Build a Single Sign-On (SSO) integration

This guide teaches you how to build federated Single Sign-On with Okta for your application.

---

Learning outcomes

• Create an app integration inside your Okta org to use Okta as the Identity Provider for your app.
• Test your app integration.

What you need

• An Okta developer account. Sign up for one at https://developer.okta.com/signup/ (opens new window).
• An app to integrate with Okta

---

Overview

As an application developer, you want to give your users the ability to sign in directly to your application using Okta for identity management. To do so, your application needs to support federated Single Sign-On (SSO). In this scenario, your application relies on Okta to serve as an external Identity Provider (IdP).

Okta supports OIDC and SAML 2.0 protocols to implement SSO for your app integration.

Organizations

In a typical scenario, your application relies on Okta to act as a multi-tenant Identity Provider (IdP) for your customers' Okta organizations.

An Okta org acts as a container that sets hard boundaries for all users, applications, and other entities associated with a single customer, providing tenant-based isolation.

In developing your SSO app integration, the customer’s Okta org serves as the authorization server (OIDC) or as the IdP (SAML).

Publishing

This guide assumes that you intend to develop an app integration and make it public by publishing it in the Okta Integration Network (OIN). If you want to develop a custom app integration that is intended for private deployment within your own company, use the Okta App Integration Wizard (AIW) (opens new window) to create your app integration.

Prepare your integration

After you have decided which protocol is right for your needs, you need to gather some information for your integration.

Prepare an OIDC integration

Multi-tenancy

Okta uses a multi-tenant local credential system for OIDC. Each instance of your app integration inside a customer org has a separate set of OIDC client credentials that are used to access your application.

For example, consider a scenario where your app integration is added to 10 separate customer orgs. Seven of those customers create a single instance of your app integration. However, the other three customers each create two separate instances of your app integration so they can use different configuration options. This scenario creates a total of 13 sets of client credentials for your application that you need to track.

This multi-tenant approach is different from other IdPs that use a global credential system, where a given application has the same customer credentials across all orgs.

Prerequisites

Before you create a new OIDC integration in Okta:

1. Have your application developed and tested, with a front-end (for example, JavaScript and HTML) and back-end (for example, middleware and database software) stack, along with services available through APIs, and accepting HTTP connections.

2. Based on the type of application that you have built, determine the correct OAuth 2.0 flow that is required below the OIDC identity layer.

   For OIDC applications destined for the OIN, you can create either of the following:

   • A Web application with a dedicated server-side back-end that is capable of securely storing a Client Secret and exchanging information with an authorization server through trusted back-channel connections. Okta recommends using the Authorization Code flow with an exchange of the client credentials (Client ID and Client Secret) for controlling the access between your application and the resource server.
   • A Single Page Application (SPA) that uses an Authorization Code flow with a Proof Key for Code Exchange (PKCE). Okta recommends this method to control the access between your SPA application and a resource server.

3. Determine the sign-in redirect URIs on your system. A redirect URI is where Okta sends the authentication response and ID token during the sign-in flow. You can specify more than one URI if required.

4. Your application must support automatic credential rotation. For more information, see the /keys section in the OpenID Connect & OAuth 2.0 API reference.

Create your integration

After you have your background information, you can use the Okta Admin Console and the Application Integration Wizard (AIW) to create your SSO integration inside the Okta org associated with your developer account.

Note: Creating your SSO app integration doesn't automatically make it available in the OIN (opens new window). After you have created and tested it, you need to submit your app integration to the OIN.

1. Sign in to your Okta developer account as a user with administrative privileges.
2. In the Admin Console, go to Applications > Applications.
3. Click Create App Integration.

Create an OIDC integration

4. On the Create a new app integration page, select OpenID Connect in the Sign-in method section.
5. Choose either Web Application or Single-Page Application as the Application type for your integration. The OIN only publishes cloud-based SaaS apps, either traditional Web applications with a back-end or a modern browser-based SPA.
6. Click Next.
7. In General Settings, enter a name for your integration and (optionally) upload a logo.
8. Add your Sign-in redirect URIs and optional Sign-out redirect URIs. These URIs must be absolute URIs (opens new window), and you can specify more than one.
9. In Assignments, assign a group or leave the Everyone default. Be sure to verify that the users you want to have access are assigned to the group that you select. For instructions on how to assign the app integration to individual users and groups, see the Assign app integrations (opens new window) topic in the Okta product documentation.
10. Click Save.

Specify your integration settings

This portion of the guide takes you through the steps for configuring your specific SSO integration using the Okta Admin Console.

After you create your integration in the Create your integration step, the Admin Console opens the main settings page for your new integration. In here, you can specify General Settings and Sign On options, as well as assign the integration to users in your org. Click Edit if you need to change any of the options, and Save when you have made your changes.

Specify OIDC settings

• On the General tab, in the Application area, you can rename your app integration and select which grant type options (opens new window) are allowed.

  An OAuth 2.0 grant is the authorization granted to the client by the user. Each type of grant has a corresponding grant flow.

  The grant types permitted for an OIN app integration depend on the platform selected:

  • Web:
    • Authorization Code — mandatory for web platform applications
    • Refresh token — not supported for OIN app integrations
    • Optional. Implicit (Hybrid)
  • SPA:
    • Authorization Code
    • Implicit (Hybrid) — choose:
      • Allow ID Token with implicit grant type
      • Allow Access Token with implicit grant type

  Note: For SPA app integrations, the Authorization Code grant type always uses PKCE to verify the client. Also, the Client acting on behalf of itself grant type is not supported in OIN app integrations.

• If you only want to support direct SSO to your application (so the integration isn't launched from the Okta End-User Dashboard), then:

  1. Enter one or more Sign-in redirect URIs values where Okta sends the OAuth responses.
  2. Set the Sign-in initiated by drop-down box to App Only.
  3. Leave all of the remaining entries at their default values.

• If you want to support launching your application from the Okta dashboard:

  1. Enter one or more Sign-in redirect URIs values where Okta sends the OAuth responses.
  2. (Optional). Enter the Sign-out redirect URIs where Okta redirects the browser after it receives the sign-out request from the relying-party and terminates the end-user's session. See Configure Single Logout in app integrations (opens new window) or the /logout API endpoint.
  3. Change the Login initiated by field to Either Okta or App to give your integration an Okta tile.

     Note: When you select this option, an App Embed Link section appears at the bottom of the page with the URL that can be used to sign in to the OIDC client from outside of Okta.

  4. Select Display application icon to users.
  5. Select the Login flow option. For OIN app integrations, you must select Redirect to app to initiate login (OIDC Compliant).
  6. Enter or change the URI used to initiate the sign-in request.
  7. Click Save to commit your changes.

• If required, you can generate a new client secret. In the Client Credentials section, click Edit, then Generate New Client Secret.

Test your integration

This portion of the guide takes you through the steps required to test your integration.

Assign users

First you must assign your integration to one or more test users in your org:

1. Click the Assignments tab.
2. Click Assign and then select either Assign to People or Assign to Groups.
3. Enter the appropriate people or groups that you want to have Single Sign-On into your application, and then click Assign for each.
4. For any people that you add, verify the user-specific attributes, and then select Save and Go Back.
5. Click Done.

Test Single Sign-On

1. Sign out of your administrator account in your development org. Click Sign out in the upper-right corner of the Admin Console.
2. Sign in to the Okta End-User Dashboard as the regular user that was assigned the integration.
3. In your dashboard, click the Okta tile for the integration and confirm that the user is signed in to your application.

Test Application-initiated sign-in flow

1. Sign out of your administrator account in your development org and also sign out of your application.
2. In your browser, begin the sign-in process to your application, either through your application's sign-in button or directly by pasting one of the Sign-in redirect URIs into your web browser address bar. Regardless of which method you choose, your browser must end up at the Okta-hosted sign-in page.
3. Sign in to your regular user account on the Okta-hosted sign-in page.
4. Confirm that Okta successfully redirects back into your application.

Troubleshoot issues

If you run into issues with your sign-in process, you can try the following to troubleshoot the issues:

• In the Admin Console of your Okta development org, go to Reports > System Log and examine any failure messages reported.
• Open the Admin Console in your web browser and examine any status messages related to your authentication request. The console errors have status codes in the 4XX range. Investigate and resolve any error messages generated by your sign-in request.
• Post your questions on either the Okta Developer Forum (opens new window) or on Stack Overflow (opens new window).

Next steps

• After you complete your testing and your integration is working as expected, you can start the submission process to have your integration included in the Okta Integration Network (opens new window) catalog.
• Our Submit an app integration guide takes you through the steps required to submit your SSO integration through the OIN Manager.

See also

• Okta SAML FAQs
• Okta Developer Forum — OIDC (opens new window)
• Stack Overflow — Okta OIDC (opens new window)
• Okta Developer Forum — SAML (opens new window)
• Stack Overflow — Okta SAML (opens new window)