Okta
Last updated
This page outlines the instructions for configuring Okta as your identity provider for SSO in BirdCRM using OpenID.
You start by completing the required steps in Okta, then carry out the steps in BirdCRM, and finally return to Okta to finish the configuration.
Navigate to the Applications section in Okta.
Click on Create App Integration, select OIDC - OpenID Connect and Web Application, and click Next.
Fill out a name for the application that will appear in your users' Okta applications list and, optionally, a logo. The BirdCRM logo is shown below the screenshot for convenience.
Then fill out the following URL in the Sign-in redirect URIs section: https://api.bird.com/auth/oidc/callback
Remove the Sign-out URIs and click Save.
Once the application is created, take a copy of the Client ID and Client Secret, as shown in this screenshot. They will be needed on the BirdCRM side to complete the configuration.
Next, click on the Okta API Scopes tab for the application, scroll down to okta.myAccount.email.read and click on Grant.
This stage of the Okta setup is now complete. Once the BirdCRM instructions below are completed, there are some optional steps that can be taken in Okta to enhance the user experience.
Any user assignments can be done now for the application.
Navigate to the SSO setup page which is available here or by clicking on your Avatar in the bottom left, selecting Settings and clicking on the Security tab.
Click on Set Up SSO and select OpenID.
Fill out a name for the SSO setup and enter your Okta URL as the Issue URL. This is normally in the format companyname.okta.com and is the URL you use to access your Okta applications.
Copy and paste the Client ID and Client Secret that you copied from Okta in Step 4 of the Okta instructions.
In 'Other Scopes', fill out email and then select New scope: email to add it as shown in the screenshot below.
Click on Confirm and your SSO configuration will be saved.
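As an added example that is not part of this page or of BirdCRM's or Okta's own tooling, the following pre-flight check builds the OpenID discovery URL from the Okta URL you enter as the Issue URL and confirms that the provider advertises what this setup relies on: the openid and email scopes, the authorization code flow, and https endpoints. The discovery document embedded below is a constructed sample and its values are assumptions.

```python
import json
from urllib.parse import urlparse

# "openid" is always required in OIDC; "email" is the extra scope added
# under 'Other Scopes' in the BirdCRM configuration.
REQUIRED_SCOPES = {"openid", "email"}


def normalise_issuer(value: str) -> str:
    """Turn 'companyname.okta.com' (the format the setup asks for) into an
    https issuer URL without a trailing slash."""
    value = value.strip()
    if "://" not in value:
        value = "https://" + value
    if urlparse(value).scheme != "https":
        raise ValueError("issuer must use https: %r" % value)
    return value.rstrip("/")


def discovery_url(issuer: str) -> str:
    """Where an OpenID provider publishes its metadata document."""
    return normalise_issuer(issuer) + "/.well-known/openid-configuration"


def check_discovery(doc: dict, issuer: str) -> list:
    """Return a list of problems; an empty list means the provider looks
    usable for this SSO setup."""
    problems = []
    expected = normalise_issuer(issuer)
    if doc.get("issuer") != expected:
        problems.append("issuer mismatch: %r != %r" % (doc.get("issuer"), expected))
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: %s" % ", ".join(sorted(missing)))
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append("%s missing or not https" % key)
    return problems


# Constructed sample document (assumed values, not real Okta output).
SAMPLE_DOC = json.loads("""{
  "issuer": "https://companyname.okta.com",
  "authorization_endpoint": "https://companyname.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://companyname.okta.com/oauth2/v1/token",
  "jwks_uri": "https://companyname.okta.com/oauth2/v1/keys",
  "response_types_supported": ["code", "id_token"],
  "scopes_supported": ["openid", "profile", "email"]
}""")

if __name__ == "__main__":
    print(discovery_url("companyname.okta.com"))
    print(check_discovery(SAMPLE_DOC, "companyname.okta.com") or "discovery document looks good")
```

Fetching the real document with a plain HTTPS GET to the printed URL and passing the parsed JSON to check_discovery gives the same report for your own tenant.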
Now we will validate the domain(s) you will log in from Okta with. First click on the Domain Validation button, which is available when viewing your SSO integration.
Enter the company domain name that you log in with (e.g. companyname.com) and click Create.
You will then be presented with a unique string under the Challenge column that needs to be placed as a TXT record in your domain's DNS. If you are unsure how to add a TXT record, please consult your DNS provider.
Once you have added the TXT record to verify your domain, you can select Verify.
If the TXT record was added correctly, the Status will then show as Verified.
Now you can set up identity provider initiated login. From the Single Sign-On page, click on the 3 dots menu on the right for the identity provider you have configured and select View.
You can then see the Initiate Login URI at the bottom; take a copy of it to apply in your Okta configuration (see next step).
If you would like to improve the user experience and allow logins to be initiated from Okta, scroll down to the General Settings of your application in Okta and click Edit.
Change the Login initiated by to Either Okta or App.
Tick the Display application icon to users option.
Paste the Initiate Login URI you took a copy of into the Initiate login URI field in your Okta application.
Click Save.
This completes the setup, and the users you have assigned the Okta application to should now be able to log in via Okta.
As an optional step, you can enforce SSO login for your organization. Please see the Enforce SSO section of the SSO page to do this.
The final setup should look similar to this: