Self Hosted

Okta (Custom App - OnPrem)

Internal OIDC supports Service Provider (SP)-Initiated Authentication and Identity Provider (IdP)-Initiated Authentication (SSO) flows.

When using the Okta OpenID integration, the Okta user's email address must match the Internal user's email address.

In Okta's Admin Portal:

  1. Log in to the Okta Integration Network
  2. Select 'Create New App'
  3. Choose 'Web' for 'Platform' and 'OpenID Connect' for 'Sign on method'
  4. Select 'Create'
  5. Enter 'Internal OpenID Connect - OnPrem' for 'Application Name'
  6. Enter https://{domain}/api/sso/{externalKey}/auth/ as a 'Login redirect URI'.
  7. Select 'Save'
  8. On the 'General' tab, select 'Edit' next to 'General Settings'
  9. Under 'Allowed Grant Types', ensure that 'Authorization Code' and 'Implicit (Hybrid)' are selected.
  10. Ensure that 'Login Initiated By' is set to 'Either Okta or App'.
  11. Enter https://{domain}/api/sso/{externalKey}/login/ as the 'Initiate Login URI'.
  12. Select 'Save'
  13. Find the Client ID, Client Secret, and Okta Domain. Copy these for later reference.

In Internal's Single Sign-On Settings:

The Internal Single Sign-On Drawer

  1. Navigate to 'Company Settings'
  2. Select the 'Security' tab
  3. Select 'Single Sign-On' to open the Single Sign-On drawer.
  4. From the Single Sign-On drawer, select 'Okta OpenID Connect' from the drop-down.
  5. Referencing the values copied from the Okta Admin Portal, configure the following fields in Internal:
     - Okta Domain
     - Okta Client ID
     - Okta Client Secret
  6. Click 'Save'
  7. In order to test this authentication method, navigate back to the Single Sign-On drawer and select 'Test Okta Configuration'. If everything looks good, you'll be redirected to Okta and back to the Single Sign-On drawer with confirmation.
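
A pre-flight check for the values used in the two procedures above, added here as an example and not part of Internal's or Okta's tooling. It fills the page's two URI templates, diffs them against what was typed into Okta (OIDC matches redirect URIs as exact strings), and lists Okta email addresses with no identical Internal address. The domain, key and addresses are constructed, and because the page does not say how Internal treats letter case in email addresses, case-only differences are reported separately.

```python
"""Pre-flight check for the SSO values above (added example, constructed samples)."""
from urllib.parse import urlsplit

# URI templates exactly as given in Okta steps 6 and 11.
TEMPLATES = {
    "Login redirect URI": "https://{domain}/api/sso/{externalKey}/auth/",
    "Initiate Login URI": "https://{domain}/api/sso/{externalKey}/login/",
}

def expected_uris(domain, external_key):
    """Fill the page's templates for one deployment."""
    return {name: t.format(domain=domain, externalKey=external_key)
            for name, t in TEMPLATES.items()}

def check_uri(name, entered, domain, external_key):
    """List the problems with a URI as typed into Okta ([] means it is correct).
    OIDC compares redirect URIs as exact strings, so any difference counts."""
    want = expected_uris(domain, external_key)[name]
    if entered == want:
        return []
    got, exp, problems = urlsplit(entered), urlsplit(want), []
    if got.scheme != "https":
        problems.append("scheme is not https")
    if got.netloc != exp.netloc:
        problems.append(f"host {got.netloc!r} != {exp.netloc!r}")
    if got.path != exp.path:
        same_but_slash = got.path.rstrip("/") == exp.path.rstrip("/")
        problems.append("trailing slash differs" if same_but_slash
                        else f"path {got.path!r} != {exp.path!r}")
    if got.query or got.fragment:
        problems.append("unexpected query or fragment")
    return problems or [f"differs from {want!r}"]

def email_mismatches(okta_emails, internal_emails):
    """Okta addresses with no identical Internal address. Case-only
    differences are reported separately, not assumed to match."""
    internal = set(internal_emails)
    folded = {e.casefold() for e in internal}
    missing, case_only = [], []
    for email in okta_emails:
        if email not in internal:
            (case_only if email.casefold() in folded else missing).append(email)
    return {"missing": missing, "case_only": case_only}

if __name__ == "__main__":
    # Constructed sample values; replace with your own deployment's.
    print(check_uri("Login redirect URI",
                    "http://app.example.test/api/sso/abc123/auth",
                    "app.example.test", "abc123"))
```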