Steps to set Okta as an OIDC identity provider

1. Navigate to the Applications view within your Okta Administrator Dashboard.
2. Click on Create App Integration.
3. A dialog appears; select OIDC - OpenID Connect as the sign-in method.
4. For the application type, select Web Application and click on Next.
   (Screenshot: Create new app integration page for selecting sign-in method and application type)
5. Now give the app a name.
   (Screenshot: Web app integration settings showing the App integration name field set to My Web App)
6. For Grant Type, keep the defaults.
7. Scroll down to the Assignments section, select one of the options based on your choice, and then click on Save.
   (Screenshot: Cosmo Docs access assignment dialog with options for group or org-wide access)
8. Copy the Client ID and Client Secret.
   (Screenshot: Client Credentials section showing the client ID for OAuth flows)
9. Navigate to Security -> API.
   (Screenshot: Client Credentials section showing the client ID and authentication settings)
10. Select the default authorization server.
11. Copy the Metadata URI.
    (Screenshot: Default authorization server settings highlighting the metadata URI)
12. Navigate to the settings page on Cosmo.
    (Screenshot: Organization settings showing name, slug, and status of the AI, RBAC, and SCIM features)
13. Give the connection a name, paste the Metadata URI copied before into the Discovery Endpoint field, paste the Client ID and Client Secret copied before into the Client ID and Client Secret fields respectively, and then click on Connect.
    (Screenshot: Connect OpenID Connect Provider form with fields for name, endpoint, and credentials)
14. Configure the mapping between the roles in Cosmo and the user groups in Okta. The Group field in the provider can be populated with the name of the group or a regex to match the user groups. Once all the mappers are configured, click on Save.
    (Screenshot: Group mapper configuration dialog linking provider groups to Cosmo roles)
15. Copy the sign-in and sign-out redirect URIs displayed in the dialog.
    (Screenshot: Steps to configure the OIDC provider with sign-in and sign-out redirect URLs)
16. Navigate back to the application created on Okta and populate the Sign-in and Sign-out redirect URIs with the values copied above. Click on Save.
    (Screenshot: Login configuration specifying sign-in and sign-out redirect URIs and login initiator)
17. Navigate to Security -> API and click on the default auth server. Navigate to the Claims tab and then click on Add Claim.
    (Screenshot: Access Policies section showing the claims list and Token Preview button)
18. Name the claim `ssoGroups` and include it in the ID Token. For the value type select Groups, for the filter select Matches regex and populate the field with `.*`. Click on Create.
    (Screenshot: Add Claim dialog for ssoGroups with filters, scopes, and create button)
19. Now you can assign users/groups to the application, and those users will be able to log into Cosmo using the URL provided when setting up the provider.

Please make sure that the users added to the application have a username.
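The example below is added here and is not Cosmo's or Okta's code. It shows two offline checks for the procedure above: a sanity check of the discovery document served by the Metadata URI of step 11 before it is pasted into the Discovery Endpoint of step 13, and a model of how the group mappers of step 14 turn the `ssoGroups` ID-token claim of step 18 into Cosmo roles. Whole-name matching of a mapper regex (`re.fullmatch`), the role names, the tenant URL and the token payload are assumptions constructed for the example; the page does not state how Cosmo anchors a mapper regex.

```python
"""Added example, not Cosmo's or Okta's code.

check_discovery_document(): sanity-check an OpenID Provider discovery
document (what the Metadata URI serves) before using it as the Discovery
Endpoint.
resolve_roles(): model the Cosmo group mappers resolving the ssoGroups claim.
Whole-name regex matching is an assumption of this example.
"""
import re
from dataclasses import dataclass

# Fields a discovery document must carry for the authorization-code flow
# that the Web Application integration uses.
REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery_document(doc: dict) -> list[str]:
    """Return a list of problems; an empty list means the document looks usable."""
    problems = []
    for key in REQUIRED_METADATA:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif not value.startswith("https://"):
            problems.append(f"{key} is not served over https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems


@dataclass(frozen=True)
class GroupMapper:
    group: str  # Group field of the mapper dialog: a literal group name or a regex
    role: str   # Cosmo role to grant (role names here are constructed)


def _group_matches(pattern: str, group: str) -> bool:
    """Exact name first; otherwise treat the field as a regex over the whole name.

    Using fullmatch (an assumption of this example) means a mapper written as
    'admins' does not match 'non-cosmo-admins' by substring.  A field that is
    not a valid regex is only ever compared literally.
    """
    if group == pattern:
        return True
    try:
        return re.fullmatch(pattern, group) is not None
    except re.error:
        return False


def resolve_roles(mappers: list[GroupMapper], sso_groups: list[str]) -> set[str]:
    """Collect every role whose mapper matches at least one claimed group."""
    return {m.role for m in mappers for g in sso_groups if _group_matches(m.group, g)}


# Constructed discovery document shaped like Okta's default authorization server.
SAMPLE_DISCOVERY = {
    "issuer": "https://dev-000000.okta.com/oauth2/default",  # placeholder tenant
    "authorization_endpoint": "https://dev-000000.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://dev-000000.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://dev-000000.okta.com/oauth2/default/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
}

# Constructed ID-token payload as issued once the ssoGroups claim exists with
# the ".*" filter: every group of the user is included, not only Cosmo ones.
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://dev-000000.okta.com/oauth2/default",
    "sub": "00u0000000000000000",  # placeholder subject
    "preferred_username": "alice@example.com",
    "ssoGroups": ["Everyone", "cosmo-admins", "cosmo-dev-platform", "non-cosmo-admins"],
}

# Constructed mappers: one literal name, one regex.
SAMPLE_MAPPERS = [
    GroupMapper("cosmo-admins", "admin"),
    GroupMapper(r"cosmo-dev-.*", "developer"),
]

if __name__ == "__main__":
    print("discovery problems:", check_discovery_document(SAMPLE_DISCOVERY))
    print("roles:", sorted(resolve_roles(SAMPLE_MAPPERS, SAMPLE_ID_TOKEN_CLAIMS["ssoGroups"])))
```

Because the `.*` filter in step 18 sends all of a user's groups (including Okta's built-in `Everyone`), the mappers in step 14 are what decide which of them confer access; keep their patterns specific to the groups meant for Cosmo rather than catch-all expressions.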