
Set up Single Sign-On with Okta

With minimal configuration effort, this connector integrates Logto with Okta for enterprise SSO.

tip:

For more information about SSO and how to configure SSO in Logto, please check out the Enterprise SSO (SAML & OIDC) documentation to get started.

Step 1: Create an OIDC application on Okta admin portal

  • Visit the Okta admin portal and sign in as an administrator.
  • Navigate to the Applications/Applications page using the side menu.
  • Click the Create App Integration button to create a new OIDC application.
  • Select the OIDC - OpenID Connect option as the Sign-in method.
  • Select the Web Application option as the Application type.

[Screenshot: Okta create application]

Click the Next button to continue.

Step 2: Configure the application settings

  1. Provide an App integration name. It will be used as the identifier of your OIDC application.
  2. Add a new Sign-in redirect URI using the Logto SSO connector's callback URL.

This is the URI to which Okta will redirect the user's browser after successful authentication. After a user successfully authenticates with the IdP, the IdP redirects the user's browser back to this designated URI along with an authorization code. Logto will complete the authentication process based on the authorization code received at this URI.

[Screenshot: Okta application settings]

  3. Assign users to the application.

Based on the Assignments settings, you can choose to assign the application to all users or specific users/groups.

[Screenshot: Okta assign users]

Click the Save button to save the application settings.

Step 3: Set up Logto connector with the client credentials

After successfully creating the OIDC application, you will be redirected to the application details page.

[Screenshot: Okta client credentials]

Copy the client ID and client secret and fill in the corresponding fields on the Logto SSO connector Connection tab.

Use your Okta domain as the issuer. Example: https://dev-12345678.okta.com. Once you have filled in all the fields, click the Save button to save the connector settings.

If the issuer URL you provided is valid, the full list of Okta IdP configuration values parsed from it is shown below the issuer field.

Step 4: Additional scopes (Optional)

Scopes define the permissions your app requests from users and control which data your app can access from their Okta accounts. Requesting additional Okta permissions requires configuration on both sides:

In Okta admin console:

  1. Navigate to Applications > Applications and select your OIDC application.
  2. Go to the Assignments tab to ensure your app has access to the required users and groups.
  3. For custom scopes, navigate to Security > API > Authorization Servers and select your authorization server.
  4. Add custom scopes if needed:
    • Click Scopes and then Add Scope
    • Define scope names like okta.users.read or okta.groups.read for accessing Okta APIs
    • Configure consent requirements for each scope

For a complete list of available scopes and their descriptions, please refer to the Okta OIDC documentation.

In Logto Okta connector:

  1. Logto automatically includes openid, profile, and email scopes to retrieve basic user identity information. You can leave the Scopes field blank if you only need basic user information.
  2. Add offline_access to the Scopes field if you plan to store tokens for persistent API access. This scope enables refresh tokens for long-lived API access.
  3. Add additional scopes (separated by spaces) in the Scopes field to request more data from Okta. For example: okta.users.read okta.groups.read

tip:

If your app requests these scopes to access Okta APIs and perform actions, make sure to enable Store tokens for persistent API access in the Logto Okta connector. See the next section for details.

Step 5: Store tokens to access Okta APIs (Optional)

If you want to call Okta APIs and perform actions with the user's authorization, Logto needs to request the specific scopes and store the resulting tokens.

  1. Add the required scopes in your Okta developer console API permissions configuration and in the Logto Okta connector.
  2. Enable Store tokens for persistent API access in Logto Okta connector. Logto will securely store Okta access and refresh tokens in the Secret Vault.
  3. To ensure refresh tokens are returned, add the offline_access scope to your Okta application permissions and include it in your Logto Okta connector scopes. This scope allows your application to maintain access to resources for extended periods.
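The issuer check in Step 3 and the scope rules in Steps 4 and 5 can be sanity-checked before saving the connector. The following is an added example, not Logto's or Okta's own code: it takes the issuer you typed, the issuer's OIDC discovery document (a constructed sample is embedded here; a real one is served at `<issuer>/.well-known/openid-configuration`), the connector's Scopes field and the Store tokens toggle, and reports configuration mismatches such as a wrong issuer, a scope the issuer does not advertise, or Store tokens enabled without `offline_access`.

```python
import json
from urllib.parse import urlparse

# Scopes Logto always requests for an OIDC SSO connector (see Step 4 above).
DEFAULT_SCOPES = ("openid", "profile", "email")

# Constructed sample of an Okta discovery document, trimmed to the fields used here.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://dev-12345678.okta.com",
    "authorization_endpoint": "https://dev-12345678.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://dev-12345678.okta.com/oauth2/v1/token",
    "jwks_uri": "https://dev-12345678.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access", "okta.users.read"],
})


def build_scope_list(extra_scopes: str) -> list[str]:
    """Merge the default scopes with the space-separated Scopes field, without duplicates."""
    scopes = list(DEFAULT_SCOPES)
    for scope in extra_scopes.split():
        if scope not in scopes:
            scopes.append(scope)
    return scopes


def check_connector_config(issuer: str, discovery_json: str, extra_scopes: str = "",
                           store_tokens: bool = False) -> list[str]:
    """Return the problems found; an empty list means the settings are consistent."""
    problems = []
    doc = json.loads(discovery_json)
    # The issuer must match the document exactly; a pasted trailing slash is tolerated.
    if doc.get("issuer") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: configured {issuer!r}, document says {doc.get('issuer')!r}")
    # Every endpoint the code flow touches must be present and served over HTTPS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url or urlparse(url).scheme != "https":
            problems.append(f"{key} missing or not https: {url!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported by this issuer")
    scopes = build_scope_list(extra_scopes)
    supported = set(doc.get("scopes_supported", []))
    for scope in scopes:
        if scope not in supported:
            problems.append(f"scope not advertised by issuer: {scope}")
    # Refresh tokens (Step 5) only arrive when offline_access is requested and supported.
    if store_tokens and "offline_access" not in scopes:
        problems.append("Store tokens is enabled but offline_access is not requested")
    if "offline_access" in scopes and "refresh_token" not in doc.get("grant_types_supported", []):
        problems.append("offline_access requested but refresh_token grant is not supported")
    return problems
```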

Step 6: Set email domains and enable the SSO connector

Provide the email domains of your organization on Logto's connector SSO experience tab. This will enable the SSO connector as an authentication method for those users.

Users with email addresses in the specified domains will be redirected to use your SSO connector as their only authentication method.

For more details about creating OIDC integration with Okta, please check Create OIDC App Integrations.