Connect to Okta as an OpenID Connect Identity Provider

Prerequisites

Steps

To connect your application to an OIDC Identity Provider, you must:

  1. Register your app with Okta

  2. Create an enterprise connection in Auth0

  3. Enable the enterprise connection for your Auth0 Application

  4. Create a test user

  5. Test the connection

Register your app with Okta

To allow users to log in using Okta, you'll need to register your application. See Register your app (Okta Documentation) for more information.

  1. Log in to your Okta account.

  2. Select Applications > Applications, then Create App Integration.

  3. Select Create New App and enter the following:

    1. For Sign-in method, choose OIDC.

    2. Under Application type, choose Web app.

    3. Select Next.

  4. Under General Settings:

    1. For App integration name, enter a name for your application.

  5. In the Sign-in redirect URIs field, enter https://your-tenant.auth0.com/login.

  6. Select Save.

Once you finish registering your application with Okta, save the Client ID and Client Secret to use in the next step.

Create an enterprise connection in Auth0

Next, you will need to create and configure an OIDC Enterprise Connection in Auth0. Make sure you have the Application (client) ID and the Client secret generated when you set up your app in the OIDC provider.

Create an enterprise connection using the Dashboard

  1. Navigate to Auth0 Dashboard > Authentication > Enterprise, locate Open ID Connect, and click its +.

  2. Enter details for your connection, and select Create:

    Connection name: Logical identifier for your connection; it must be unique for your tenant. Once set, this name can't be changed.
    Issuer URL: URL where Auth0 can find the OpenID Provider Configuration Document. For Okta this should be one of the following:

    • https://<YOUR_OKTA_DOMAIN>/.well-known/openid-configuration
    • https://<YOUR_OKTA_DOMAIN>/oauth2/<AUTH_SERVER_ID>/.well-known/

    You can enter the base URL or the full URL. You will see a green checkmark if the document can be found at that location, a red mark if it cannot be found, or an error message if the file is found but the required information is not present in the configuration file.
    Client ID: Unique identifier for your registered Okta application. Enter the saved value of the Client ID for the app you registered with the OIDC Identity Provider.
    Callback URL: URL to which Auth0 redirects users after they authenticate. Ensure that this value is configured for the app you registered with the OIDC Identity Provider.
    Sync user profile attributes at each login: When enabled, Auth0 automatically syncs user profile data at each user login, ensuring that changes made in the connection source are automatically updated in Auth0.

    Find your Auth0 domain name for redirects

    If your Auth0 domain name is not shown above and you are not using our custom domains feature, your domain name is a concatenation of your tenant name, your regional subdomain, and auth0.com, separated by the dot (.) symbol.

    For example, if your tenant name is exampleco-enterprises, and your tenant is in the US region, your Auth0 domain name would be exampleco-enterprises.us.auth0.com and your Redirect URI would be https://exampleco-enterprises.us.auth0.com/login/callback.

    However, if your tenant is in the US region and was created before June 2020, then your Auth0 domain name would be exampleco-enterprises.auth0.com and your Redirect URI would be https://exampleco-enterprises.auth0.com/login/callback.

    If you are using custom domains, your Redirect URI would be https://<YOUR CUSTOM DOMAIN>/login/callback.


  3. In the Settings view, make additional configuration adjustments, if necessary.

    Issuer URL: Click Show Issuer Details to view the Issuer URL Advanced Settings and make adjustments.
    Type: Set to Front Channel or Back Channel. Front Channel uses the OIDC protocol with response_mode=form_post and response_type=id_token. Back Channel uses response_type=code.
    Scopes: A comma-separated list of Auth0 scopes to request when connecting to the Identity Provider. This affects the data stored in the user profile. You must include at least the openid scope. Note that the connection does not call the /userinfo endpoint and expects the user claims to be present in the id_token.

    1. Name your connection.

    2. Add the Issuer URL from your Okta instance.

    3. Under Type, choose Back Channel.

    4. Enter the Client ID and Client Secret from your Okta application.

    5. Enter the Auth0 scopes to request when connecting to the Identity Provider.

    6. Select Save Changes.

  4. In the Login Experience view, configure how users log in with this connection.

    Identity Provider domains: A comma-separated list of the domains that can be authenticated in the Identity Provider. This is only applicable when using Identifier First authentication in the Universal Login Experience.
    Add button (Optional): Display a button for this connection on the login page.
    Button display name (Optional): Text used to customize the login button for the new Universal Login. When set, the button reads: "Continue with {Button display name}".
    Button logo URL (Optional): URL of the image used to customize the login button for the new Universal Login. When set, the Universal Login button displays the image as a 20px by 20px square.

  5. Select Save Changes.
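The Issuer URL check described in step 2 (green checkmark, red mark, or an error for a document missing required fields) can be reproduced offline. The following is an added example, not Auth0 or Okta code; it assumes a placeholder Okta domain and that the caller fetches the document body itself, and it also flags the issuer-mismatch case that arises when the org root URL is entered for an Okta custom authorization server.

```python
import json
from typing import Optional
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
# Fields a relying party such as Auth0 needs from the provider configuration document
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer_input: str) -> str:
    """Accept the base Issuer URL or the full discovery URL; return the full discovery URL."""
    url = issuer_input.rstrip("/")
    return url if url.endswith(WELL_KNOWN) else url + WELL_KNOWN


def check_discovery_document(issuer_input: str, body: Optional[str]) -> dict:
    """Classify the result as the dashboard does: found, not_found or invalid.

    body is the HTTP response fetched from discovery_url(), or None when nothing
    was served there (fetching is left to the caller so this runs offline).
    """
    url = discovery_url(issuer_input)
    problems = []
    if urlparse(url).scheme != "https":
        problems.append("discovery URL must use https")
    if body is None:
        return {"url": url, "status": "not_found", "problems": problems + ["no document at this location"]}
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return {"url": url, "status": "invalid", "problems": problems + ["document is not valid JSON"]}
    problems += [f"missing required field: {f}" for f in REQUIRED_FIELDS if f not in doc]
    # OIDC Discovery requires the issuer value to equal the URL the document was fetched
    # from, minus the well-known suffix. A mismatch here means ID tokens from this
    # provider would carry an iss claim different from the configured issuer.
    expected_issuer = url[: -len(WELL_KNOWN)]
    if "issuer" in doc and str(doc["issuer"]).rstrip("/") != expected_issuer:
        problems.append(f"issuer mismatch: document says {doc['issuer']}, expected {expected_issuer}")
    return {"url": url, "status": "invalid" if problems else "found", "problems": problems}


# Constructed sample document for an Okta custom authorization server (placeholder domain)
OKTA_ISSUER = "https://dev-123456.okta.example/oauth2/default"
SAMPLE_DOC = json.dumps({
    "issuer": OKTA_ISSUER,
    "authorization_endpoint": OKTA_ISSUER + "/v1/authorize",
    "token_endpoint": OKTA_ISSUER + "/v1/token",
    "jwks_uri": OKTA_ISSUER + "/v1/keys",
})
```

Entering the org root (https://dev-123456.okta.example) with this document is reported as invalid because the document's issuer is the custom authorization server, which is exactly the case where Auth0 would later reject the provider's ID tokens.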
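The Type and Scopes settings in step 3 decide what the authorization request looks like and which claims must arrive inside the id_token, since the connection never calls /userinfo. The following added example (not Auth0 or Okta code) builds the request parameters for each Type and reports claims a requested scope should have supplied but that are absent from a decoded id_token; the scope-to-claim table is a subset of the standard OIDC claims and the sample claims are constructed.

```python
from typing import Dict, List

# Subset of the standard OIDC claims each scope requests (OpenID Connect Core 1.0, 5.4).
# The connection reads these from the id_token because it does not call /userinfo.
CLAIMS_BY_SCOPE = {
    "openid": ("sub",),
    "profile": ("name", "given_name", "family_name", "preferred_username"),
    "email": ("email", "email_verified"),
}


def authorization_request(conn_type: str, scopes: List[str], client_id: str,
                          callback_url: str, state: str, nonce: str) -> Dict[str, str]:
    """Authorization request parameters implied by the connection's Type setting."""
    if "openid" not in scopes:
        raise ValueError("the openid scope is required")
    params = {"client_id": client_id, "redirect_uri": callback_url,
              "scope": " ".join(scopes), "state": state, "nonce": nonce}
    if conn_type == "Front Channel":
        # Implicit flow variant: the ID token itself is POSTed back to the callback URL,
        # so the nonce is the only binding between request and token.
        params.update(response_type="id_token", response_mode="form_post")
    elif conn_type == "Back Channel":
        # Authorization code flow: only a code comes back through the browser;
        # the ID token is fetched server to server with the client secret.
        params["response_type"] = "code"
    else:
        raise ValueError(f"unknown connection type: {conn_type}")
    return params


def missing_profile_claims(scopes: List[str], id_token_claims: Dict[str, object]) -> List[str]:
    """Claims the requested scopes should have placed in the id_token but that are absent.

    Anything listed here will simply be missing from the Auth0 user profile, typically
    because the Okta authorization server does not emit that claim for this app.
    """
    expected = [c for s in scopes for c in CLAIMS_BY_SCOPE.get(s, ())]
    return [c for c in expected if c not in id_token_claims]


# Constructed sample: decoded id_token claims carrying email but not email_verified
SAMPLE_CLAIMS = {"sub": "00u1abc", "iss": "https://dev-123456.okta.example/oauth2/default",
                 "aud": "placeholder-client-id", "email": "test.user@example.com",
                 "name": "Test User", "given_name": "Test", "family_name": "User",
                 "preferred_username": "test.user"}
```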

Enable the enterprise connection for your Auth0 application

To use your new enterprise connection, you must first enable the connection for your Auth0 Applications.

Create a test user

Before you can test this connection, you need to create a test user and assign your application to it:

  1. Navigate to Directory > People.

    1. Select Add Person.

    2. Enter the test user's details, including a password.

    3. Save the test user.

  2. Assign your application to a user.

  3. Return to Directory > People, and choose your new user.

  4. On the Applications tab, choose Assign Applications.

  5. Select the application you created.

Test the connection

Now you're ready to test your connection.

Federate with Auth0

The OpenID Connect enterprise connection is extremely useful when federating to another Auth0 tenant. Just enter your Auth0 tenant URL (for example, https://<tenant>.us.auth0.com) in the Issuer field, and enter the Client ID for any application in the tenant to which you want to federate in the Client ID field.