Improve this page on GitHub

Okta SSO via OIDC

Set up Okta SSO for OIDC

Set up SSO for Okta using OIDC.
For a general overview on OIDC, see Setting up OIDC Federated SSO.

Set up OIDC SSO for Okta in Codefresh by:

  1. Setting up Okta as an IdP Codefreh in Okta
  2. Configuring SSO settings for Okta in Codefresh
  3. Configuring URIs in Okta

Step 1: Set up Okta as an identity provider

  1. Log in to your Okta account, or create an Okta account if you don’t have one.
  2. In the general Okta dashboard, to open the Okta Admin Dashboard, select Admin.

Okta Dashboard

Okta Dashboard
  1. From the list of shortcuts on the right, select Add Applications.

Okta Applications

Okta Applications
  1. Select Create New App.

Create new application

Create new application
  1. In the Create a New Application Integration pop-up, do the following:
    • From the Platform drop-down, select Web as the platform for Codefresh.
    • For the Sign on method, select OpenID Connect.
    • Select Create.

Choose Sign-on method

Choose Sign-on method
  1. Configure OIDC integration in General Settings:
    • App name (e.g. Codefresh).
    • App logo (optional). Feel free to download and add this picture.
    • Login redirect URI: https://g.codefresh.io/api/auth/<codefresh_client_name>/callback
      where:
    is generated by Codefresh when you configure SSO settings. For now, use a temp value such as `https://g.codefresh.io/api/auth/temp/callback`. * Select **Save**.

OpenID integration

OpenID integration
  1. Continue with Step 2: Configure OIDC SSO settings for Okta in Codefresh.

Step 2: Configure OIDC SSO settings for Okta in Codefresh

To configure OIDC SSO settings for Okta in Codefresh, you need the Client ID, Client Secret, Access token, and the Codefresh application ID as defined in Okta.

Before you begin
Copy the values from the following screens in Okta:

Client ID and secret

Client ID and secret

The API token generated in OKTA from Security tab >API.

API token in Okta to use as Access token

API token in Okta to use as Access token

This Application ID assigned to the Codefresh application in Okta.

App ID

App ID

How to

  1. In the Codefresh UI, from the toolbar click the Settings icon.
  2. In the sidebar, from Access & Collaboration, select Single Sign-On.
  3. Select + Add Single Sign-On, select Okta and then click Next.

SSO settings for Okta in Codefresh

SSO settings for Okta in Codefresh
  1. Enter the following:
    • Client Name: For-auto generation, leave empty. Codefresh generates the client name once you save the settings.
    • Display Name: The Application name in OKTA.
    • Access Token: Optional. The OKTA API token that you generated in Okta, used to sync groups and their users from OKTA to Codefresh.
    • Client ID: The OKTA application client ID you copied from Okta (see above).
    • Client Secret: The OKTA application client secret you copied from OKta (see above).
    • Client Host: The OKTA organization URL, for example, https://<company>.okta.com.
      Do not copy the URL from the admin view (e.g. https://<company>-admin.okta.com), as it will not work.
    • Application ID: The Codefresh application ID in your OKTA organization, that will be used to sync groups and user from OKTA to Codefresh.
  2. Optional. To automatically sync teams or groups in Okta to Codefresh, select Auto group sync.
    This action syncs groups every 12 hours.

    Though you can assign an Okta application to both groups and individual users, Codefresh only syncs users who are part of teams.
    New users in Okta, not assigned to a team, are NOT synced with Codefresh. You should first assign the user to a team for the sync to work.

  3. Select +Add.
    Codefresh automatically generates the Client Name to which to identify the SSO configuration. Note it down.

Client name

Client name
  1. Click Add.
  2. Continue with Step 3: Configure URIs in Okta.

Step 3: Configure URIs in Okta

  1. In the Okta application, go to General Settings, and update the following with the client name generated by Codefresh:
    • Login redirect URIs: https://g.codefresh.io/api/auth/<codefresh_client_name>/callback
    • Initiate login URI: https://g.codefresh.io/api/auth/<codefresh_client_name>

You have now completed SSO setup for Okta.

How Okta syncing works

Syncing with Okta only affects teams/groups, and not individual users.

Sync teams after initial SSO setup

There are two ways to set up automatic syncing of teams:

  • Pipeline running a CLI command: Create a Codefresh pipeline the runs the CLI command codefresh synchronize teams my-okta-client-name -t okta as explained in the pipeline sync page.
  • Turn on the auto-sync toggle as part of the SSO configuration settings.:

Automatic team syncing

Automatic team syncing

Federated Single Sign-On (SSO) overview
Common configuration for SSO providers