Create an OIDC integration using AIW


An OpenID Connect (OIDC) integration provides an identity layer on top of the OAuth 2.0 protocol to verify end-user identity and obtain profile information.

For information about the OpenID Connect Foundation and the full specification, see Welcome to OpenID Connect.

Before you begin

Task 1: Launch the Wizard

  1. Verify that you are using the Admin Console. If you are using the Developer Console, you need to switch over to the Admin Console. If you see < > Developer Console in the top left corner of your console, click it, then click Classic UI to switch.
  2. In the Admin Console, go to Applications > Applications.
  3. Click Add Application.
  4. Click Create New App.
  5. To create an OIDC integration, select Web, Native App, or Single Page App (SPA) as the Platform and OpenID Connect as the Sign on method.
  6. Click Create.

Task 2: Configure initial settings

The OpenID Connect App Wizard has two sections:

  1. In General Settings:
    • App name — Specify a name identifier for your integration.

      Note: The name can consist only of UTF-8 characters that are at most 3 bytes long.

    • Optional. App logo — Add a logo to accompany your integration in the Okta org. The logo must be a .png, .jpg, or .gif file and have dimensions of less than 1400 by 400 pixels. It also must be smaller than 100 kilobytes in size.
  2. In Configure OpenID Connect:
    • Login Redirect URIs — The URIs must be absolute URIs. You can specify more than one.
    • Optional. Logout Redirect URIs — The URIs must be absolute URIs. You can specify more than one.
  3. Click Save. This creates the integration and opens the settings page to configure additional options.

Task 3: Configure OIDC settings

The options in the General Settings tab are similar for all OIDC integration types. Click Edit to change any of the listed options.

Web apps

  • Select from among the different grant type options.
  • Enter one or more Login redirect URIs where Okta will send OAuth responses.
  • Enter one or more Logout redirect URIs where Okta will send relying-party initiated sign-out requests.
  • Select a Login initiated by setting to specify if the sign-in process is initiated directly by the application in the background, or if either the application or Okta can initiate the sign-in request.

    You can use the API endpoint openid-configuration to configure Okta interactions programmatically. When a web application contains the implicit value for grant_types_supported, admins can publish integrations with the Login Initiated By feature. For more information about OIDC clients and the API, see the OpenID Connect API.

  • Enter or change the Initiate login URI used to initiate the sign-in request.
  • Click Save to commit your changes.
  • If required, you can generate a new client secret. In the Client Credentials section, click Edit then click Generate New Client Secret.

Native apps

Single page apps

  • Select from among the different grant type options.
  • Enter one or more Login redirect URIs where Okta will send OAuth responses.
  • Enter one or more Logout redirect URIs where Okta will send relying-party initiated sign-out requests.
  • Select a Login initiated by setting to specify if the sign-in process is initiated directly by the application in the background, or if either the application or Okta can initiate the sign-in request.
    • If you select App Only, the application is started in the background, without an Okta tile appearing.
    • If you select Either Okta or App, your integration uses an Okta tile:
      • Select the appropriate Application visibility option.
      • Select the appropriate Login flow option. If you choose Send ID Token directly to app (Okta Simplified), you're also able to choose OIDC scopes for the flow.
      • An App Embed Link section is displayed, showing the URL that you can use to sign in to the OIDC client from outside of Okta.

    You can use the API endpoint openid-configuration to configure Okta interactions programmatically. When a web application contains the implicit value for grant_types_supported, admins can publish apps with the Login Initiated By feature. For more information about OIDC clients and the API, see the OpenID Connect API.

  • Enter or change the Initiate login URI used to initiate the sign-in request.
  • Click Save to commit your changes.
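The following Python pre-flight check, added here as an example and not part of Okta's tooling, applies the rules from Task 2 and Task 3 above to a client configuration before it is entered in the wizard: every Login or Logout redirect URI must be absolute (RFC 6749 section 3.1.2 additionally forbids a fragment component), the selected grant types must appear in the org's openid-configuration grant_types_supported list, and Login initiated by is available only when implicit is among the client's grant types. The discovery document, issuer and client values below are constructed samples.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an openid-configuration document (trimmed to the
# fields this check uses); a real one is fetched from the org's issuer.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example-org.okta.com",  # placeholder org
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
})


def redirect_uri_problems(uris):
    """List why each redirect URI would be rejected; an empty list means all OK.

    The wizard requires absolute URIs; RFC 6749 section 3.1.2 also forbids
    a fragment component in a redirection endpoint URI.
    """
    problems, seen = [], set()
    for uri in uris:
        parts = urlparse(uri)
        if not parts.scheme or not parts.netloc:
            problems.append(f"{uri}: not an absolute URI")
        if parts.fragment:
            problems.append(f"{uri}: must not contain a fragment")
        if uri in seen:
            problems.append(f"{uri}: listed more than once")
        seen.add(uri)
    return problems


def unsupported_grant_types(requested, discovery_json):
    """Grant types chosen in the wizard that the org's authorization server
    does not advertise in grant_types_supported."""
    supported = set(json.loads(discovery_json).get("grant_types_supported", []))
    return sorted(set(requested) - supported)


def can_use_login_initiated_by(client_grant_types):
    """Login initiated by requires the client to include the implicit grant."""
    return "implicit" in client_grant_types


if __name__ == "__main__":
    # Constructed client values for a demonstration run.
    uris = ["https://app.example.com/callback", "/callback", "https://app.example.com/cb#x"]
    print(redirect_uri_problems(uris))
    print(unsupported_grant_types(["authorization_code", "client_credentials"], SAMPLE_DISCOVERY))
    print(can_use_login_initiated_by(["authorization_code", "implicit"]))
```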

Task 4: Configure optional settings

Consent

This is an Early Access feature. To enable it, contact Okta Support.

If you have enabled User Consent for OAuth 2.0 Flows in API Access Management, then the following section appears in the General Settings tab for an OIDC integration.

[Screenshot: user consent section showing the Require consent check box]

If you want to prompt the user with a pop-up window to approve the integration's access to specified resources, check the Require consent box. Additionally, you can set up the consent for an OIDC scope in your custom authorization server, as described in the Create Scopes section of API Access Management.

Set the Groups Claim Filter

  1. Go to the Sign On tab and scroll down to the OpenID Connect ID Token section.
  2. Select the Groups claim type. You can select either a Filter for existing group claims, or choose an Expression to create a custom filter on a different group claim. If the value you specify in Groups claim filter matches more than 100 groups, an error occurs when the API tries to create ID tokens.

    For more information about Group claims for Single Sign-On, see Customize tokens returned from Okta.
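As an added example (not Okta's code), this Python helper previews a Groups claim filter against a constructed group list so that the more-than-100-matches error described above is caught before an ID token is requested. It assumes the four filter operators of the wizard's Filter drop-down (Starts with, Equals, Contains, Matches regex) and treats the regex as an unanchored search.

```python
import re

MAX_GROUPS_IN_CLAIM = 100  # more matches than this and ID token creation fails

# Constructed sample group names; a real org's list would come from the Groups API.
SAMPLE_GROUPS = [f"app-finance-{i:03d}" for i in range(120)] + [
    "app-hr-admins", "app-hr-users", "Everyone",
]


def matching_groups(operator, value, groups):
    """Apply one Groups claim filter to a list of group names.

    Operators are assumed to mirror the wizard's Filter drop-down; the regex
    operator is modelled as an unanchored search, which is also an assumption.
    """
    predicates = {
        "starts_with": lambda g: g.startswith(value),
        "equals": lambda g: g == value,
        "contains": lambda g: value in g,
        "regex": lambda g: re.search(value, g) is not None,
    }
    if operator not in predicates:
        raise ValueError(f"unknown filter operator: {operator}")
    return [g for g in groups if predicates[operator](g)]


def check_groups_claim_filter(operator, value, groups):
    """Return (ok, matches): ok is False when the filter matches more than
    MAX_GROUPS_IN_CLAIM groups and would therefore break ID token creation."""
    matches = matching_groups(operator, value, groups)
    return len(matches) <= MAX_GROUPS_IN_CLAIM, matches


if __name__ == "__main__":
    for operator, value in [("starts_with", "app-finance-"), ("starts_with", "app-hr-"),
                            ("regex", r"^app-hr-(admins|users)$")]:
        ok, matches = check_groups_claim_filter(operator, value, SAMPLE_GROUPS)
        print(f"{operator} {value!r}: {len(matches)} groups, {'ok' if ok else 'TOO MANY'}")
```

A filter that is too broad shows up here as TOO MANY; tighten the value (or switch to an Expression) before saving the claim.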

Next steps
