For more information, see Authentication & Authorization Services.
Single Sign-On (SSO) allows people to access multiple U-M systems with a single account and password. Okta is the platform that will support the U-M SSO service going forward and provides integration protocols similar to Shibboleth, such as SAML and OIDC.
Shibboleth Proxy to Okta Began Feb 25, 2026
If you have a service, system, or application that uses Shibboleth for SSO, it is currently proxying end-user authentication to Okta.
Okta Application Integrations
As U-M migrates applications and services to directly integrate with Okta, application and service owners will have updated expectations and responsibilities for managing authentication and authorization integrations using U-M accounts. These responsibilities include maintaining accurate integration information, managing access rules and lifecycle processes, being the primary point of contact for integration setup with vendors, and meeting applicable compliance requirements. While Okta will provide U-M’s central identity and access management capabilities, application and service owners remain accountable for the proper configuration, operation, and ongoing management of their integrations with Okta.
Additional details about application and service owner expectations are available on the U-M Okta | Application Integrations - Requirements and Responsibilities page.
Set Up New Application Integrations with Okta
Use the self-service Application Management and Provisioning application (AMP) to set up your direct application integration to Okta. Please note that you must be connected to a campus network or VPN to access the AMP application.
Important: For RDP, SAML, and OIDC integrations, please wait at least 8 hours after receiving your Okta credentials from AMP before completing your application's configuration or making it available to users. This allows time for Okta to assign access to eligible users. If the application is launched sooner, some users may be unable to sign in.
For the new self-service OIDC and SAML options, please note:
- Attributes: Released attributes are currently limited. Please refer to the available attribute documentation for details.
- MCommunity groups: If your service uses MCommunity groups for authorization, group aliases cannot be used and will not be selectable in AMP.
Migrate Existing Applications to Direct Integration with Okta
Instructions for using the new self-service Application Management and Provisioning application (AMP) are available below.
Migrating SSH and RDP Logins to Use Okta for MFA
- Creating an RDP Application in the AMP Application
- Creating an SSH Application in the AMP Application
Migrating SAML and OIDC Applications and Services to Use Okta SSO
- Creating a SAML Application in the AMP Application
- Creating an OIDC Application in the AMP Application
Timeline
February 25, 2026
- Shibboleth proxies to Okta for authentication. Login screens and MFA transition to Okta.
- Existing Shibboleth integrations remain unchanged.
March 2026
- All new requests for SSO integration will be directly integrated with Okta.
May 2026
- Publish expectations and instructions for transitioning existing applications and services to direct integration with Okta.
- Service providers currently using Duo for SSH or RDP can now transition their applications via the self-service Application Management and Provisioning (AMP) application.
- A series of Office Hours is scheduled for service providers to attend and ask questions.
June 2026
- Service providers who use Shibboleth SSO (SAML/OIDC) can now transition their applications via the self-service Application Management and Provisioning (AMP) application.
December 1, 2026
- All systems and applications must migrate off Duo by Dec. 1, 2026.
