Note: These instructions apply to the Okta Admin Console (Workforce Identity Cloud). If your organization uses Okta Customer Identity Cloud (Auth0), the configuration steps will differ — contact support for guidance.
Follow these steps to set up and configure Okta SSO with CloudSoda (using this link for reference):
Step 1: Create an App Integration in Okta
- Sign in to the Okta Admin Console.
- Navigate to Applications > Applications.
- Click Create App Integration.
- In the dialog:
  - Select OIDC - OpenID Connect as the Sign-in method.
  - Select Web Application as the Application type.
- Click Next.
Step 2: Configure the New Web App Integration in Okta
- Enter a name in the App integration name field.
- Under Grant type, ensure Authorization Code is selected (this is the default for web applications and cannot be cleared).
- In the Sign-in redirect URIs field, enter a temporary placeholder value (e.g., https://placeholder.example.com/callback). You will update this with the correct value from CloudSoda in a later step.
- Select the desired Assignment (controls which Okta users can access this application).
Selecting "Allow everyone in your organization to access" enables Federation Broker Mode, which grants all Okta users access to CloudSoda and disables manual user assignment. To restrict access to specific users or groups, choose "Limit access to selected groups" instead.
- Click Save. The application is created and the application detail page displays.
- Under Client Credentials, copy the Client ID.
- Copy the Client secret (click the copy icon or use the clipboard button).
Note: The Client Secret can be rotated later if needed — Okta allows you to generate new secrets and have multiple active secrets during rotation.
Step 3: Get the Issuer URL from Okta
- In the Okta Admin Console, navigate to Security > API.
- In the Authorization Servers tab, locate the default authorization server.
- Copy the Issuer URI displayed in the table (e.g., https://yourcompany.okta.com/oauth2/default).
Step 4: Configure the Identity Provider in CloudSoda
- Open CloudSoda.
- Navigate to Settings > Users (top-right).
- Click Configure SSO > Add Provider.
- In the Create Identity Provider window:
  - Enter a Name.
  - Select OIDC (Okta) from the Protocol drop-down.
  - Paste the Issuer URI from Step 3 into the Issuer field.
  - Set Authorization Flow to Authorization Code (this is the default).
  - Paste the Client ID from Step 2 into the Client ID field.
  - Enable the Confidential Client toggle.
  - Paste the Client Secret from Step 2 into the Client Secret field.
- Click Configure.
⚠️ Important: The Issuer value cannot be changed after the identity provider is saved. Verify it is correct before proceeding.
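One way to verify the Issuer value before saving, shown as an added example (not CloudSoda or Okta tooling): compare the string you are about to paste with the `issuer` field of the OpenID Connect discovery document, which must match it exactly. The function names and the sample metadata are constructed for illustration; `yourcompany.okta.com` is the placeholder host from Step 3.

```python
import json
import urllib.request
from urllib.parse import urlsplit

def discovery_url(issuer):
    # OIDC Discovery publishes metadata under the issuer path.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def fetch_metadata(issuer):
    # Network call; run it against your own Okta org.
    with urllib.request.urlopen(discovery_url(issuer), timeout=10) as resp:
        return json.load(resp)

def check_issuer(issuer, metadata):
    """Return a list of problems; an empty list means the value is safe to paste."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer must be an https URL")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query or fragment")
    # Exact string comparison: a trailing slash or a typo counts as a mismatch.
    if metadata.get("issuer") != issuer:
        problems.append("issuer mismatch: metadata says %r" % metadata.get("issuer"))
    # Step 4 selects the Authorization Code flow, so "code" must be advertised.
    if "code" not in metadata.get("response_types_supported", []):
        problems.append("response type 'code' is not advertised")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(metadata.get(key, "")).startswith("https://"):
            problems.append(key + " is missing or not https")
    return problems

# Constructed sample of a discovery document for the placeholder issuer.
ISSUER = "https://yourcompany.okta.com/oauth2/default"
SAMPLE_METADATA = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/v1/authorize",
    "token_endpoint": ISSUER + "/v1/token",
    "jwks_uri": ISSUER + "/v1/keys",
    "response_types_supported": ["code", "id_token"],
}

if __name__ == "__main__":
    # Offline demo; replace SAMPLE_METADATA with fetch_metadata(ISSUER) for a live check.
    for candidate in (ISSUER, ISSUER + "/"):
        print(candidate, "->", check_issuer(candidate, SAMPLE_METADATA) or "OK")
```

An empty result means the pasted value matches what the authorization server publishes; any listed problem should be resolved before clicking Configure.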
Step 5: Update the Redirect URI in Okta
- In CloudSoda, open the newly created Okta Identity Provider record and copy the Redirect URI.
- Return to the Okta Admin Console.
- Navigate to Applications > Applications and select your CloudSoda app integration.
- Click Edit under General Settings.
- Replace the placeholder value in Sign-in redirect URIs with the Redirect URI copied from CloudSoda.
- Click Save.
Note: The Sign-in redirect URI in Okta can be updated later if your CloudSoda URL changes (e.g., DNS changes). You can also have multiple redirect URIs if needed.
Step 6: Enable SSO in CloudSoda
- In CloudSoda, close the Identity Provider detail window.
- Click the Enable icon next to the Okta Identity Provider record.
- Open a new browser session (or incognito window) and navigate to CloudSoda. Select Log in with Okta to verify the integration.
Troubleshooting
"You are not allowed to access this app. To request access, contact an admin."
This error is typically caused by a missing Access Policy on the Okta authorization server. To resolve:
- In the Okta Admin Console, go to Security > API.
- Click on the authorization server you are using (e.g., default).
- Navigate to the Access Policies tab.
- Verify that a policy and rule exist that allow the Authorization Code grant for your application.
If no policy or rule exists, you will need to create one. Refer to Okta's Configure an access policy documentation for details.