Okta SSO via OIDC
Set up Okta SSO for OIDC
Set up SSO for Okta using OIDC.
For a general overview on OIDC, see Setting up OIDC Federated SSO.
Set up OIDC SSO for Okta in Codefresh by:
- Setting up Okta as an IdP Codefreh in Okta
- Configuring SSO settings for Okta in Codefresh
- Configuring URIs in Okta
Step 1: Set up Okta as an identity provider
- Log in to your Okta account, or create an Okta account if you don’t have one.
- In the general Okta dashboard, to open the Okta Admin Dashboard, select Admin.
- From the list of shortcuts on the right, select Add Applications.
- Select Create New App.
- In the Create a New Application Integration pop-up, do the following:
- From the Platform drop-down, select Web as the platform for Codefresh.
- For the Sign on method, select OpenID Connect.
- Select Create.
- Configure OIDC integration in General Settings:
- App name (e.g. Codefresh).
- App logo (optional). Feel free to download and add this picture.
- Login redirect URI:
is generated by Codefresh when you configure SSO settings. For now, use a temp value such as `https://g.codefresh.io/api/auth/temp/callback`. * Select **Save**.
- Continue with Step 2: Configure OIDC SSO settings for Okta in Codefresh.
Step 2: Configure OIDC SSO settings for Okta in Codefresh
To configure OIDC SSO settings for Okta in Codefresh, you need the Client ID, Client Secret, Access token, and the Codefresh application ID as defined in Okta.
Before you begin
Copy the values from the following screens in Okta:
The API token generated in OKTA from Security tab >API.
This Application ID assigned to the Codefresh application in Okta.
- In the Codefresh UI, from the toolbar click the Settings icon.
- In the sidebar, from Access & Collaboration, select Single Sign-On.
- Select + Add Single Sign-On, select Okta and then click Next.
- Enter the following:
- Client Name: For-auto generation, leave empty. Codefresh generates the client name once you save the settings.
- Display Name: The Application name in OKTA.
- Access Token: Optional. The OKTA API token that you generated in Okta, used to sync groups and their users from OKTA to Codefresh.
- Client ID: The OKTA application client ID you copied from Okta (see above).
- Client Secret: The OKTA application client secret you copied from OKta (see above).
- Client Host: The OKTA organization URL, for example,
Do not copy the URL from the admin view (e.g.
https://<company>-admin.okta.com), as it will not work.
- Application ID: The Codefresh application ID in your OKTA organization, that will be used to sync groups and user from OKTA to Codefresh.
- Optional. To automatically sync teams or groups in Okta to Codefresh, select Auto group sync.
This action syncs groups every 12 hours.
Though you can assign an Okta application to both groups and individual users, Codefresh only syncs users who are part of teams.
New users in Okta, not assigned to a team, are NOT synced with Codefresh. You should first assign the user to a team for the sync to work.
- Select +Add.
Codefresh automatically generates the Client Name to which to identify the SSO configuration. Note it down.
- Click Add.
- Continue with Step 3: Configure URIs in Okta.
Step 3: Configure URIs in Okta
- In the Okta application, go to General Settings, and update the following with the client name generated by Codefresh:
- Login redirect URIs:
- Initiate login URI:
- Login redirect URIs:
You have now completed SSO setup for Okta.
How Okta syncing works
Syncing with Okta only affects teams/groups, and not individual users.
Sync teams after initial SSO setup
There are two ways to set up automatic syncing of teams:
- Pipeline running a CLI command: Create a Codefresh pipeline the runs the CLI command
codefresh synchronize teams my-okta-client-name -t oktaas explained in the pipeline sync page.
- Turn on the auto-sync toggle as part of the SSO configuration settings.:
Federated Single Sign-On (SSO) overview
Common configuration for SSO providers