This portion of the guide takes you through the steps for configuring your specific SSO integration using the Okta Admin Console.
After you create your integration in the
task, the Admin Console opens the main settings page for your new integration. In here, you can specify previous General Settings and Sign On options, as well as assign the integration to users in your org. Click Edit if you need to change any of the options, and Save when you have made your changes. Specify OIDC settings
General tab, in the Application area, you can rename your integration and select which grant type options are allowed.
If you only want to support direct SSO to your application (so the integration isn't launched from the Okta End-User Dashboard), then:
Enter one or more Login redirect URI values where Okta sends the OAuth responses. Set the Login initiated by drop-down box to App Only. Leave all of the remaining entries at their default values.
If you want to support launching your application from the Okta dashboard:
Enter one or more Login redirect URI values where Okta sends the OAuth responses. (Optional). Enter the Logout redirect URIs where Okta redirects the browser after receiving the sign out request from the relying-party and terminating its end-user session. See Single Logout or the .
/logout API endpoint
Change the Login initiated by field to Either Okta or App to give your integration an Okta tile.
Note: When you select this option, an App Embed Link section appears at the bottom of the page with the URL that can be used to sign in to the OIDC client from outside of Okta. Check the box for Display application icon to users. Select the appropriate Login flow option. If you choose Send ID Token directly to app (Okta Simplified), you can also choose the Scopes associated with the sign-in flow. Enter or change the URI used to initiate the sign-in request. Click Save to commit your changes.
If required, you can generate a new client secret. In the
Client Credentials section, click Edit, then Generate New Client Secret.
You can use the
.well-known/openid-configuration API endpoint to configure Okta interactions programmatically. When a web integration has the
implicit value set for the
grant_types_supported property, then admins can publish integrations with the
Login initiated by feature.
For more information, see the
OpenID Connect API reference. Consent Note: OIDC consent is an Early Access feature. To enable it, contact Okta Support.
If you have enabled User Consent for OAuth 2.0 Flows in API Access Management, then the following section appears in the
General Settings tab for an OIDC integration.
If you want to prompt your user to approve the integration access to specified resources, select the
Require consent box. Alternatively, you can set up the consent for a scope in your custom authorization, as described in the Create Scopes section of the API Access Management documentation. Set the Groups claims filter
You can define your own Groups claims outside the default set of claims that are contained in ID tokens and access tokens.
To specify the Groups claim filter:
Go to the Sign On tab Click Edit in the OpenID Connect ID Token section. The Group claim filter contains a list of the user's groups for the ID token:
The first field identifies the claim name to use in the token. The second field sets a filter for the list of groups. Note: If the value you specify in the Groups claim filter matches more than 100 groups, an error occurs when the API tries to create ID tokens.
For more detail on adding a Groups claim with tokens, see
Add a Groups claim.