Create an OIDC integration using AIW


An OpenID Connect (OIDC) integration provides an identity layer on top of the OAuth 2.0 protocol to verify end-user identity and obtain profile information.

For detailed information about the OpenID Connect Foundation and to review the detailed specification, see Welcome to OpenID Connect.

Before you begin

Task 1: Launch the Wizard

  1. Verify that you are using the Admin Console. If you are using the Developer Console, you need to switch over to the Admin Console. If you see < > Developer Console in the top left corner of your console, click it, then click Classic UI to switch.
  2. In the Admin Console, go to Applications > Applications.
  3. Click Add Application.
  4. Click Create New App.
  5. To create an OIDC integration, select either Web, Native App, or Single Page App (SPA) as the Platform and OpenID Connect for the Sign on method.
  6. Click Create.

Task 2: Configure initial settings

The OpenID Connect App Wizard has two sections:

  1. In General Settings:
    • App name — Specify a name identifier for your integration.

      Note: The name can only consist of UTF-8 3-byte characters.

    • Optional. App logo — Add a logo to accompany your integration in the Okta org. The logo file must be PNG, JPG, or GIF format and be smaller than 1 MB in size. For best results, use a PNG image with a transparent background, a landscape orientation, and a minimum resolution of 420 x 120 pixels to prevent upscaling.
  2. In Configure OpenID Connect:
    • Login Redirect URIs — The URIs must be absolute URIs. You can specify more than one.
    • Optional. Logout Redirect URIs — The URIs must be absolute URIs. You can specify more than one.
  3. Click Save. This creates the integration and opens the settings page to configure additional options.

Task 3: Configure OIDC settings

The options in the General Settings tab are similar for all OIDC integration types. Click Edit to change any of the listed options.

Web apps

  • Select from among the different grant type options.
  • Enter one or more Login redirect URIs where Okta will send OAuth responses.
  • Enter one or more Logout redirect URIs where Okta will redirect the browser after logging out from the relying-party and terminating its end-user session.
  • Select a Login initiated by setting to specify if the sign-in process is initiated directly by the application in the background, or if either the application or Okta can initiate the sign-in request.
    • If you select App Only, the application is started in the background, without an Okta tile appearing.
    • If you select Either Okta or App, your integration uses an Okta tile:
      • Select the appropriate Application visibility option.
      • Select the appropriate Login flow option. If you choose Send ID Token directly to app (Okta Simplified), you're also able to choose OIDC scopes for the flow.
      • An App Embed Link section is displayed at the bottom of the settings page, showing the URL that you can use to sign in to the OIDC client from outside of Okta.

    You can use the API endpoint openid-configuration to configure Okta interactions programmatically. When a web application contains the implicit value for grant_types_supported, admins can publish integrations with the Login Initiated By feature. For more information about OIDC clients and the API, see the OpenID Connect API.

  • Enter or change the Initiate login URI used to initiate the sign-in request.
  • Click Save to commit your changes.
  • If required, you can generate a new client secret. In the Client Credentials section, click Edit then click Generate New Client Secret.

Native apps

  • Select from among the different grant type options.
  • Enter one or more Login redirect URIs where Okta will send OAuth responses.
  • Enter one or more Logout redirect URIs where Okta will redirect the browser after logging out from the relying-party and terminating its end-user session.
  • Click Save to commit your General Settings changes.
  • In the Client Credentials section, you can select a Client authentication type:
    • Use PKCE (for public clients) — Recommended for native applications. By requiring a Proof Key for Code Exchange (PKCE), this option ensures that only the client that requested the access token can redeem it.
    • Use Client Authentication — This option is not recommended for distributed native applications. A client secret is embedded in the client and sent with requests to prove the client's identity.
    • If required, you can generate a new client secret when using client authentication. In the Client Credentials section, click Edit then Generate New Client Secret.

  • Click Save to commit your changes.

Single page apps

  • Select from among the different grant type options.
  • Enter one or more Login redirect URIs where Okta will send OAuth responses.
  • Enter one or more Logout redirect URIs where Okta will redirect the browser after logging out from the relying-party and terminating its end-user session.
  • Select a Login initiated by setting to specify if the sign-in process is initiated directly by the application in the background, or if either the application or Okta can initiate the sign-in request.
    • If you select App Only, the application is started in the background, without an Okta tile appearing.
    • If you select Either Okta or App, your integration uses an Okta tile:
      • Select the appropriate Application visibility option.
      • Select the appropriate Login flow option. If you choose Send ID Token directly to app (Okta Simplified), you're also able to choose OIDC scopes for the flow.
      • An App Embed Link section is displayed, showing the URL that you can use to sign in to the OIDC client from outside of Okta.

    You can use the API endpoint openid-configuration to configure Okta interactions programmatically. When a web application contains the implicit value for grant_types_supported, admins can publish apps with the Login Initiated By feature. For more information about OIDC clients and the API, see the OpenID Connect API.

  • Enter or change the Initiate login URI used to initiate the sign-in request.
  • Click Save to commit your changes.

Task 4: Configure optional settings

Consent

This is an Early Access feature. To enable it, contact Okta Support.

If you have enabled User Consent for OAuth 2.0 Flows in API Access Management, then the following section appears in the General Settings tab for an OIDC integration.

Screenshot of user consent section showing the require consent check box

If you want to prompt the user with a pop-up window to approve the integration's access to specified resources, check the Require consent box. Additionally, you can set up the consent for an OIDC scope in your custom authorization server, as described in the Create Scopes section of API Access Management.

Set the Groups Claim Filter

  1. Go to the Sign On tab and scroll down to the  OpenID Connect ID Token section.
  2. Select the Groups claim type. You can select either a Filter for existing group claims, or choose an Expression to create a custom filter on a different group claim. If the value you specify in Groups claim filter matches more than 100 groups, an error occurs when the API tries to create ID tokens.

    For more information about Group claims for Single Sign-On, see Customize tokens returned from Okta.
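As an added example that is not part of the Okta documentation, the following Python script pre-checks three requirements from this page before you save the integration: the redirect URIs from Task 2 must be absolute, Login initiated by needs the implicit value in the org's grant_types_supported (the openid-configuration note under Web apps and Single page apps), and a Groups claim filter must not match more than 100 groups. The discovery document and group names are constructed sample data, and the filter kind names (starts_with, regex) are assumptions, not Okta's labels.

```python
# Added pre-flight checks for an Okta OIDC app configuration (example code, not
# Okta's). Discovery document and group names are constructed sample data.
import json
import re
from urllib.parse import urlsplit

MAX_GROUPS_IN_CLAIM = 100  # limit stated in the Okta documentation

# Constructed sample: trimmed openid-configuration response for an example org.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://example.okta.com",
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
})

def non_absolute_uris(uris):
    """Return redirect URIs that are not absolute: no scheme, or http(s) without a host.
    Custom schemes such as com.example.app:/callback (native apps) are accepted."""
    bad = []
    for uri in uris:
        parts = urlsplit(uri)
        if not parts.scheme or (parts.scheme in ("http", "https") and not parts.netloc):
            bad.append(uri)
    return bad

def supports_login_initiated_by(discovery_json):
    """True when the org advertises the implicit grant in grant_types_supported."""
    return "implicit" in json.loads(discovery_json).get("grant_types_supported", [])

def groups_matching(groups, kind, value):
    """Evaluate a groups claim filter over group names (filter kind names are assumed)."""
    if kind == "starts_with":
        return [g for g in groups if g.startswith(value)]
    if kind == "regex":
        return [g for g in groups if re.search(value, g)]
    raise ValueError(f"unknown filter kind: {kind}")

def groups_filter_ok(groups, kind, value):
    """(ok, count): ok is False when the filter matches more than 100 groups."""
    count = len(groups_matching(groups, kind, value))
    return count <= MAX_GROUPS_IN_CLAIM, count

if __name__ == "__main__":
    # Constructed sample: 150 application groups plus two admin groups.
    sample = [f"app-team-{i:03d}" for i in range(150)] + ["okta-admins", "sec-ops"]
    print(non_absolute_uris(["https://app.example.com/cb", "/relative/cb", "https:///cb"]))
    print(supports_login_initiated_by(DISCOVERY_JSON))
    print(groups_filter_ok(sample, "starts_with", "app-team-"))    # (False, 150)
    print(groups_filter_ok(sample, "regex", r"^app-team-00\d$"))  # (True, 10)
```

A filter that returns (False, count) would save in the console but break ID-token creation later, so the count is the value to act on before clicking Save.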

Next steps