personally identifiable information (PII). It worked. But it accumulated cost at every step: data your infrastructure had to protect, compliance obligations that grew with every sensitive record, manual review queues that created friction, and third-party vendors holding your users’ identity data on your behalf.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/verifiable-digital-credentials/image0-cdff3ac0d51b5503ad25f9bc7f02465a951b98b7c780741b3d65db2c2d5f1a83.jpg&quot; width=&quot;800&quot; alt=&quot;blog/verifiable-digital-credentials/image0.jpg&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;p&gt;VDCs replace that model. A trusted authority, such as a DMV, a university, or an employer, issues a cryptographically signed credential. The user holds it in a wallet. Your application requests the specific proof it needs. The credential validates itself. You record the outcome and move on. No document stored. No PII beyond what the transaction required. No third party in the middle.&lt;/p&gt;

&lt;p&gt;The technical foundation relies on the &lt;strong&gt;Issuer-Holder-Verifier trust triangle&lt;/strong&gt;: the Issuer signs the credential, the Holder stores it in a digital wallet, and the Verifier, your application, requests exactly the proof it needs. This model enables selective disclosure, where a verifier can confirm a person meets an age threshold without ever seeing their date of birth, home address, or a photo of their physical ID. By moving from document collection to claim validation, you eliminate manual review queues and dramatically reduce the personal data your infrastructure is obligated to protect.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/verifiable-digital-credentials/image1-52a8315e3f336adca9499d8c13f8c5dd9980017402471b70033d273be682e9ce.jpg&quot; width=&quot;800&quot; alt=&quot;blog/verifiable-digital-credentials/image1.jpg&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This is not an incremental improvement on document uploads. It is a different architecture for how applications establish trust, one in which data collection is scoped to exactly what the transaction requires, and verification outcomes are separable from the identity artifacts that produced them.&lt;/p&gt;

&lt;p&gt;The timing matters. The standards are mature. The wallets are deployed at scale. The trust ecosystems are live. What the ecosystem needs now is verifier-side applications that implement these flows well. That gap, between where the issuer infrastructure is and where verifier-side development is, is the opportunity in front of engineering teams right now.&lt;/p&gt;

&lt;p&gt;&lt;strong class=&quot;hide&quot;&gt;Table of Contents&lt;/strong&gt;&lt;/p&gt;
&lt;ul id=&quot;markdown-toc&quot;&gt;
  &lt;li&gt;&lt;a href=&quot;#authentication-proves-identity-credentials-prove-claims&quot; id=&quot;markdown-toc-authentication-proves-identity-credentials-prove-claims&quot;&gt;Authentication proves identity. Credentials prove claims.&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#the-vdc-standards-stack-what-you-need-to-know-before-you-build&quot; id=&quot;markdown-toc-the-vdc-standards-stack-what-you-need-to-know-before-you-build&quot;&gt;The VDC standards stack: What you need to know before you build&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#verification-is-not-just-a-valid-signature&quot; id=&quot;markdown-toc-verification-is-not-just-a-valid-signature&quot;&gt;Verification is not just a valid signature&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#progressing-beyond-the-digital-credentials-api-to-production-vdc-verification&quot; id=&quot;markdown-toc-progressing-beyond-the-digital-credentials-api-to-production-vdc-verification&quot;&gt;Progressing beyond the Digital Credentials API to production VDC verification&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;#learn-more-about-verifiable-digital-credentials&quot; id=&quot;markdown-toc-learn-more-about-verifiable-digital-credentials&quot;&gt;Learn more about Verifiable Digital Credentials&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;authentication-proves-identity-credentials-prove-claims&quot;&gt;Authentication proves identity. Credentials prove claims.&lt;/h2&gt;

&lt;p&gt;The most important distinction in the VDC space is also the most commonly missed.&lt;/p&gt;

&lt;p&gt;Authentication answers one question: is this user the legitimate owner of this account? Verification answers a completely different question: can this person prove a specific attribute about themselves, their age, their license, their employment status, or their eligibility?&lt;/p&gt;

&lt;p&gt;These are not the same problem. We have spent the last decade perfecting the art of logging users in (OpenID Connect, passkeys, strong MFA), but stretching your auth layer to carry verification responsibilities it was never designed for produces login flows that collect far more than they need to, and systems that are harder to evolve as both concerns grow independently.&lt;/p&gt;

&lt;p&gt;The right architecture keeps them separate: authentication establishes the session, and VDC-based verification handles moments when a higher-trust signal is required.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/verifiable-digital-credentials/image2-4226eb7a4fd9b7616dd62b3dfae88ee9226072e0220a04ab2fb65083b40abef3.jpg&quot; width=&quot;800&quot; alt=&quot;blog/verifiable-digital-credentials/image2.jpg&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;p&gt;In practice, those moments cluster around a recognizable set of product checkpoints: age gating for regulated goods, step-up verification before sensitive account actions, professional license checks, workforce credential validation, and high-value transactions. These are the natural insertion points for VDC-based verification. Not a replacement for your auth stack, but an additional layer, deployed precisely where the cost of a trust failure is highest.&lt;/p&gt;

&lt;h2 id=&quot;the-vdc-standards-stack-what-you-need-to-know-before-you-build&quot;&gt;The VDC standards stack: What you need to know before you build&lt;/h2&gt;

&lt;p&gt;VDCs are not a single specification. They are a layered ecosystem of interoperable standards, and understanding each layer is foundational to making good architectural decisions. The stack has three layers.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/verifiable-digital-credentials/image3-57253503a0f142a443cfe5fc984d10b13cda28b01a905ed6587905e6f87b458a.jpg&quot; width=&quot;800&quot; alt=&quot;blog/verifiable-digital-credentials/image3.jpg&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Credential Formats&lt;/strong&gt; - defines what the credential is and how selective disclosure works. Two formats matter:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;SD-JWT VC&lt;/strong&gt; - selective disclosure built on JSON Web Tokens (JWTs) and developed in the IETF. This is the natural entry point for web and backend teams already working with JWT-based auth. The claims structure is familiar, and selective disclosure is native to the format. The right choice for enterprise credentials, age gating, employment and license verification.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;mdoc (ISO 18013-5/7)&lt;/strong&gt; - the format behind mobile driver’s licenses and government-issued digital IDs. A more tightly governed interoperability environment, stricter format expectations, and more prescribed wallet behavior. If your use case touches government-issued identity, this is your lane.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Protocols&lt;/strong&gt; - define how credentials move between issuers, wallets, and verifiers. Two specs from the OpenID for Verifiable Credentials family handle both sides of the lifecycle:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;OpenID4VCI&lt;/strong&gt; governs issuance - how a wallet obtains a credential from an issuer. The issuer-side handshake. &lt;strong&gt;OpenID4VP&lt;/strong&gt; governs presentation - how a wallet delivers proof of a claim to your application. It is credential-format-agnostic, supports redirect-based flows today, and supports the Digital Credentials API for web-native UX, where supported.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The W3C Digital Credentials API&lt;/strong&gt; - the runtime layer that makes this usable in a browser. Its role is directly analogous to what WebAuthn does for passkeys: it standardizes how browsers invoke credential wallets, provides users proper consent context, and eliminates the custom URL scheme and deep-link hacks that make wallet invocation brittle today.&lt;/p&gt;

&lt;p&gt;In simple terms: the &lt;strong&gt;Digital Credentials API invokes the wallet&lt;/strong&gt;, &lt;strong&gt;OpenID4VCI and OpenID4VP manage the protocol flow&lt;/strong&gt;, and &lt;strong&gt;SD-JWT VC or mdoc define the credential format&lt;/strong&gt;. These layers are complementary, not interchangeable.&lt;/p&gt;

&lt;h2 id=&quot;verification-is-not-just-a-valid-signature&quot;&gt;Verification is not just a valid signature&lt;/h2&gt;

&lt;p&gt;Verifying digital credentials requires more than cryptographic signature validation. A credential can have a mathematically valid signature and still be unacceptable in your application’s context. What determines acceptability is ecosystem trust.&lt;/p&gt;

&lt;p&gt;Two concepts are non-negotiable in any verifier-side implementation:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Trust List&lt;/strong&gt; - the curated set of issuers and signing keys your verifier accepts as authoritative. Think of it as conceptually equivalent to a browser’s root CA store. If the issuer is not on your trust list, the credential is invalid in your context regardless of signature validity.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Trust Framework&lt;/strong&gt; - the policy and governance rules defining who can participate in the ecosystem and under what conditions. This is the legal and business contract behind the cryptography.&lt;/p&gt;

&lt;p&gt;In the U.S. mDL ecosystem, for example, state DMVs publish their signing keys through the AAMVA Digital Trust Service, which serves as a trust anchor for Issuing Authority Certificate Authorities (IACAs). Your verification flow must integrate with that trust source and handle key rotation as issuers update their infrastructure. Build the trust framework integration as a first-class architectural requirement during implementation.&lt;/p&gt;

&lt;h2 id=&quot;progressing-beyond-the-digital-credentials-api-to-production-vdc-verification&quot;&gt;Progressing beyond the Digital Credentials API to production VDC verification&lt;/h2&gt;

&lt;p&gt;The browser rollout of native APIs is still progressing. Developers should not architect a flow that requires the Digital Credentials API as a hard dependency today. The most resilient path is to build on redirect-based OpenID4VP as your baseline; it works universally without specific browser dependencies, and then layer in the Digital Credentials API as a progressive enhancement to provide a first-class UX where supported.&lt;/p&gt;

&lt;p&gt;The broader trends driving VDC adoption are not speculative. Government credential infrastructure is becoming a dependency layer on which developers can build. Data minimization is shifting from best practice to legal requirement as privacy regulations tighten globally. The auth and verification layers are separating permanently as both mature independently. Managed verification platforms are closing the tooling gap by abstracting away format handling, protocol flows, and trust-source integrations, so teams do not have to build every layer from scratch.&lt;/p&gt;

&lt;p&gt;The practical path for engineering teams is incremental. Start with one verification moment in your product where the current approach creates measurable friction or accumulates unnecessary data liability. Define the minimum claim that moment actually requires. Keep it separate from your auth layer. Build something bounded. Learn from it. Expand.&lt;/p&gt;

&lt;p&gt;The identity stack is getting a new layer. The developers who understand the formats, protocols, trust model, and browser reality are the ones who will architect what comes next. That window is open now, and the gap between where issuer infrastructure is and where verifier-side development is leaves real ground to gain for teams that move early.&lt;/p&gt;

&lt;p&gt;The question for every senior engineer reading this is not whether VDCs are coming. They are already here. The question is whether your architecture is ready to meet them. &lt;a href=&quot;https://oktacredentials.dev/&quot;&gt;Explore the VDC platform beta today&lt;/a&gt;.&lt;/p&gt;

&lt;h2 id=&quot;learn-more-about-verifiable-digital-credentials&quot;&gt;Learn more about Verifiable Digital Credentials&lt;/h2&gt;

&lt;p&gt;If you’d like to explore the standards and ecosystem behind verifiable digital credentials in more detail, these resources are a good starting point.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.okta.com/identity-101/what-are-verifiable-digital-credentials/&quot;&gt;What Are Verifiable Digital Credentials?&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://oktacredentials.dev/&quot;&gt;Getting Started VDC Guide&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://openid.net/sg/openid4vc/&quot;&gt;OpenID for Verifiable Credentials - Overview&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.w3.org/TR/digital-credentials/&quot;&gt;W3C Digital Credentials API&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Follow us on &lt;a href=&quot;https://www.linkedin.com/company/oktadev&quot;&gt;LinkedIn&lt;/a&gt;, &lt;a href=&quot;https://twitter.com/oktadev&quot;&gt;Twitter&lt;/a&gt;, and subscribe to our &lt;a href=&quot;https://www.youtube.com/c/oktadev&quot;&gt;YouTube&lt;/a&gt; channel to see more content like this. If you have any questions, please comment below!&lt;/p&gt;
</description>
        <pubDate>Mon, 29 Jun 2026 00:00:00 -0500</pubDate>
        <link>https://developer.okta.com/blog/2026/06/29/verifiable-digital-credentials</link>
        <guid isPermaLink="true">https://developer.okta.com/blog/2026/06/29/verifiable-digital-credentials</guid>
      </item>
    
      <item>
        <title>Long Story Short: I Found My Place Between Code and Community</title>
        <description>&lt;p&gt;Taylor Swift once said, “Sometimes walking out is one thing that will find you the right thing.” That’s probably what happened to me. During my engineering days, all I ever wanted was to be a backend engineer, write code all day, use dark mode for IDEs, and sip coffee. And it all happened, I started as a software developer focused on shipping features, debugging all night, and building new features again. However, something felt incomplete, and being part of developer relations changed that.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/aasawari-sahasrabuddhe-intro-blog/community-collage-edb36b009ed3286a7bd7d14adb3e54ecea1029a758de6f0f2c1a8b97bab3255f.jpg&quot; alt=&quot;Aasawari speaking at conferences and working with developer communities&quot; width=&quot;800&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;from-software-developer-to-developer-relations-devrel-how-it-started&quot;&gt;From software developer to developer relations (DevRel): how it started&lt;/h2&gt;

&lt;p&gt;I was always an educator, into public speaking, and into building ideas and strategies. And as part of the Developer Relations team, I get to turn all that into work. Fortunately, I had the opportunity to wear multiple hats: community engineer, content creator, strategist, and workshop builder. And now I get to do code, community, and content, everything together.&lt;/p&gt;

&lt;p&gt;What made me stay in the community was the feeling of “Oh, that’s exactly what I was looking for. Thank you for guiding me.” That sense of connection and appreciation motivates me, and I want to foster the same feeling in others. Once someone said this, and this became my calling. Hence, I enjoy being here, closer to the community.&lt;/p&gt;

&lt;h2 id=&quot;my-technical-journey-java-spring-boot-and-beyond&quot;&gt;My technical journey: Java, Spring Boot, and beyond&lt;/h2&gt;

&lt;p&gt;Over the years, I’ve written technical content, led hands-on workshops, produced YouTube videos, and contributed as a guest author and MongoDB Champion. My technical home base is Java, and frameworks like Quarkus and Spring Boot have always held a special place in my heart. And it’s been with me since my undergraduate days and has never left. Along the way in my engineering journey, another technology that prompted a deep dive was containers; topics such as Kubernetes, Docker, CI/CD, and GitOps all piqued my interest. I have since earned recognition as a MongoDB Champion for my contributions to the community over the years.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/aasawari-sahasrabuddhe-intro-blog/mongodb-community-event-f16f0572445edeb2c382dceeb9d2cbd40aee4191c2753dd0da0003bbcf87c42f.jpg&quot; alt=&quot;Aasawari with the MongoDB community team at a local event&quot; width=&quot;800&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;why-im-joining-okta-identity-security-and-ai&quot;&gt;Why I’m joining Okta: identity, security, and AI&lt;/h2&gt;

&lt;p&gt;And now? I’m joining Okta. 
When I first thought about Okta, I thought of authentication, two-factor, and login flows. All important. But the more I dug in, the more I realized Okta is at the center of something much bigger. Identity is quietly becoming the foundation of how AI systems are trusted, accessed, and governed. That intersection of security, identity, and AI is where I want to be, and I couldn’t be more excited to explore it with all of you. While I am learning about Okta and its products, I am excited to discuss what the community is building with AI and Okta, and how we can help you on your journey.&lt;/p&gt;

&lt;h2 id=&quot;beyond-my-resume&quot;&gt;Beyond my resume&lt;/h2&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/aasawari-sahasrabuddhe-intro-blog/sunset-beach-80190c56d80baa6014de8bb83cccfa80eff32069527dfee9dd6732af7e9dde52.jpg&quot; alt=&quot;A vibrant sunset over the ocean, one of Aasawari's favourite things to chase&quot; width=&quot;800&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;p&gt;When I’m not working on code or community projects, I’m at the gym. I’ve pursued this passion religiously for the past five years, always powering through my workouts with Taylor Swift tracks. I train hard, largely so I can enjoy all the desserts the world has to offer! I’ve fallen in love with weightlifting and am proud to say I can deadlift 200 lbs. Beyond the gym, I’m always chasing the perfect sunset and scouting for the next great sweet treat.&lt;/p&gt;

&lt;p&gt;I am looking forward to building and breaking things on purpose. I’m excited to connect with you on &lt;a href=&quot;https://www.linkedin.com/in/aasawaris&quot;&gt;LinkedIn&lt;/a&gt; and &lt;a href=&quot;https://github.com/aasawariS&quot;&gt;GitHub&lt;/a&gt;, and figure it all out together.&lt;/p&gt;

&lt;p&gt;Remember to follow us on &lt;a href=&quot;https://twitter.com/oktadev&quot;&gt;Twitter&lt;/a&gt; and subscribe to our &lt;a href=&quot;https://www.youtube.com/c/OktaDev/&quot;&gt;YouTube channel&lt;/a&gt; for more exciting content. We also want to hear from you about the topics you’d like to see and any questions you may have. Leave us a comment below!&lt;/p&gt;
</description>
        <pubDate>Wed, 24 Jun 2026 00:00:00 -0500</pubDate>
        <link>https://developer.okta.com/blog/2026/06/24/aasawari-sahasrabuddhe-intro-blog</link>
        <guid isPermaLink="true">https://developer.okta.com/blog/2026/06/24/aasawari-sahasrabuddhe-intro-blog</guid>
      </item>
    
      <item>
        <title>Okta Developer Connect San Francisco 2026 Recap</title>
        <description>&lt;p&gt;“Building an agent is only half the battle. Governing it is where we get stuck.”&lt;/p&gt;

&lt;p&gt;That question came up in nearly every conversation we had with engineering managers leading up to &lt;strong&gt;&lt;a href=&quot;https://luma.com/v2tmx6bf?tk=D5BfTm&quot;&gt;Okta Developer Connect San Francisco&lt;/a&gt;&lt;/strong&gt;. The second edition of our flagship developer event series brought more than 100 developers, architects, founders, platform engineers, and security leaders to Okta HQ on April 30 for an afternoon of technical sessions, hands-on labs, and community conversations on one theme: securing identity in the age of AI.&lt;/p&gt;

&lt;h2 id=&quot;unlocking-ai-in-the-enterprise-okta-for-ai-agents-is-ga&quot;&gt;Unlocking AI in the enterprise: Okta for AI Agents is GA&lt;/h2&gt;

&lt;p&gt;The opening keynote made a point most enterprise teams are now grappling with. Identity has always been a security control. With AI agents in the picture, identity also becomes the governance layer for a class of workloads that didn’t exist a year ago: non-human, autonomous, and increasingly trusted to act on behalf of users.&lt;/p&gt;

&lt;p&gt;The keynote also marked the &lt;strong&gt;&lt;a href=&quot;https://www.okta.com/blog/ai/okta-for-ai-agents-general-availability&quot;&gt;general availability of Okta for AI Agents&lt;/a&gt;&lt;/strong&gt;. The announcement framed the problem in terms that every security leader recognizes: once an agent ships, three questions arise almost immediately, and the product answers each.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where are my agents?&lt;/strong&gt; Discovery and onboarding work across frameworks, clouds, and SaaS environments, with shadow AI detection for the agents nobody officially registers.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What can they connect to?&lt;/strong&gt; Protection rests on short-lived credentials, scoped tokens, vaulted secrets, and access controls that extend to Model Context Protocol (MCP) servers.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What can they do?&lt;/strong&gt; Governance covers the full lifecycle: access requests, certification, audit logs that stream to Security Information and Event Management (SIEM) platforms, and a kill switch that deactivates an agent that goes off-script.&lt;/p&gt;

&lt;p&gt;For the developers and architects in the room, the announcement set the tone for the rest of the day. Every session that followed answered one of those three questions in some way. You can dig deeper on the &lt;strong&gt;&lt;a href=&quot;https://www.okta.com/products/govern-ai-agent-identity/&quot;&gt;Okta for AI Agents product page&lt;/a&gt;&lt;/strong&gt; or in the &lt;strong&gt;&lt;a href=&quot;https://help.okta.com/oie/en-us/content/topics/ai-agents/ai-agents-home.htm&quot;&gt;documentation&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;

&lt;h2 id=&quot;why-this-conversation-matters-now&quot;&gt;Why this conversation matters now&lt;/h2&gt;

&lt;p&gt;Across the sessions and the AI Interview activation we ran throughout the event, one theme kept coming up: agents are arriving in production faster than most teams can govern them.&lt;/p&gt;

&lt;p&gt;Developers told us they have shifted from writing every line of code to reviewing, guiding, and orchestrating AI-generated work. Engineering teams are connecting agents to internal APIs, retrieval-augmented generation (RAG) pipelines, MCP servers, and third-party tools. Security and IAM leaders are watching it happen and asking how to apply the principles they already trust (least privilege, scoped access, auditability) to identities they didn’t anticipate when they built those controls.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A few patterns stood out from those conversations.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Agents are outpacing governance.&lt;/strong&gt; Many teams ship an agent in days. Wrapping it in policy, access reviews, and lifecycle controls takes weeks or months. The gap between “it works” and “it’s safe to leave running” is where most of the risk lives.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Static credentials are the new shadow IT.&lt;/strong&gt; Hardcoded keys, long-lived tokens, and shared service accounts are how a lot of agents reach data today. They make the demo work. They also make incidents harder to scope when something goes wrong.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;RAG has a permissions problem.&lt;/strong&gt; Retrieval-augmented generation is now the default pattern for enterprise AI. The hard part is making sure an agent retrieving documents on behalf of a user only sees what that user can access at the data layer, and not just the prompt.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Non-human identity is a real category.&lt;/strong&gt; Teams that already invested in human identity governance now realize they need an equivalent practice for agents, bots, and workloads. Naming them, owning them, and decommissioning them are no longer optional.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/okta-developer-connect-sf-recap/speakers-odc-sf-53bc09c18611797992f4429f0012fb1b495dce757ecbbd152b4b9de5361acac4.jpg&quot; alt=&quot;speakers-odc-sf&quot; width=&quot;800&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;cross-app-access-and-the-protocol-behind-it&quot;&gt;Cross App Access and the protocol behind it&lt;/h2&gt;

&lt;p&gt;Cross App Access (XAA) drew one of the most-attended sessions of the day, and for good reason. As agents move between applications, the consent model designed for users clicking buttons doesn’t hold up. Repeated prompts get fatigue clicks. Unmanaged app-to-app connections become invisible to security teams. Long-lived tokens leak.&lt;/p&gt;

&lt;p&gt;XAA introduces a model in which the enterprise identity provider mediates access between applications based on policy, rather than relying on per-user consent or app-to-app integrations. The session grounded the protocol in the OAuth context most developers already know, which made the new pieces (identity assertion and token exchange across app boundaries) easier to place.&lt;/p&gt;

&lt;p&gt;For developers, the practical takeaway is clear. If you’re building an application that needs to act on behalf of a user inside another application, the question is no longer “how do I get a token?” It’s “how does my organization want to govern this access, and how does my app respect that policy?”&lt;/p&gt;

&lt;p&gt;A hands-on walkthrough of &lt;strong&gt;&lt;a href=&quot;https://xaa.dev&quot;&gt;xaa.dev&lt;/a&gt;&lt;/strong&gt; gave attendees a chance to step through the Cross App Access flow on their own laptops. Watching identity assertion and token exchange move across a requesting app, an identity provider, and a resource app turned an otherwise dense protocol into something concrete. It gave the room a working mental model to take back to their own architectures.&lt;/p&gt;

&lt;h2 id=&quot;securing-ai-agents-with-auth0&quot;&gt;Securing AI agents with Auth0&lt;/h2&gt;

&lt;p&gt;A dedicated session walked through the identity patterns developers can adopt today when building AI applications. The framing stayed deliberately practical, organized around the four risks that show up most often when an agent starts touching real data: authenticating the user the agent acts for so context stays in the chain; using a Token Vault so agents don’t handle long-lived third-party credentials directly; asynchronous authorization so users can approve sensitive actions out of band; and fine-grained authorization so an agent only retrieves the data and triggers the actions a user can access.&lt;/p&gt;

&lt;p&gt;The session landed because these patterns map naturally to OAuth concepts most developers already know. The work isn’t learning a new identity model from scratch. It’s applying delegation, scoped tokens, and policy-driven authorization to a new kind of caller, one that doesn’t have a browser, doesn’t click “allow,” and doesn’t stop to think before acting. Explore the patterns and SDKs in &lt;strong&gt;&lt;a href=&quot;https://auth0.com/ai&quot;&gt;Auth0 for AI Agents&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;

&lt;h2 id=&quot;the-panel-what-teams-are-actually-asking-about-ai-agents&quot;&gt;The panel: What teams are actually asking about AI agents&lt;/h2&gt;

&lt;p&gt;The panel pulled the conversation out of theory and into the questions teams are wrestling with right now. An opening icebreaker about what an unsecured personal AI agent might buy if it went rogue set the tone: practical, direct, and sometimes intentionally playful.&lt;/p&gt;

&lt;p&gt;When applications already have their own access controls, does identity get the final say, or does the application remain the real gatekeeper? How do you stop MCP servers from quietly becoming a backdoor into enterprise data? Which authentication mistakes do developers most often make when they build their first agent? How do teams move from identity as an audit log they review after the fact to identity as a guardrail that enforces decisions in real time?&lt;/p&gt;

&lt;p&gt;The panel didn’t offer easy answers, and that was the point. Securing AI agents isn’t a feature you add at the end of a build. It’s a set of decisions about delegation, consent, and least privilege you need to make early, before you connect the agent to anything that matters.&lt;/p&gt;

&lt;p&gt;For developers, the practical takeaway is clear. If you’re building an application that needs to act on behalf of a user inside another application, the question is no longer “how do I get a token?” It’s “how does my organization want to govern this access, and how does my app respect that policy?”&lt;/p&gt;

&lt;h2 id=&quot;what-this-means-for-builders&quot;&gt;What this means for builders&lt;/h2&gt;

&lt;p&gt;A few takeaways from the day are worth carrying forward:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Treat agents as identities, not features.&lt;/strong&gt; The moment an agent can act on data or trigger workflows, it needs the same lifecycle treatment as a user account: ownership, scope, review, and revocation. Naming it after the application isn’t enough.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Design the consent model before the integration.&lt;/strong&gt; It’s much easier to decide who can delegate what, and how that delegation expires, before you connect an agent to a calendar, a CRM, or a document store. Once the integration goes live, every change becomes a migration.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Push authorization closer to the data.&lt;/strong&gt; Fine-grained authorization works best at the layer where decisions actually happen: the database, the vector store, the API. Token-level scopes alone don’t stop a RAG pipeline from surfacing documents outside the user’s permissions.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Plan for the agent you haven’t built yet.&lt;/strong&gt; Most teams plan to deploy more agents next year than they did this year. The patterns that feel optional today - discovery, governance, scoped credentials become foundational the moment you have a fleet to manage.&lt;/p&gt;

&lt;h2 id=&quot;community-conversations-and-the-ai-interview-activation&quot;&gt;Community, Conversations, and the AI interview activation&lt;/h2&gt;

&lt;p&gt;Beyond the sessions, the energy in the room was the hardest part to put on a slide. Attendees stayed for the hands-on lab, joined the AI Interview activation, asked sharp questions during the panel, and kept the conversation going with Okta and Auth0 engineers, product leaders, and developer advocates well past the formal close.&lt;/p&gt;

&lt;p&gt;The AI Interview activation in particular created a useful feedback loop. Developers told us how AI is reshaping their day, not in marketing terms, but in the specifics of how they review pull requests, find documentation, and decide when to trust an AI-generated answer. Those conversations are already shaping what we build and what we write next.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/okta-developer-connect-sf-recap/community-networking-e4a61b4def6fe5ea4c060428dcc9615fa4e97518aec7915bc71115ef3dac97cf.jpg&quot; alt=&quot;community&quot; width=&quot;800&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;what-comes-next&quot;&gt;What comes next&lt;/h2&gt;

&lt;p&gt;Okta Developer Connect started as a forum for the conversations that are harder to have on a webinar, the ones where developers and architects can push back, ask the awkward question, and leave with something they can actually use. The San Francisco edition continued that mission with a sharper focus on AI agents, OAuth, Cross App Access, and the identity patterns shaping the next generation of applications.&lt;/p&gt;

&lt;p&gt;If a single thread ran through the day, it was this: the teams that treat identity as part of the agent, not a wrapper around it, ship at the speed the business asks for, without trading away the controls that keep them safe.&lt;/p&gt;

&lt;p&gt;Thank you to everyone who joined us in San Francisco, asked the harder questions, and shared what you’re building. We’re looking forward to the next edition.&lt;/p&gt;

&lt;p&gt;Stay tuned for upcoming Okta Developer Connect events, and follow OktaDev on &lt;a href=&quot;https://www.linkedin.com/company/oktadev&quot;&gt;LinkedIn&lt;/a&gt;, &lt;a href=&quot;https://x.com/oktadev&quot;&gt;X&lt;/a&gt;, and &lt;a href=&quot;https://www.youtube.com/c/OktaDev/&quot;&gt;YouTube&lt;/a&gt; for new tutorials, videos, and announcements.&lt;/p&gt;
</description>
        <pubDate>Tue, 09 Jun 2026 00:00:00 -0500</pubDate>
        <link>https://developer.okta.com/blog/2026/06/09/okta-developer-connect-sf-recap</link>
        <guid isPermaLink="true">https://developer.okta.com/blog/2026/06/09/okta-developer-connect-sf-recap</guid>
      </item>
    
      <item>
        <title>The One Where I Found My Way to DevRel</title>
        <description>&lt;p&gt;If you’ve watched Friends, you’ll know that life rarely goes according to plan. One day, you’re helping a friend move a couch while yelling “Pivot!”, and the next, you’re wondering how you ended up there in the first place.&lt;/p&gt;

&lt;p&gt;My career has felt a little like that.&lt;/p&gt;

&lt;p&gt;Growing up, I was always drawn to creative pursuits. You could usually find me with a book in hand, experimenting with calligraphy, sketching something random, writing poetry, baking a new dessert, or trying out a recipe I found somewhere online. Technology wasn’t the obvious destination (even though I love building!), storytelling was.&lt;/p&gt;

&lt;p&gt;That love for explaining things eventually led me into technical writing.&lt;/p&gt;

&lt;h2 id=&quot;building-docs-for-developers&quot;&gt;Building docs for developers&lt;/h2&gt;

&lt;p&gt;I started working with startups, creating everything from API documentation and user guides to onboarding content and developer-facing resources. I loved the challenge of taking something complex and making it easier to understand. There was something deeply satisfying about helping someone go from “What does this even mean?” to “Oh, now I get it.”&lt;/p&gt;

&lt;p&gt;For a while, I thought documentation was the destination. Plot twist! It wasn’t.&lt;/p&gt;

&lt;p&gt;When I joined JDoodle (a web-based IDE), I found myself spending more time talking to developers. I wasn’t just writing for them anymore. I was listening to them, learning how they built things, understanding their frustrations, and seeing firsthand what made them excited about technology.&lt;/p&gt;

&lt;p&gt;The more conversations I had, the more I realized something. The thing I enjoyed most wasn’t just creating documentation. It was connecting with people.&lt;/p&gt;

&lt;h2 id=&quot;finding-my-place-in-devrel&quot;&gt;Finding my place in devrel&lt;/h2&gt;

&lt;p&gt;I started attending developer events and conferences. Then came product demos. Then booth duty. Then community conversations. Then hackathons. Then organizing internal events.&lt;/p&gt;

&lt;p&gt;Somewhere along the way, what started as “I need to understand developers better so I can write better documentation” turned into “I genuinely love being part of developer communities.”&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/zahwah-jameel-intro/community-events-2a08d356e7ad3396ad6a352a8b5be569f233e82db59f6b7c00b9326eb972fc1e.jpg&quot; alt=&quot;Zahwah at community events&quot; width=&quot;800&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I discovered that my favorite moments weren’t necessarily publishing a new document or updating an API reference.&lt;/p&gt;

&lt;p&gt;They were moments like:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Watching a developer finally solve a problem after a conversation.&lt;/li&gt;
  &lt;li&gt;Seeing people get excited during a product demo.&lt;/li&gt;
  &lt;li&gt;Helping organize hackathons where creativity and technology collide.&lt;/li&gt;
  &lt;li&gt;Meeting builders who were passionate about bringing their ideas to life.&lt;/li&gt;
  &lt;li&gt;Learning something new from every event I attended.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;As it turns out, the skills that drew me to writing in the first place translated surprisingly well into developer advocacy.&lt;/p&gt;

&lt;p&gt;At their core, documentation and developer advocacy are both about empathy. They require understanding your audience, telling clear stories, and helping people succeed.&lt;/p&gt;

&lt;h2 id=&quot;joining-the-okta-community&quot;&gt;Joining the Okta community&lt;/h2&gt;

&lt;p&gt;Looking back, it makes perfect sense. The person who loved books, writing, art, and storytelling didn’t leave those interests behind when entering tech. She simply found a new audience.&lt;/p&gt;

&lt;p&gt;Today, I’m incredibly excited to continue that journey at Okta.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets-jekyll/blog/zahwah-jameel-intro/office-photo-ac268e88867bee74b0eb17d8ee6b0a265be43e7bc0c09c86721079dd5d1f861c.jpg&quot; alt=&quot;Zahwah at Okta&quot; width=&quot;800&quot; class=&quot;center-image&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I’ll be working alongside developers, creators, builders, and community members who are shaping the future of identity and security. I’m looking forward to learning, sharing, creating content, attending events, and most importantly, connecting with the people who make this community so special.&lt;/p&gt;

&lt;p&gt;As Phil Dunphy said, &lt;em&gt;“When life gives you lemonade, make lemons. Life will be all like, ‘What?!’”&lt;/em&gt; My career may not have followed a traditional path, but somehow it led me exactly where I wanted to be.&lt;/p&gt;

&lt;p&gt;I’m excited to meet all of you. If you see me at an event, or find me on socials, come say hello. I’d love to hear what you’re building.&lt;/p&gt;
</description>
        <pubDate>Fri, 05 Jun 2026 00:00:00 -0500</pubDate>
        <link>https://developer.okta.com/blog/2026/06/05/zahwah-intro-blog</link>
        <guid isPermaLink="true">https://developer.okta.com/blog/2026/06/05/zahwah-intro-blog</guid>
      </item>
    
  </channel>
</rss>
