SSO: OIDC with Okta

This guide walks you through the steps to configure Single Sign-on using OIDC with Okta.

Prerequisites

Before you begin, ensure you have admin access to your Okta dashboard.


Step 1: Set Up an Okta Application for Control D

Note: If you intend to use specific ControlD.* groups (e.g., ControlD.Admin, ControlD.Owner, ControlD.Viewer) for role-based access, create these groups first as outlined in Step 3.

  1. Log in to your Okta Admin Dashboard.

  2. Navigate to Applications and click Create App Integration.

  3. Select OIDC - OpenID Connect as the sign-in method and choose Web Application as the application type. Click Next.

  4. Fill in the application details:

    Field                      Data
    App Integration Name       Control D
    Logo                       (Optional)
    Sign-in redirect URIs      https://controld.com/sso/callback?provider=okta
    Sign-out redirect URIs     Delete all entries

  5. Under Assignments, you can assign people or groups to the application, or select Skip group assignment for now if you wish to assign them later.
    If you plan to use role-based groups, assign the ControlD.* groups (ControlD.Admin, ControlD.Owner, ControlD.Viewer) created earlier.
    By default, users assigned to the application in Okta will be given the Viewer permission.

  6. Ensure the Grant Type is set to Authorization Code.

  7. Click Save to create the application.


Step 2: Configure the Okta Application for Control D

  1. Open the newly created Control D application in Okta.

  2. Go to the General Settings tab and note down the Client ID and Client Secret.

  3. Go to the Sign On tab and ensure the OpenID Connect ID Token option is enabled.

  4. Under Groups Claim, set Groups claim type to Filter and choose Starts With. Enter ControlD to include groups such as ControlD.Admin, ControlD.Owner, and ControlD.Viewer.


Step 3: Assign User Groups in Okta

Note: A feature to support custom group mappings is under way!

Note: If you have already created the ControlD.* groups, you can skip creating new groups and proceed to assign users to the appropriate permissions.

  1. Go to Directory > Groups in Okta.

  2. Create three groups for Control D access (if not already created):

    • ControlD.Admin
    • ControlD.Owner
    • ControlD.Viewer

  3. Assign users to these groups based on their roles and responsibilities within Control D.

Note: Learn about the different roles and permission levels here: https://docs.controld.com/docs/org-members-permissions#permission-levels


Step 4: Add SSO Configuration in Control D

  1. Log in to Control D.

  2. Navigate to My Organization, scroll to SSO Provider, and click the toggle to enable.

  3. Fill in the required fields:

    • Okta Domain: <your-subdomain>.okta.com
    • Client ID: The value you copied from the Okta application.
    • Client Secret: The value you copied from the Okta application.
    • Email Domains: Enter the domains associated with your organization, e.g., example.com. This is necessary to map email domains to your Control D customer account so that login attempts are redirected to the correct Okta authentication server.

  4. Click Save to enable Okta SSO for your organization.
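The following Python snippet is an added illustration of how a relying party consumes the pieces configured in Steps 2 through 4: the "Starts With ControlD" groups claim filter, the default Viewer permission for assigned users, the Okta domain and Client ID, and the email-domain mapping. It is not Control D's or Okta's code. The configuration values and the ID token claims are constructed placeholders, the role precedence (Owner above Admin above Viewer) is an assumption, and the claims are assumed to have already passed signature verification against the Okta JWKS.

```python
"""Illustrative relying-party checks on Okta OIDC ID token claims (added example)."""
import time
from urllib.parse import urlparse

# Constructed configuration mirroring the Step 4 fields (placeholder values only).
OKTA_DOMAIN = "example-subdomain.okta.com"       # stands in for <your-subdomain>.okta.com
CLIENT_ID = "placeholder-client-id"               # placeholder, not a real Okta Client ID
EMAIL_DOMAINS = {"example.com"}                   # Email Domains entered in Step 4
GROUP_PREFIX = "ControlD"                         # the "Starts With" filter set in Step 2
ROLE_PRECEDENCE = ["Owner", "Admin", "Viewer"]    # assumed ordering, highest first
DEFAULT_ROLE = "Viewer"                           # default for assigned users with no ControlD.* group

# Constructed ID token claims, as Okta would emit them after the groups filter.
SAMPLE_CLAIMS = {
    "iss": "https://example-subdomain.okta.com",
    "aud": "placeholder-client-id",
    "exp": 4102444800,  # far-future expiry so the sample validates when run
    "email": "alice@example.com",
    "groups": ["Everyone", "ControlD.Admin", "ControlD.Viewer", "Marketing"],
}


def filter_groups(groups, prefix=GROUP_PREFIX):
    """Keep only group names starting with the prefix, as the Okta filter does."""
    return [g for g in groups if g.startswith(prefix)]


def map_role(groups):
    """Map ControlD.<Role> groups to one role; fall back to Viewer when none match."""
    roles = {g.split(".", 1)[1] for g in filter_groups(groups) if "." in g}
    for role in ROLE_PRECEDENCE:
        if role in roles:
            return role
    return DEFAULT_ROLE


def email_domain_known(email, domains=EMAIL_DOMAINS):
    """True when the login email's domain is one mapped to this organization."""
    if "@" not in email:
        return False
    return email.rsplit("@", 1)[1].lower() in {d.lower() for d in domains}


def validate_claims(claims, now=None, client_id=CLIENT_ID, okta_domain=OKTA_DOMAIN):
    """Return a list of problems found in signature-verified ID token claims."""
    now = time.time() if now is None else now
    problems = []
    # Issuer host must be exactly the configured Okta domain over https; a custom
    # authorization server adds a path (e.g. /oauth2/default) but keeps the host.
    iss = urlparse(claims.get("iss", ""))
    if iss.scheme != "https" or iss.netloc.lower() != okta_domain.lower():
        problems.append("iss mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("aud does not contain client_id")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if not email_domain_known(claims.get("email", "")):
        problems.append("email domain not mapped")
    return problems


if __name__ == "__main__":
    print("problems:", validate_claims(SAMPLE_CLAIMS))
    print("role:", map_role(SAMPLE_CLAIMS["groups"]))
```

A user assigned to the application but in no ControlD.* group resolves to Viewer, matching the default described in Step 1, and an issuer or audience mismatch is reported rather than silently accepted, which is the check that catches a Client ID or Okta Domain typo from Step 4.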


Step 5: Test SSO Login

  1. Log out of Control D and navigate to the login page.
  2. Enter your Okta email address, leaving the password blank.
  3. Click the Log in with Okta button.
  4. Enter your Okta credentials and confirm successful login.
  5. Verify role-based access permissions by testing users in the ControlD.Admin, ControlD.Owner, and ControlD.Viewer groups.

Troubleshooting

If you encounter any issues:

  1. Verify the redirect URIs in your Okta application settings.
  2. Ensure the user groups are correctly assigned in Okta.
  3. Check the SSO configuration in the Control D Admin Panel for typos or missing fields.
  4. Refer to the Okta logs for debugging SSO errors.

For additional support, contact Control D Support.