This portion of the guide takes you through the steps for configuring your specific SSO integration using the Okta Admin Console.
After you create your integration in the previous task, the Admin Console opens the main settings page for your new integration. Here, you can specify General Settings and Sign On options, as well as assign the integration to users in your org. Click Edit if you need to change any of the options, and Save when you have made your changes.
Specify OIDC settings
On the General tab, in the Application area, you can rename your integration and select which grant type options are allowed.
If you only want to support direct SSO to your application (so the integration isn't launched from the Okta End-User Dashboard), then:
1. Enter one or more Login redirect URI values where Okta sends the OAuth responses.
2. Set the Login initiated by drop-down box to App Only.
3. Leave all of the remaining entries at their default values.
If you want to support launching your application from the Okta dashboard:
1. Enter one or more Login redirect URI values where Okta sends the OAuth responses.
2. (Optional) Enter one or more Logout redirect URIs where Okta sends relying-party initiated sign-out requests.
3. Change the Login initiated by field to Either Okta or App to give your integration an Okta tile.
   Note: When you select this option, an App Embed Link section appears at the bottom of the page with the URL that can be used to sign in to the OIDC client from outside of Okta.
4. Check the box for Display application icon to users.
5. Select the appropriate Login flow option. If you choose Send ID Token directly to app (Okta Simplified), you can also choose the Scopes associated with the sign-in flow.
6. Enter or change the URI used to initiate the sign-in request.
7. Click Save to commit your changes.
If required, you can generate a new client secret. In the Client Credentials section, click Edit, then Generate New Client Secret.
You can use the .well-known/openid-configuration API endpoint to configure Okta interactions programmatically. When a web integration has the implicit value set for the grant_types_supported property, then admins can publish integrations with the Login initiated by feature.
For more information, see the OpenID Connect API reference.
Consent
Note: OIDC consent is an Early Access feature. To enable it, contact Okta Support.
If you have enabled User Consent for OAuth 2.0 Flows in API Access Management, then the following section appears in the General Settings tab for an OIDC integration.
If you want to prompt your user to approve the integration's access to specified resources, select the Require consent box. Alternatively, you can set up the consent for a scope in your custom authorization, as described in the Create Scopes section of the API Access Management documentation.
Set the Groups claims filter
You can define your own Groups claims outside the default set of claims that are contained in ID tokens and access tokens.
To specify the Groups claim filter:
1. Go to the Sign On tab.
2. Click Edit in the OpenID Connect ID Token section.
The Group claim filter contains a list of the user's groups for the ID token:
- The first field identifies the claim name to use in the token.
- The second field sets a filter for the list of groups.
Note: If the value you specify in the Groups claim filter matches more than 100 groups, an error occurs when the API tries to create ID tokens.
For more detail on adding a Groups claim with tokens, see Add a Groups claim.
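
A pre-flight check for the 100-group limit noted above, as an added example (not Okta's code): it counts how many group names a proposed filter would match before you save it. The filter type names, the whole-name regex matching, and the sample group list are assumptions constructed for illustration.

```python
import re

GROUP_LIMIT = 100  # limit stated in the note on this page

# Filter type names are an assumption for this example, not an Okta API.
MATCHERS = {
    "starts_with": lambda value, name: name.startswith(value),
    "equals": lambda value, name: name == value,
    "contains": lambda value, name: value in name,
    # Assumption: a regex filter must match the whole group name.
    "regex": lambda value, name: re.fullmatch(value, name) is not None,
}


def preflight_groups_filter(filter_type, value, group_names):
    """Return (matched_names, ok) for a proposed Groups claim filter.

    ok is False when the filter matches more than GROUP_LIMIT groups.
    """
    if filter_type not in MATCHERS:
        raise ValueError(f"unknown filter type: {filter_type}")
    if filter_type == "regex":
        re.compile(value)  # surface a malformed pattern before it is saved
    match = MATCHERS[filter_type]
    matched = [name for name in group_names if match(value, name)]
    return matched, len(matched) <= GROUP_LIMIT


def sample_groups():
    """Constructed sample data: 150 project groups plus three others."""
    groups = [f"proj-{i:03d}" for i in range(150)]
    groups += ["app-admins", "app-readers", "Everyone"]
    return groups


if __name__ == "__main__":
    groups = sample_groups()
    proposals = [("regex", ".*"), ("starts_with", "proj-0"), ("starts_with", "app-")]
    for ftype, value in proposals:
        matched, ok = preflight_groups_filter(ftype, value, groups)
        status = "ok" if ok else "over limit, ID token creation would error"
        print(f"{ftype}={value!r}: {len(matched)} groups ({status})")
```

A narrow filter such as a prefix for the application's own groups also keeps unrelated group memberships out of the ID token the application receives.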