Skip to main content
Version: v4.3

Okta

This guide walks you through the process of setting up Single Sign-On (SSO) with Okta for the platform. By following these steps, you'll enable seamless authentication for your users through Okta.

  1. Create A New App In Okta

    Start by creating a new Okta App for the platform.

    Create App for the platform
    Okta - Create a new App in Okta

    Select "Web" App and ensure OpenID Connect is the single sign-on method.

    Create App for the platform

    Okta - Web App with OpenID Connect as single sign on method

    On the next screen, configure the login redirect URIs to include your platform instance domain:

    Configure login redirect URI
    # Replace ${my-loft-domain.com} with your platform domain
    https://${my-loft-domain.com}/auth/oidc/callback
    Create App for the platform
    Okta - The App settings for the platform

  2. Enable Refresh Tokens

    After creating the Okta app for the platform, enable "Refresh Token" under "Allowed grant types". This step is crucial as it allows users to maintain their session without frequent re-logins.

    Create App for the platform
    Okta - App Settings: Enable Refresh Tokens

  3. Enable Group Claims

    If you want to propagate the users groups to the platform, then make sure the Group Filters in Okta are set accordingly. If you want to propagate all groups, add a RegEx filter with '.*'

    Okta Assign People
    Okta - Propagate User Groups To the platform

  4. Configure platform to use Okta

    Create App for the platform
    Okta - Client ID and Secret For App

    Navigate to Admin > Config in the platform and enter the following configuration:

    Configure the platform for Okta integration
    auth:
      oidc:
        issuerUrl: "https://${MY-OKTA-SUBDOMAIN}.okta.com"
        clientId: CLIENT_ID
        clientSecret: CLIENT_SECRET
        groupsClaim: groups
        # This is needed because Okta uses thin id tokens
        # that do not contain the groups directly
        getUserInfo: true

    The groupsClaim field specifies where to find group information in the token, and getUserInfo is set to true to retrieve additional user information from Okta.

    Okta Assign Peoples
    Configure the platform To Use Okta

  5. Add Users via Okta Assignments

    Assign the appropriate Users and Groups to access the platform in Okta.

    Okta Assign People
    Okta - Assign Users & Groups To the platform

    Once users or their groups are assigned to the platform, they can log in via Okta:

    Okta Assign People
    The platform - SSO via Okta

  6. Disable Username + Password Authentication (optional)

    To turn off password-based authentication, navigate to Admin > Config add these two lines to your config:

    Disable password-based authentication
    auth:
      oidc: ...             # This is your SSO configuration (make sure this is working!)
      password:
        disabled: true      # Disable password-based authentication