Setting Up Okta Single Sign-On (SSO)
This page describes how to set up Okta SSO with Codefresh. For general SSO setup instructions, see the overview page.
Setting Okta as an Identity provider
- Log in to your Okta account, or create an account if you don’t have one.
- In the general Okta dashboard, click Admin to go to the Okta Admin Dashboard.
- From the list of shortcuts on the left-hand side of the screen, select Applications.
- In the Applications page, select Create App Integration.
- In the Create a New Application Integration pop-up window, select OIDC - OpenID Connect as the Sign on method and Web Application as the Application Type. Click Next to proceed.
- You will now create your OIDC integration. On the General Settings page, provide the following:
- App Integration name (e.g. Codefresh)
- Logo (optional). Feel free to download and add this picture
- Sign-in redirect URI:
https://g.codefresh.io/api/auth/<your_codefresh_client_name>/callback. You will extract your Codefresh client name a bit later in the process, so we’ll need to come back to this and update it again - for now please use a temp value such as
- Click Save to proceed.
Configure Okta integration in Codefresh
Configure the integration settings for Okta in the Codefresh UI and get the value of the Client name on saving the settings.
- In the Codefresh UI, go to the SSO Settings page, and select Okta.
- Enter the following:
- Display Name - shown as the application name in Okta.
- Client ID - your Okta application client ID (see below).
- Client secret - your Okta application client secret (see below).
- Client Host - your Okta organization URL (e.g. https://<company>.okta.com). Do not copy it from the admin view (e.g. https://<company>-admin.okta.com) because it will not work.
- Access Token (optional) - Okta API token that will be used to sync groups and users from Okta to Codefresh. The token can be generated in Okta by going to the Security tab -> API -> Tokens (see below). Read-only access permissions are needed.
- App ID - your Codefresh application ID in your Okta organization that will be used to sync groups and users from Okta to Codefresh. You can get this ID by navigating to your Codefresh app in Okta and copying it from the URL (see below).
- Once you save the Identity provider, Codefresh assigns a client-name to it which identifies the SSO configuration. Note it down.
Add the client name to the Okta application settings
Copy the Client Name generated on saving the Okta configuration settings, and update the Okta application settings.
- Return to your Okta Application General Settings, and update the following configurations with the client name generated by Codefresh:
- Login redirect URIs -
- Initiate login URI -
This concludes the SSO setup for Okta.
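A pre-flight check for the values entered in the steps above, as an added example that is not Codefresh or Okta code: it flags the admin-console host in Client Host and any temporary redirect URI left registered after the client name is known. The function names and the sample values (`acme`, `abc123`, `temp`) are hypothetical, and the https-only and exact-string-match rules are assumptions of this sketch.

```python
from urllib.parse import quote, urlsplit

# Callback format taken from the "Sign-in redirect URI" step on this page.
CALLBACK = "https://g.codefresh.io/api/auth/{name}/callback"
PREFIX = "https://g.codefresh.io/api/auth/"


def check_client_host(url):
    """Return problems found in the Client Host value (empty list means OK)."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    problems = []
    if parts.scheme != "https":
        problems.append("Client Host must be an https:// URL")
    if not host:
        return problems + ["Client Host has no hostname"]
    label = host.split(".")[0]
    if label.endswith("-admin"):  # admin console host, which the page says will not work
        org = host.replace(label, label[: -len("-admin")], 1)
        problems.append(f"admin console host used; use https://{org}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        # Assumption: the bare organization URL is expected, as in the page's example.
        problems.append("Client Host should not contain a path or query")
    return problems


def expected_redirect_uri(client_name):
    """Build the callback URI for the client name Codefresh assigned."""
    name = client_name.strip()
    if not name or any(c in name for c in "<>/ "):
        raise ValueError(f"client name looks like a placeholder: {client_name!r}")
    return CALLBACK.format(name=quote(name, safe=""))


def check_redirect_uris(registered, client_name):
    """Compare the URIs registered in Okta with the expected one, as exact strings."""
    expected = expected_redirect_uri(client_name)
    problems = []
    if expected not in registered:
        problems.append(f"missing redirect URI: {expected}")
    for uri in registered:
        if uri != expected and uri.startswith(PREFIX):
            problems.append(f"stale Codefresh redirect URI still registered: {uri}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real organization.
    print(check_client_host("https://acme-admin.okta.com"))
    print(check_redirect_uris([PREFIX + "temp/callback"], "abc123"))
```

Removing the temporary URI once the real client name is in place keeps the Okta application from accepting callbacks for an SSO configuration that does not exist.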
How Okta syncing works
Note that syncing with Okta only affects teams/groups, and not individuals/persons.
You can assign an Okta application to both groups and individual people. Codefresh will only sync people that are inside teams. Newly created people in Okta that are not assigned to a team will NOT be synced to Codefresh. You should assign them to a team first, and then they will be synced as part of the team.
Syncing of teams after initial SSO setup
There are two ways that you can set up automatic syncing of teams.
First, you can create a Codefresh pipeline that runs the CLI command
codefresh synchronize teams my-okta-client-name -t okta as explained in the pipeline sync page.
Alternatively, you can set up completely automated syncing by enabling the auto-sync toggle found in the top right of the integration:
When enabled, Codefresh syncs teams automatically every 12 hours without the need for a pipeline.
What to read next
See the overview page on how to test the integration, activate SSO for collaborators and create sync jobs.