# Okta

This page outlines the instructions for configuring Okta as your identity provider for SSO in BirdCRM using OpenID.

Start with the initial configuration in Okta, then complete the steps required in BirdCRM, and finish by finalising your Okta configuration.

### Step one: Initial setup in Okta

1. Navigate to the **Applications** section in Okta.<br>

   <div align="left"><figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FM2I9K5ItXuiwkDJZq78v%2Fimage.png?alt=media&#x26;token=80bff8a4-ccbe-46bb-9a82-1038cc56cf69" alt="" width="561"><figcaption></figcaption></figure></div>
2. Click on **Create App Integration**, select **OIDC - OpenID Connect** and **Web Application**, then click **Next**.<br>

   <div align="left"><figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FmpcagEicUIm3jXEEmJZ7%2Fimage.png?alt=media&#x26;token=e930b7aa-a1c8-4cc5-ad6f-650091d5b3d6" alt="" width="563"><figcaption></figcaption></figure></div>
3. Fill out a name for the Application that will appear in your users' Okta applications list and optionally a logo. The BirdCRM logo is shown below the screenshot for convenience.
4. Then fill out the following URL in the Sign-in redirect URIs section: `https://api.bird.com/auth/oidc/callback`
5. Remove the Sign-out URIs and click **Save**.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcAwP3nGX1wbmYfkuWbODZDFDW8rAI5UhxroO9Gq01Ti4mEtRiLSNnP-oAOMVhqiifPLs6izxBDZNuNva7mcWnWtsuuQ8JbDU_UPXduOhppHapZehlW-y0PFPII47aUU4YSWCktBXinZs0wBTdSvBQiNOk?key=G4cws1tM_IONCfaBmekmJw" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcaLzyap0qZIv5E4Bc1oeE3AgPGTPzAvdUI4ySreu2B4M9JviRP03kSbZIK3GvF7nlmKYsZ7Zm3w345B-jwDDNanR4DTLw9fbAzfMuMj7xVwUP2n1IU11O6Ev5sVGQMuS7MYnHLKDmjctNIo2LRzLOkX4A?key=G4cws1tM_IONCfaBmekmJw" alt="" width="188"><figcaption></figcaption></figure>

6. Once the application is created, take a copy of the Client ID and Client Secret, as shown in this screenshot. They will be needed on the BirdCRM side to complete the configuration.<br>

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXd1FrE6FCOLrHf9WDZoxWECxYOiI7ZXtF_VyOwVFcDDVMV5onMy85W6Lp3U_D3M5FSq8X_ATxedxq9fIYYDRdIkYh9NzdBD0geKMaOrwI53O1z1P7IbgYthrSI8Sm33lP2sbwlyR6uQ1pR8vokYLgI-3WY?key=G4cws1tM_IONCfaBmekmJw" alt="" width="563"><figcaption></figcaption></figure>
7. Next, click on the **Okta API Scopes** tab for the application, scroll down to `okta.myAccount.email.read` and click on **Grant**.<br>

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcNRQ_4FQTxMkdX4ZNe_1KzgE4SAzMLNKPtfeLR8enP0-88b1Xj7OAyd8EjknISCHcmWuQaPMgeqJh0tR_jjV-qUz0Hyc1Y6YfIEwurlVVAOV5JSnC-h46kY4XJr9QrOhGR8IdMgj-2dEZSJ9jHwYmUubQ?key=G4cws1tM_IONCfaBmekmJw" alt="" width="563"><figcaption></figcaption></figure>
8. This stage of the Okta setup is now complete. Once the BirdCRM instructions below are completed, there are some optional steps that can be taken in Okta to enhance the user experience.
9. Any user assignments can be done now for the application.

### Step two: Set up in Bird

1. Navigate to the [Settings](https://app.staging.bird.one/settings/security/access-settings) page by clicking on Settings in the bottom left, then selecting **Access Management** under the **Organization** tab.

   <figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FOTXk5krTJt0LMFbJfcUa%2Fimage.png?alt=media&#x26;token=24aa8c5b-1b28-4e1f-9b77-7d16ec7d9952" alt="" width="210"><figcaption></figcaption></figure>

<figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FGA8nNE8T6BX7h9vnMMWo%2Fimage.png?alt=media&#x26;token=6b60f5a9-a20d-4859-bfaa-e64148b33827" alt=""><figcaption></figcaption></figure>

2. Click **Set Up SSO**, then select **OpenID**.<br>

<figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FTHaOQs7Dl6b10TNUOWS1%2Fimage.png?alt=media&#x26;token=316fa315-d2d8-484a-91a4-a66866526b2d" alt="" width="230"><figcaption></figcaption></figure>

1. Fill out a name for the SSO setup and enter your Okta URL as the Issue URL. This is normally in the format `companyname.okta.com` and is the URL you use to access your Okta applications.
2. Copy and paste the Client ID and Client Secret that were copied from Okta in step 6 of the Okta instructions.
3. In 'Other Scopes', enter `email` and then select **New scope: email** to add it as shown in the screenshot below.<br>

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfFOIyraueCpnpXnDkQUO30ygA-HeMmUrvKzoDy176WHpO9xkuiI9zT2QT95ce_pwc50NgGOZh4pPAwDXk4eBwmnc-zaE1n98AiIDSvt41GvLYYOboFgdaSg91-Cz3n-0aGvjdjgW0qX1yTepSGS7XUmYM?key=G4cws1tM_IONCfaBmekmJw" alt="" width="375"><figcaption></figcaption></figure>
4. The final setup should look similar to this:\
   ![](https://lh7-us.googleusercontent.com/J0B6AfXyqbKEYtQMHZiEgayANPLo2DfUwLggubdvjsmJ8ik4Vjwuphbl0VdPsmPEfn1AzBuTyepvy2PlziUiWz8ri738OqbaDNmWriC1JVw98nxfoVwk9F3KVaQ3kAnKIVeMSKpcesfHewSKKLORUdE)

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXd-3wq6GiyRd7bKsmv4-ZftiRO5lyfmcbEN71Y-zRmSbLMtfS_M27VYlusIdFV1FEisabTvxNHMOzINbSm-zTg3qMRpKAAvmwh9s5w5ksv1t9G-yZfmVcZ23EN_DDbLFMwS8h0SkKroHct5nBe9GmKyEzU?key=G4cws1tM_IONCfaBmekmJw" alt="" width="375"><figcaption></figcaption></figure>
5. Click on **Confirm** and your SSO configuration will be saved.
6. Next, validate the domain(s) that your users will log in from Okta with. First click on the **Domain Validation** button available when viewing your SSO integration.<br>

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXe0FVsgHNIqtsTwE5u2MPh3immfQ-1wuMmOGicGRP5HSyhTpaLv5IdFbvhMC40IZffiRy3slMquMCLOPMjGQQSY5HzE6ZjDntR4xpFJUyfhjUnuqGC6-6DITU7GqNsx8y6bW8o4dBPsMHkonyFlV4uWdtQ?key=G4cws1tM_IONCfaBmekmJw" alt="" width="563"><figcaption></figcaption></figure>
7. Enter the company domain name that you log in with (e.g. companyname.com) and click **Create**.<br>

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeSNDLjmE23zRwwwECwfPQN0l5xw4SdDR7Bxg_iwHyRqVOqZVUdndKNNCRwB4cIxGgReyB9OBzvbQaLvIbqP1xUklj6wXMQ-dfzZ1j55MtnHabGyAIwAnGFODi1Nh4ewQ_uR3j__NKUDPWqpFPMveDb14o?key=G4cws1tM_IONCfaBmekmJw" alt="" width="563"><figcaption></figcaption></figure>
8. You will then be presented with a unique string under the Challenge column that needs to be placed as a TXT record in your domain. If you are unsure how to add a TXT record please consult with your DNS provider.
9. Once you have added the TXT record to verify your domain, you can select **Verify**.
10. If the TXT record was added correctly, the Status will then show as Verified.
11. Now you can set up the identity provider initiated login. From the Single-Sign On page, click on the three-dot menu on the right of the identity provider you have configured and select **View**.<br>

    <figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2Fo7EfrmbK1waqvugOUq6v%2Fimage.png?alt=media&#x26;token=f85aa7d0-724a-4fe2-a2b3-0e2eb9cd4b17" alt=""><figcaption></figcaption></figure>
12. You can then see the Initiate Login URI at the bottom which you can take a copy of to apply in your Okta configuration (see next step).<br>

    <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfESXAMcBYvLzLhMnE4Lnr54GDmw0P0-5lI_t3tjZCk5wv3EPBBeaPnoVXGtud-3FdJM8UaFHmRDIvuABrFyOyj-Mwtr3fvTqYEDli8O0nacSaCO5Jz3CvI4j2fnSuqWPETzw8eAKkqnmwqfwi5lIAo2w?key=G4cws1tM_IONCfaBmekmJw" alt="" width="375"><figcaption></figcaption></figure>
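
Before saving the issuer and scope values from the steps above, you can compare them against the identity provider's OIDC discovery document. The following is an added example, not BirdCRM or Okta code: `normalize_issuer` and `preflight` are hypothetical helper names, the discovery document is a constructed sample for `companyname.okta.com`, and the page does not state that BirdCRM runs this check itself.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of the JSON served at
# https://<issuer>/.well-known/openid-configuration (values are illustrative).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://companyname.okta.com",
  "authorization_endpoint": "https://companyname.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://companyname.okta.com/oauth2/v1/token",
  "jwks_uri": "https://companyname.okta.com/oauth2/v1/keys",
  "scopes_supported": ["openid", "email", "profile"]
}""")


def normalize_issuer(value):
    """Turn 'companyname.okta.com' into the canonical https issuer string."""
    value = value.strip()
    if "://" not in value:
        value = "https://" + value
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.hostname or parts.query or parts.fragment:
        raise ValueError(f"issuer must be a plain https URL: {value!r}")
    return f"https://{parts.netloc.lower()}{parts.path.rstrip('/')}"


def preflight(issuer_input, discovery, wanted_scopes=("openid", "email")):
    """Return a list of problems; an empty list means the values line up."""
    problems = []
    issuer = normalize_issuer(issuer_input)
    # The issuer in the document must equal the configured one exactly,
    # because ID tokens carry it in 'iss' and the client compares the two.
    if discovery.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {discovery.get('issuer')!r} != {issuer!r}")
    host = urlsplit(issuer).hostname
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = urlsplit(discovery.get(key, ""))
        # Conservative check: flag non-https or off-host endpoints for review.
        if endpoint.scheme != "https" or endpoint.hostname != host:
            problems.append(f"{key} is not https on {host}")
    missing = sorted(set(wanted_scopes) - set(discovery.get("scopes_supported", [])))
    if missing:
        problems.append(f"scopes not advertised: {missing}")
    return problems


if __name__ == "__main__":
    print(preflight("companyname.okta.com", SAMPLE_DISCOVERY) or "OK")
```

To run it against a live tenant, replace `SAMPLE_DISCOVERY` with the JSON downloaded from your own issuer's `/.well-known/openid-configuration` path.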

### Step three: Allow login from Okta

1. If you would like to improve the user experience and allow logins to be initiated from Okta, scroll down to General Settings of your Application and click **Edit**.
2. Change **Login initiated by** to **Either Okta or App**.
3. Tick the **Display application icon to users** option.
4. Paste the Initiate Login URI you took a copy of into the **Initiate login URI** field in your Okta application.
5. Click **Save**.<br>

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXexEfsSN2dHfYnwWSvB2bu4pcmVCzT56CsR1hcil9irGiT4fecyRjNme-xcu8ytPapch-plWtABCPcl28Wnq20Ike4hqUYBniU7nPo3ImxHwBDghs7c4mVZk_NgZ4qXTJJFgmSIeCWy23oVm54Jawo0Qpc?key=G4cws1tM_IONCfaBmekmJw" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="success" %}
This completes the setup. The users you have assigned the Okta application to should now be able to log in via Okta.

As an optional step, you can enforce SSO login for your organization. Please see the [Enforce SSO](https://docs.bird.com/applications/settings/account/organization-settings/single-sign-on-sso/enforce-single-sign-on-sso) section of the SSO page to do this.
{% endhint %}
