Internal OIDC supports both Service Provider (SP)-initiated and Identity Provider (IdP)-initiated single sign-on (SSO) flows.
When using the Okta OpenID Connect integration, the Okta user's email address must match the Internal user's email address; Internal uses the email claim from Okta to identify the user.
In Okta's Admin Portal:
Log in to the Okta Integration Network
Select 'Create New App'
Choose 'Web' for 'Platform' and 'OpenID Connect' for 'Sign on method'
Select 'Create'
Enter 'Internal OpenID Connect - OnPrem' for 'Application Name'
Enter https://{domain}/api/sso/{externalKey}/auth/ as a 'Login redirect URI', substituting your Internal domain and external key. Okta only redirects to URIs registered here, so the value must match exactly (including the trailing slash).
Select 'Save'
On the 'General' tab, select 'Edit' next to 'General Settings'
Under 'Allowed Grant Types', ensure that 'Authorization Code' and 'Implicit (Hybrid)' are selected and leave the other grant types unselected. The implicit grant returns tokens in the browser's URL fragment, so enable it only on this integration, which requires it, and not on other applications that do not.
Ensure that 'Login Initiated By' is set to 'Either Okta or App'.
Enter https://{domain}/api/sso/{externalKey}/login/ as the 'Initiate Login URI'.
Select 'Save'
Find the Client ID, Client Secret, and Okta Domain and copy them for the next steps. Treat the Client Secret as a credential: paste it only into Internal's Single Sign-On settings, and do not leave it in tickets, chat, or shared documents.
In Internal's Single Sign-On Settings:
(Screenshot: the Internal Single Sign-On drawer)
Navigate to 'Company Settings'
Select the 'Security' tab
Select 'Single Sign-On' to open the Single Sign-On drawer.
From the Single Sign-On drawer, select 'Okta OpenID Connect' from the drop down.
Referencing the values copied from the Okta Admin Portal, configure the following fields in Internal:
Okta Domain
Okta Client ID
Okta Client Secret
Click 'Save'
To test this authentication method, navigate back to the Single Sign-On drawer and select 'Test Okta Configuration'. If the configuration is correct, you'll be redirected to Okta to authenticate and then back to the Single Sign-On drawer with a confirmation. If the test fails, check that the redirect URI registered in Okta matches the one above exactly and that the email address of the Okta account you signed in with matches your Internal user's email address.
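The following is an added illustrative example, not Internal's or Okta's code, of what the SP-initiated flow configured above does on the wire and which checks the relying party must make before trusting a login: the authorization request sent to Okta's org authorization server, the state check on the callback to the registered redirect URI, and the ID token claim checks, including the requirement that the Okta email match the Internal user's email. The tenant, client ID, external key, and the sample ID token are placeholders constructed for the example; the Okta endpoints (https://{okta_domain}/oauth2/v1/authorize, issuer https://{okta_domain}) are Okta's standard org authorization server values. The example does not verify the token signature; a real relying party must verify the RS256 signature against Okta's JWKS before applying these claim checks.

```python
# Added example (not Internal's or Okta's code): the relying-party side of
# an SP-initiated OIDC authorization code login against Okta.
import base64
import json
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values (assumptions for this example, not a real tenant).
OKTA_DOMAIN = "dev-000000.okta.com"
CLIENT_ID = "0oaexampleclientid"
REDIRECT_URI = "https://internal.example.com/api/sso/EXTERNALKEY/auth/"


def build_authorize_url(okta_domain, client_id, redirect_uri, state, nonce):
    """Build the SP-initiated authorization request (authorization code grant).

    redirect_uri must exactly equal a 'Login redirect URI' registered in Okta;
    Okta refuses requests whose redirect_uri is not on that list.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",        # authorization code, not implicit
        "scope": "openid email profile",
        "redirect_uri": redirect_uri,
        "state": state,                 # CSRF protection, bound to the browser session
        "nonce": nonce,                 # replay protection, echoed back in the ID token
    }
    return f"https://{okta_domain}/oauth2/v1/authorize?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from Okta's redirect back to the SP,
    refusing it unless the state equals the one issued for this session."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"Okta returned error: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    return query["code"][0]


def make_sample_id_token(claims):
    """Construct an UNSIGNED JWT for the demo (alg=none). Real Okta tokens are
    RS256-signed and must be signature-verified against Okta's JWKS first."""
    def b64url(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64url({'alg': 'none'})}.{b64url(claims)}."


def decode_jwt_payload(token):
    """Base64url-decode the claims segment of a JWT (no signature check here)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_id_token_claims(claims, okta_domain, client_id, nonce, internal_email, now=None):
    """Standard OIDC claim checks plus the Internal rule that the Okta email
    must match the Internal user's email. Returns (ok, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != f"https://{okta_domain}":      # org authorization server issuer
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("nonce") != nonce:
        return False, "nonce mismatch"
    # Assumption: email comparison is case-insensitive; the page only says the
    # two addresses must match.
    if claims.get("email", "").lower() != internal_email.lower():
        return False, "Okta email does not match the Internal user's email"
    return True, "ok"


if __name__ == "__main__":
    state, nonce = "s3cr3tstate", "n0nce"
    print(build_authorize_url(OKTA_DOMAIN, CLIENT_ID, REDIRECT_URI, state, nonce))
    code = parse_callback(REDIRECT_URI + "?code=AUTHCODE&state=" + state, state)
    # Constructed sample token standing in for the ID token Okta would return
    # after the code is exchanged at the token endpoint.
    token = make_sample_id_token({
        "iss": f"https://{OKTA_DOMAIN}", "aud": CLIENT_ID, "nonce": nonce,
        "exp": int(time.time()) + 300, "email": "alice@example.com",
    })
    print(code, validate_id_token_claims(decode_jwt_payload(token), OKTA_DOMAIN,
                                         CLIENT_ID, nonce, "alice@example.com"))
```

The state and nonce would normally be random values generated per login and stored server-side; the claim checks run only after the code has been exchanged at Okta's token endpoint using the Client ID and Client Secret configured in Internal, and after the ID token's signature has been verified.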