This portion of the guide takes you through the steps for configuring your specific SSO integration using the Okta Admin Console.
After you create your integration in the previous task, the Admin Console opens the main settings page for your new integration. Here you can specify General Settings and Sign On options, as well as assign the integration to users in your org. Click Edit if you need to change any of the options, and Save when you have made your changes.

Specify OIDC settings
On the General tab, in the Application area, you can rename your app integration and select which grant type options are allowed.
An OAuth 2.0 grant is the authorization granted to the client by the user. Each type of grant has a corresponding
The grant types permitted for an OIN app integration depend on the platform selected:

Web:
- Authorization Code: mandatory for web platform applications
- Refresh token: not supported for OIN app integrations
- Implicit (Hybrid): optional

SPA:
- Authorization Code
- Implicit (Hybrid): choose
  - Allow ID Token with implicit grant type
  - Allow Access Token with implicit grant type

Note: For SPA app integrations, the Authorization Code grant type always uses PKCE to verify the client. Also, the Client acting on behalf of itself grant type is not supported in OIN app integrations.
If you only want to support direct SSO to your application (so the integration isn't launched from the Okta End-User Dashboard), then:
1. Enter one or more Sign-in redirect URIs values where Okta sends the OAuth responses.
2. Set the Sign-in initiated by drop-down box to App Only.
3. Leave all of the remaining entries at their default values.
If you want to support launching your application from the Okta dashboard:
1. Enter one or more Sign-in redirect URIs values where Okta sends the OAuth responses.
2. (Optional) Enter the Sign-out redirect URIs where Okta redirects the browser after it receives the sign-out request from the relying party and terminates the end user's session. See Configure Single Logout in app integrations or the /logout API endpoint.
3. Change the Login initiated by field to Either Okta or App to give your integration an Okta tile. Note: When you select this option, an App Embed Link section appears at the bottom of the page with the URL that can be used to sign in to the OIDC client from outside of Okta.
4. Select Display application icon to users.
5. Select the Login flow option. For OIN app integrations, you must select Redirect to app to initiate login (OIDC Compliant).
6. Enter or change the URI used to initiate the sign-in request.
7. Click Save to commit your changes.
If required, you can generate a new client secret. In the Client Credentials section, click Edit, then Generate New Client Secret.
You can use the .well-known/openid-configuration API endpoint to configure Okta interactions programmatically. When a web app integration has the implicit value set for the grant_types_supported property, admins can publish integrations with the Login initiated by feature. For more information, see the OpenID Connect API reference.
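As an added example, not part of Okta's documentation or tooling, the following Python reads a discovery document of the shape served by .well-known/openid-configuration and reports what it implies for the grant rules above and for the Login initiated by feature, and sanity-checks a Sign-in redirect URI before you enter it. The sample document, the org name example.okta.com and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit
from urllib.request import urlopen
# Constructed sample of an org's discovery document, trimmed to the fields checked below.
# A live copy is served at https://{yourOktaDomain}/.well-known/openid-configuration
SAMPLE_DISCOVERY = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "end_session_endpoint": "https://example.okta.com/oauth2/v1/logout",
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
}

def fetch_discovery(issuer: str) -> dict:
    """Fetch the live document for an org (network call; the demo below uses the sample instead)."""
    with urlopen(issuer.rstrip("/") + "/.well-known/openid-configuration", timeout=10) as resp:
        return json.load(resp)

def review_discovery(doc: dict, platform: str) -> dict:
    """Compare what the org advertises with the OIN grant rules for platform 'web' or 'spa'."""
    grants = set(doc.get("grant_types_supported", []))
    pkce = set(doc.get("code_challenge_methods_supported", []))
    result = {
        "authorization_code": "authorization_code" in grants,
        # implicit in grant_types_supported is what lets admins publish with "Login initiated by"
        "login_initiated_by_available": "implicit" in grants,
        "pkce_s256": "S256" in pkce,
        "has_logout_endpoint": "end_session_endpoint" in doc,
        "notes": [],
    }
    if platform == "web" and not result["authorization_code"]:
        result["notes"].append("web platform requires the Authorization Code grant")
    if platform == "spa" and not result["pkce_s256"]:
        result["notes"].append("SPA Authorization Code always uses PKCE, but S256 is not advertised")
    if "refresh_token" in grants:
        result["notes"].append("org advertises refresh_token, which OIN app integrations cannot use")
    return result

def check_redirect_uri(uri: str) -> list:
    """Sanity-check a Sign-in redirect URI before saving it: absolute, https (http only for
    localhost) and no fragment, which RFC 6749 forbids in redirect URIs."""
    parts = urlsplit(uri)
    problems = []
    if not parts.scheme or not parts.netloc:
        problems.append("not an absolute URI")
    elif parts.scheme != "https" and not (parts.scheme == "http" and parts.hostname == "localhost"):
        problems.append("must use https (http is acceptable only for localhost)")
    if parts.fragment:
        problems.append("fragment component is not allowed")
    return problems
```

Run review_discovery(fetch_discovery("https://{yourOktaDomain}"), "spa") against your own org to see the live values; the sample reports refresh_token as advertised by the org even though it cannot be enabled for an OIN app integration.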