Frequently Asked Questions

A: For most of 2026, the authentication screen presented to the user will be the CAS login screen. Okta federates logins to CAS, so the user experience of logging in won't change. Toward the end of 2026, we will switch to using Okta's login screen.

A: Auth0 was purchased by Okta in 2021, so yes, they technically are step siblings. We recommend using libraries provided by either Okta or Auth0. Auth0 has a wider range of platform libraries (e.g., the okta website doesn't include PHP libraries, but Auth0 does). You should be able to download a library from either Okta or Auth0 without an account.

A: ces-byu-migration.oktapreview.com/.well-known/openid-configuration is public-facing and doesn't require any credentials. You can open it in a browser or make a GET call to it in Postman/Bruno/curl.

A: At present, yes. The final domain will be login.byu.edu once the system is in production.

A: During development and testing of your custom applications, yes, you can switch back and forth. Once an application is in production though, there is no going back to CAS.

A: If you are already using SAML (and wish to remain on SAML), you will need to adjust URLs. You man also need to adjust the attribute names in the SAML assertions. The new domains for the URLs will follow a pattern of https://login.byu.edu, and for non-prod, it will be https://login-cpy.byu.edu, replacing cpy with the non-prod instance you get assigned for testing out your applications.

A: SAML is and will be supported by Okta for the forseeable future. That said, the SAML spec is 20 years old and the standards committees have no plans to revisit/enhance/improve it. We strongly encourage custom applications to move to OAuth/OIDC.

A: The memberOf attribute will not be available through Okta. Instead, we encourage calling the Groups API to get a list of groups the authenticated user is a member of.