Single Sign-On (SSO) allows people to access multiple U-M systems with a single account and password. Okta is the platform that will support the U-M SSO service going forward and provides integration protocols similar to Shibboleth, such as SAML and OIDC.
Shibboleth Proxy to Okta Began Feb 25, 2026
If you have a service, system, or application that uses Shibboleth for SSO, it is currently proxying end-user authentication to Okta.
Okta Application Integrations
As U-M migrates applications and services to directly integrate with Okta, application and service owners will have updated expectations and responsibilities for managing authentication and authorization integrations using U-M accounts. These responsibilities include maintaining accurate integration information, managing access rules and lifecycle processes, being the primary point of contact for integration setup with vendors, and meeting applicable compliance requirements. While Okta will provide U-M’s central identity and access management capabilities, application and service owners remain accountable for the proper configuration, operation, and ongoing management of their integrations with Okta.
Set up New Application Integrations with Okta
All new SAML or OIDC services and applications requested for authentication will be integrated directly with Okta. You can request a new SAML or OIDC application integration with Okta by opening a ticket with the SSO team.
You can now use a new self-service Application Management and Provisioning application (AMP) to set up your new SSH or RDP integration.
Migrate Existing Applications to Direct Integration with Okta
Instructions for using the new self-service Application Management and Provisioning application (AMP) are available below.
Migrating SSH and RDP Logins to Use Okta for MFA
- Creating an RDP Application in the AMP Application
- Creating an SSH Application in the AMP Application
Migrate Existing Applications and Services to Use Okta SSO
Applications and services that still use Shibboleth for SSO will migrate to direct integrations with Okta starting in June 2026.
Timeline
February 25, 2026
- Shibboleth proxies to Okta for authentication. Login screens and MFA transition to Okta.
- Existing Shibboleth integrations remain unchanged.
March 2026
- All new requests for SSO integration will be directly integrated with Okta.
May 2026
- Publish expectations and instructions for transitioning existing applications and services to direct integration with Okta.
- Service providers currently using Duo for SSH or RDP can now transition their applications via the self-service Application Management and Provisioning application (AMP). The go-live date is May 18.
- A series of Office Hours is scheduled for service providers to attend and ask questions.
June 2026
- Service providers who use Shibboleth SSO (SAML/OIDC) can begin transitioning their applications via the self-service AMP application.
