, creating an Identity Provider in Okta, testing the configuration, and creating a sign-in button.
Okta manages the connection to the IdP for your application, sitting between your application and the IdP that authenticates your users. The industry-standard term for this is Inbound Federation. When a user signs in, you can link the user’s
account to an existing Okta user profile or choose to create a new user profile using Just-In-Time (JIT) provisioning.
Configure a social Identity Provider so that your users can quickly sign up or sign in to your application by using their social Identity Provider account.
In the Admin Console, go to Security > Identity Providers.
Click Add Identity Provider, and then select
IdP.
Click Next.
In the General Settings section, define the following:
Click Finish. A page appears that displays the IdP's configuration.
Note: If you want to use a specific Redirect Domain instead of the Dynamic default, you can use either Org URL or Custom URL. See issuerMode in the Identity Provider attributes section.
Note: See the Identity Providers API for request and response examples when creating an Identity Provider in Okta using the API.
Alternatively, you can use the Authorize URL to simulate the authorization flow. The Okta Identity Provider that you created generated an authorize URL with a number of blank parameters that you can fill in to test the flow with the Identity Provider. The authorize URL initiates the authorization flow that authenticates the user with the Identity Provider.
In the URL, replace ${yourOktaDomain} with your org's base URL, and then replace the following values:
client_id: Use the client_id value from your Okta app integration. This is not the client_id from the Identity Provider. For example, 0oawjqpb2wcUAWM8C0h7.
response_type: Determines which flow is used. For the Implicit flow, use id_token. For the Authorization Code flow, use code.
response_mode: Determines how the authorization response is returned. Use fragment.
scope: Determines the claims that are returned in the ID token. Include the scopes that you want to request authorization for and separate each with a %20 (space character). You need to include at least the openid scope. You can request any of the standard OpenID Connect scopes about users, such as profile and email as well as any custom scopes specific to your Identity Provider.
redirect_uri: The location where Okta returns a browser after the user finishes authenticating with their Identity Provider. This URL must start with https and must match one of the redirect URIs that you configured in the previous section.
state: Protects against cross-site request forgery (CSRF). This can be set to any value.
nonce: A string included in the returned ID token. Use it to associate a client session with an ID token and to mitigate replay attacks. This can be set to any value.
To test your authorization URL, enter the complete authorization URL in a browser. Do this in your browser's privacy or incognito mode to avoid false positive or negative results.
If everything is configured properly:
The user is redirected to the Identity Provider's sign-in page.
After successful authentication, the user is redirected to the redirect URI that you specified, along with an #id_token= fragment in the URL. The value of this parameter is your Okta OpenID Connect ID token.
If something is configured incorrectly, the authorization response contains error information to help you resolve the issue.
Add the Identity Provider to the embedded Okta Sign-In Widget
The Okta Sign-In Widget(opens new window) is an embeddable JavaScript widget that reproduces the look and behavior of the standard Okta sign-in page. You can add a Sign in with
button to the widget by adding the following code to your Okta Sign-In Widget configuration.
Replace Your_IDP_ID with the Identity Provider ID from your Identity Provider that you created in Okta in the Create the Identity Provider in Okta section. To find your Identity Provider ID:
In the Admin console, go to Security > Identity Providers.
On the Identity Providers page, select the Identity Provider tab.
Select your Identity Provider from the list. IdP ID contains your Identity Provider ID.
Add the Identity Provider to the custom Okta-hosted sign-in page
button by adding the following code beneath the var config = OktaUtil.getSignInWidgetConfig(); line in the Sign-in page code editor of the Admin Console.
Replace Your_IDP_ID with the Identity Provider ID from your Identity Provider that you created in Okta in the Create the Identity Provider in Okta section.
Next steps
You should now understand how to add a social Identity Provider and have successfully added and tested the integration.