Set up an Okta OIDC Connection

Stytch's Single Sign On (SSO) product allows your customers to log into your application via third party Identity Providers, like Okta. In this guide, you'll learn how to configure an Okta OIDC SSO connection, which is something that your customers will need to complete before their team members will be able to log into your application via SSO.

If you're interested in setting up an Okta SAML SSO connection instead, see our Set up an Okta SAML Connection guide.

By the end of this guide, you'll have:

  • a new Okta OIDC Connection that is fully configured and ready for use.
  • a new Okta application that can be used to provision access to your application.
  • a Stytch B2B implementation that can use SSO for authentication.

Before you start

  • Create a Stytch B2B project via the Stytch Dashboard if you don't have one already. To do so, click on your existing project name in the top left corner of the Dashboard, click Create a new project, and then select B2B Authentication.
  • Create a new Organization by calling our Create an Organization endpoint:
curl --request POST \
	--url \
	-H 'Content-Type: application/json' \
	-d '{
		"organization_name": "Example Org Inc.",
		"organization_slug": "example-org"
	}'

Step 1: Create a new OIDC connection

Call our Create OIDC Connection endpoint in order to create a new OIDC Connection. Include the organization_id that you'd like the Connection to belong to and a display_name for the Connection like "Okta".

curl --request POST \
	-H 'Content-Type: application/json' \
	-d '{
	  "display_name": "Okta"
	}'

Save the redirect_url and connection_id values from the connection object in the Create OIDC connection response for use in Step 2, where you'll use those values to configure a new Okta Application, and later in Step 4.

Step 2: Create and configure a new Okta Application

  1. Log in to Okta and click Create App Integration in the Applications tab:

    Create App Integration button in Okta

  2. Select OIDC - OpenID Connect and Web Application:

    App type selection screen in Okta

  3. Enter the name of your application and (optionally) your application's logo.

  4. Under Grant type, select Authorization Code:

    Okta grant type selection

  5. In the Sign-in redirect URIs section, add the redirect_url value from the Stytch connection object.

  6. For the purposes of this guide, you do not need to add any Sign-out redirect URIs. In the future, you can (optionally) add a URI corresponding to a page in your application that logs the user out by revoking their Stytch session.

  7. You do not need to add any Base URIs under Trusted Origins.

  8. Under Controlled access, select Allow everyone in your organization to access and Enable immediate access with Federation Broker Mode. You may change these settings later, if desired.

    Okta access type selection

  9. Click Save.

Now that you've created and configured a new Okta Application, you're ready to update the SSO Connection from Step 1 with additional data surfaced by Okta.

Step 3: Retrieve values from Okta to configure your OIDC Connection

In the General tab of your newly created Okta application, locate the following values and copy them for use in Step 4:

  • The Client ID in the Client Credentials section.
  • The Secret in the Client Secrets section.
    Client ID and secret in Okta

Next, you'll need to retrieve the issuer value that you'll use in Step 4. To do so, copy the section of your Okta Dashboard URL up until (and including)

Okta issuer value

Step 4: Call the Update OIDC Connection endpoint

In addition to the information from Okta in Step 3, you'll also need the organization_id and connection_id from Step 1.

Using those values, your call to our Update OIDC Connection endpoint should look like this:

curl --request PUT \
	--url{ORGANIZATION_ID}/connections/{CONNECTION_ID} \
	-H 'Content-Type: application/json' \
	-d '{
		"client_id": "{CLIENT_ID}",
		"client_secret": "{SECRET}",
		"issuer": "{ISSUER}"
	}'

When you provide an issuer value in an Update OIDC Connection request, Stytch will automatically infer the authorization_url, token_url, jwks_url, and userinfo_url values for your OIDC Connection (when available), and you will not need to explicitly provide them.
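The inference above relies on OpenID Connect Discovery: the metadata document lives at the issuer's /.well-known/openid-configuration path. The following added example (written for this guide, not Stytch's or Okta's own code) shows the checks a relying party applies before trusting such a document: the issuer must be a plain https URL, the document's own issuer field must match the configured value exactly, and each inferred endpoint must be https on the issuer's host. The field names are the Stytch OIDC Connection fields named above; the Okta-shaped metadata is a constructed sample.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Discovery metadata key -> Stytch OIDC Connection field it populates.
ENDPOINT_FIELDS = {
    "authorization_endpoint": "authorization_url",
    "token_endpoint": "token_url",
    "jwks_uri": "jwks_url",
    "userinfo_endpoint": "userinfo_url",
}

def discovery_url(issuer: str) -> str:
    """Build the Discovery document URL; reject non-https or decorated issuers."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError(f"issuer must be a plain https URL: {issuer!r}")
    path = parts.path.rstrip("/") + "/.well-known/openid-configuration"
    return urlunsplit(("https", parts.netloc, path, "", ""))

def infer_endpoints(issuer: str, discovery_json: str) -> dict:
    """Map a validated discovery document onto Stytch connection fields.
    Issuer must match exactly; endpoints must be https on the issuer's host."""
    doc = json.loads(discovery_json)
    if doc.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    host = urlsplit(issuer).netloc
    fields = {}
    for meta_key, field in ENDPOINT_FIELDS.items():
        url = doc.get(meta_key)
        if not isinstance(url, str) or not url:
            raise ValueError(f"discovery document lacks {meta_key}")
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.netloc != host:
            raise ValueError(f"{meta_key} {url!r} is not https on {host}")
        fields[field] = url
    return fields

# Constructed sample shaped like an Okta org authorization server's metadata.
SAMPLE_ISSUER = "https://dev-00000000.okta.com"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/oauth2/v1/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/oauth2/v1/token",
    "jwks_uri": SAMPLE_ISSUER + "/oauth2/v1/keys",
    "userinfo_endpoint": SAMPLE_ISSUER + "/oauth2/v1/userinfo",
})
```

A custom Okta authorization server (an issuer with a path such as /oauth2/default) is handled the same way, since the discovery path is appended to the issuer's path.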

After a successful Update OIDC Connection call, both your Okta Application and your OIDC Connection will be fully configured.

You should now be able to complete an SSO login flow via our Start SSO login flow and Authenticate SSO login endpoints using your new Okta Connection!

What's next

Build a user interface that allows users to initiate the SSO login flow. You'll also need a page to handle the redirect back to your application at the end of the SSO flow.

Clone our B2B Next.js example app for helpful templates that can get you started quickly. Also check out our interactive B2B demo app to see the app in action.