Configuring OIDC SSO with Okta

  • Updated on Feb 13, 2025
  • Published on Jan 7, 2025
  • 6 minute(s) read
  • AF
 Prev Next

Overview

This article describes the single sign-on (SSO) integration process using the OpenID Connect (OIDC) protocol between the Syniti Knowledge Platform (SKP) and Okta. When you integrate the SKP with Okta using OIDC, you can manage and control your organization’s user account and their access to the SKP in Okta.

Prerequisites

Important!

Submit a request to Syniti Support to whitelist or trust your organization’s IdP URL within Syniti’s network and security policies.

  • You must be an SKP Administrator for your tenant that uses SKP-initiated sign-on page to configure the OIDC settings in the SKP.

    Note

    • This SKP Administrator account must be the initial administrator account (which uses a trusted domain) sent to you during the provisioning process by the Syniti’s Customer Success team.

    • If you require additional domains to get added and activated in your tenant for using the SKP-initiated sign-on page, you have to submit a request to Syniti Support.

  • Your organization must have an active Okta account.

  • Ensure that you have access to an Okta Administrator account to complete the steps in this article.

  • If your organization uses Okta Verify for multi-factor authentication (MFA) in Okta, ensure that MFA is active and functioning correctly.

Configure Okta with the SKP

Add and Configure a New Application in Okta

  1. Log into your Okta Administrator account or access https://developer.okta.com/login/ to create a developer account.

  2. Click Applications > Applications from the left navigation menu.

  3. Click Create App Integration. The Create a New App Integration dialog box is displayed.

  4. Select OIDC - OpenID Connect as the Sign-In Method.

  5. Select Web Application as the Application Type and click Next.

  6. In the App Integration Name field, enter a unique name for the SKP application and complete the following steps:

    1. In the Sign-In Redirect URIs and Sign-Out Redirect URIs fields, enter the following URLs based on your tenant region:

      SKP Tenant Region

      Sign-In Redirect URI

      Sign-Out Redirect URI

      Americas

      https://api.syniti.com/oauth/signin/callback

      https://login.syniti.com/home

      Australia

      https://api.syniti.au/oauth/signin/callback

      https://login.syniti.au/home

      EMEA

      https://api.syniti.eu/oauth/signin/callback

      https://login.syniti.eu/home

      Canada

      https://api.syniti.ca/oauth/signin/callback

      https://login.syniti.ca/home

    2. In the Assignments section, set the Controlled Access field to Skip Group Assignment for Now.

    3. Select Save.

      The General tab of the new application is displayed.

  7. In the General tab, record or copy the Client ID and Client Secret values of your new application. These values are required when configuring OIDC in the SKP.

A new application for the SKP is now created and configured with the SKP’s Sign-On and Sign-Out Redirect URIs.

Obtain Issuer URI from Okta

  1. Click Security > API from the left navigation menu and click the Authorization Servers tab.

  2. Identify the default active authorization server for your Okta account and record or copy the Issuer URI.

Access Your Metadata URI

  1. Your Okta account’s Metadata URI can be created using the following format:
    <Issuer URI>/.well-known/openid-configuration
    For example,

    Issuer URI

    Metadata URI

    https://dev-12345678.okta.com/oauth2/default

    https://dev-12345678.okta.com/oauth2/default/.well-known/openid-configuration

  2. Enter the Metadata URI in an another tab of your web browser to generate a REST API response of your Okta account.

    Important!

    The response of your Okta account’s Metadata URI contains the scopes, endpoints, and user attributes required for configuring OIDC in the SKP.

Extract Endpoints from the Metadata URI

The SKP requires the below endpoints to configure OIDC SSO with Okta. Use the table below to either replace the Issuer URI in the endpoint format with the identified Issuer URI, or extract these endpoints using their corresponding attribute names from the response of your Okta account’s Metadata URI.

Attribute Name in the Metadata Response

Endpoint Format

Example

JWKS_URI

<Issuer URI>/v1/keys

https://dev-12345678.okta.com/oauth2/default/v1/keys

authorization_endpoint

<Issuer URI>/v1/authorize

https://dev-12345678.okta.com/oauth2/default/v1/authorize

end_session_endpoint

<Issuer URI>/v1/logout

https://dev-12345678.okta.com/oauth2/default/v1/logout

token_endpoint

<Issuer URI>/v1/token

https://dev-12345678.okta.com/oauth2/default/v1/token

Configure OIDC SSO in the SKP

  1. Log into the SKP using the Syniti provisioned administrator account to access and log in using the SKP-initiated sign-on page.

    SKP-initiated sign-on page

  2. Click Admin > Single Sign-On > Configure SSO.

  3. Select OpenID Connect to enable and configure the OIDC SSO protocol in the SKP.

  4. In the SSO Configuration Name field, enter a unique name for your organization’s Okta account.

  5. Enter the following values to the corresponding fields using the data recorded from Okta and Metadata URI:

    Field Name

    Action to be Performed

    Client ID

    Enter the identified Client ID from your organization’s Okta account.

    Client Secret

    Enter the identified Client Secret from your organization’s Okta account.

    Token Scope

    Obtain the scopes from the response of the identified Metadata URI and enter them as a space-delimited list. For example, openid profile email.

    The following scopes are required:

    • openid

    • profile

    • email

    JWKS URI

    Enter the endpoint obtained from the above table in the Extract Endpoints from the Metadata URI section.

    Login URL

    Enter the endpoint obtained from the above table in the Extract Endpoints from the Metadata URI section.

    Logout URL

    Enter the endpoint obtained from the above table in the Extract Endpoints from the Metadata URI section.

    Token URL

    Enter the endpoint obtained from the above table in the Extract Endpoints from the Metadata URI section.

  6. In the User Metadata Attributes section, enter the following values extracted using the claims_supported attribute from the response of the identified Metadata URI:

    • Name: name

    • Email Address: email

    • Identifier: sub

  7. Select Save to save your configuration in the SKP. Saving the SSO details does not activate the SSO configuration.

  8. Turn on the Active toggle button to activate the SSO configuration for your tenant.

Your SSO configuration is now complete, and the SKP is integrated with your organization’s Okta account.

Verify Your SSO Configuration

Create a Test User

You'll create a temporary test user called Test User.

  1. Access your organization’s Okta account as an Administrator.

  2. Click Directory > People > Add Person. The Add Person dialog box is displayed.

  3. In the First Name field, enter Test.

  4. In the Last Name field, enter User.

  5. In the Username field, enter the email address of this temporary user.

    Note

    The Username field is a required field and must contain the email address of the user.

  6. From the Password list, select Set By Admin and enter a password as required.

  7. Deselect the User must change password on first login checkbox.

  8. Click Save.

Assign the Test User

You’ll assign the Test User to the newly created application for the SKP in Okta.

  1. Access your organization’s Okta account as an Administrator.

  2. Click Applications > Applications from the left navigation menu and access your newly created application for the SKP.

  3. Click Assignments > Assign > Assign to People. The Assign App to the People dialog box is displayed.

  4. Search for Test User and click Assign. The Test User’s information is displayed.

  5. Click Save and Go Back to the previous page in the dialog box.

  6. Click Done to complete the user assignment.

You have successfully assigned Test User to the newly created application for the SKP in your organization’s Okta account.

Test the SSO Configuration

You don’t need to create a user account for the Test User in the SKP, as your organization’s Okta account controls and manages the access required for your users in the SKP. The SKP validates the email address used for signing-in in its database and lets you sign in to the SKP. If the entered email address is a new one, then a new user with the default viewer role is created in the SKP.

  1. Open an incognito or private window in your browser.

  2. Log into the SKP using the email address of the Test User and click Next.

  3. The Login page redirects you to the Okta-initiated login page.

  4. Enter the credentials of the Test User and sign in.

The Test User with the Default Viewer role is successfully logged into the SKP using the credentials from your organization’s Microsoft Entra ID.

Refer to the Troubleshoot Your OIDC SSO Configuration section for more information on troubleshooting issues while performing the OIDC SSO configuration.

Next Steps: Assign Existing Users or Add New Users

Now that you have configured and verified your OIDC SSO configuration, you can proceed with assigning or adding the required users with appropriate roles in your organization’s Okta account.

Refer to the Assign the Test User section for more information on assigning the required users to the newly created application for the SKP.