> ## Documentation Index
> Fetch the complete documentation index at: https://www.truefoundry.com/llms.txt
> Use this file to discover all available pages before exploring further.

# OIDC with Okta

> Configure OpenID Connect single sign-on between TrueFoundry and Okta.

This guide walks you through setting up OpenID Connect (OIDC) single sign-on between TrueFoundry and Okta. Once finished, members of your Okta tenant can sign in to TrueFoundry through a **Login with Okta** button.

For SAML 2.0 instead of OIDC, see [SAML with Okta](/docs/platform/sso/okta/saml).

## Prerequisites

* A TrueFoundry tenant with **Admin** access to **Settings → Security & Access → SSO**.
* An Okta Workforce Identity Cloud tenant with permission to create new **Applications** (Super Admin or App Admin).
* Your Okta tenant domain — the hostname you use to reach the admin console, for example `https://acme.okta.com` or `https://acme.okta-emea.com`.

<Tip>
  The TrueFoundry OIDC callback URL is always `https://login.truefoundry.com/oauth2/callback`. Keep that value handy — you'll paste it into Okta during application setup.
</Tip>

## Configuration overview

<Steps>
  <Step title="Create an OIDC Web Application in Okta">
    Register a new OIDC – OpenID Connect application of type **Web Application**.
  </Step>

  <Step title="Collect the Client ID, Client Secret, and Issuer">
    Copy the credentials Okta generates and your Okta tenant domain.
  </Step>

  <Step title="Configure TrueFoundry">
    Paste the values into the TrueFoundry SSO form and save.
  </Step>

  <Step title="Assign users and test">
    Assign people or groups to the Okta application and sign in to verify.
  </Step>
</Steps>

## Step 1 — Create an OIDC application in Okta

<Steps>
  <Step title="Open the Okta admin console">
    Sign in to your Okta admin console (`https://<your-tenant>-admin.okta.com`) as an administrator.

    In the left navigation, expand **Applications → Applications** and click **Create App Integration**.

    <Frame caption="Expand Applications in the left nav of the Okta admin console.">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/okta/oidc-step-1-a.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=a3fe4687644eb9208e33472725f898f7" alt="Okta admin console dashboard with the Applications section highlighted in the left navigation" width="1500" height="938" data-path="images/sso/okta/oidc-step-1-a.png" />
    </Frame>

    <Frame caption="Click Create App Integration on the Applications page.">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/okta/oidc-step-1-b.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=d7aad642ecb65233f4d5f8b5c1afb326" alt="Okta Applications listing with the Create App Integration button highlighted" width="1500" height="938" data-path="images/sso/okta/oidc-step-1-b.png" />
    </Frame>
  </Step>

  <Step title="Pick OIDC – Web Application">
    In the **Create a new app integration** dialog:

    * **Sign-in method**: choose **OIDC – OpenID Connect**.
    * **Application type**: choose **Web Application**.

    Click **Next**.

    <Frame caption="Select OIDC – OpenID Connect and Web Application in the Create a new app integration dialog.">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/okta/oidc-step-1-c.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=ee3f6f0fd58661e2851913f583d29626" alt="Okta Create a new app integration dialog with OIDC – OpenID Connect and Web Application selected" width="1500" height="938" data-path="images/sso/okta/oidc-step-1-c.png" />
    </Frame>
  </Step>

  <Step title="Configure the integration">
    On the **New Web App Integration** page:

    * **App integration name**: a label such as `TrueFoundry`.

    * **Grant type**: ensure **Authorization Code** is checked. Leave the other grant types unchecked unless you have a specific reason.

    * **Sign-in redirect URIs**: click **Add URI** and enter:

      ```
      https://login.truefoundry.com/oauth2/callback
      ```

    * **Sign-out redirect URIs**: leave blank (or set it to your TrueFoundry login URL if you want a custom post-logout redirect).

    * **Assignments**: choose **Skip group assignment for now** — you'll assign users in Step 4.

    Click **Save**.

    <Frame caption="Set the app integration name and confirm Authorization Code is the only checked grant type.">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/okta/oidc-step-2-a.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=77fa47428b3ca59028bfc89ce5e3f52d" alt="Okta New Web App Integration page with the App integration name field highlighted" width="1500" height="938" data-path="images/sso/okta/oidc-step-2-a.png" />
    </Frame>

    <Frame caption="Click Add URI under Sign-in redirect URIs and paste the TrueFoundry callback URL.">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/okta/oidc-step-2-b.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=6b8fc2e3a7996b4b36c38c00b923a090" alt="Okta New Web App Integration page with the Sign-in redirect URIs section highlighted" width="1500" height="938" data-path="images/sso/okta/oidc-step-2-b.png" />
    </Frame>
  </Step>
</Steps>

## Step 2 — Collect the credentials

After saving, Okta opens the application's **General** tab.

<Steps>
  <Step title="Copy the Client ID and Client Secret">
    Under **Client Credentials**, copy:

    * **Client ID**
    * **Client secret** — click **Show** if it isn't already visible.

    Store both values somewhere safe; you'll paste them into TrueFoundry in Step 3.

    <Frame caption="Copy the Client ID and Client secret from the General tab. Your Okta tenant domain appears in the user dropdown at the top right.">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/okta/oidc-step-3-a.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=6a6a47202279ddf1d91e300374b0ecb8" alt="Okta OIDC application General tab showing the Client ID, Client Secrets section, and the Okta tenant domain in the user dropdown" width="1500" height="938" data-path="images/sso/okta/oidc-step-3-a.png" />
    </Frame>
  </Step>

  <Step title="Confirm the Issuer URL">
    Open the **Sign On** tab and find the **OpenID Connect ID Token** card. Make sure **Issuer** is set to **Okta URL**, which produces an issuer of the form:

    ```
    https://<your-tenant>.okta.com
    ```

    If the dropdown is currently set to **Dynamic**, change it to **Okta URL** and click **Save**.

    <Note>
      Your tenant domain is the hostname you use to sign in to the Okta dashboard. For European tenants this is usually `https://<your-tenant>.okta-emea.com`; for preview tenants it's `https://<your-tenant>.oktapreview.com`. Use whichever matches your environment.
    </Note>
  </Step>
</Steps>

## Step 3 — Configure TrueFoundry

<Steps>
  <Step title="Open SSO settings">
    In TrueFoundry, go to **Settings → Security & Access → SSO**.

    Click the **+** icon labeled **Add New SSO Config**.

    <Frame caption="SSO page in TrueFoundry — click the + icon to add a new SSO configuration">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/saml-truefoundry-add-sso-config.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=f768205b84d9f33ce04a8b8576ab0070" alt="TrueFoundry SSO settings page with the Add New SSO Config plus button highlighted" width="1024" height="263" data-path="images/sso/entra/saml-truefoundry-add-sso-config.png" />
    </Frame>
  </Step>

  <Step title="Fill in the SSO form">
    * **Enabled**: turn this on.

    * **Name**: a lowercase alphanumeric label — for example, `oktaoidc`.

    * **SSO Provider**: select **Okta**.

    * **Authentication Configuration**: choose **OIDC**.

    * **Client ID**: the **Client ID** from Okta.

    * **Client Secret**: the **Client secret** from Okta.

    * **Discover endpoints**: leave enabled.

    * **Issuer URL**: your Okta tenant URL — for example:

      ```
      https://<your-tenant>.okta.com
      ```

    * **Scopes** *(optional)*: leave blank to use the default `openid email`. Add `profile` if you want first and last name in the token.
  </Step>

  <Step title="Save">
    Click **Save**. TrueFoundry validates the issuer URL by fetching `/.well-known/openid-configuration` from it and stores the credentials.
  </Step>
</Steps>

## Step 4 — Assign users in Okta

Okta only lets users sign in to applications they've been explicitly assigned to.

<Steps>
  <Step title="Open Assignments">
    Inside your Okta application, click the **Assignments** tab and open the **Assign** dropdown.
  </Step>

  <Step title="Pick people or groups">
    Choose **Assign to People** or **Assign to Groups**, select the users or groups that should have TrueFoundry access, and click **Assign** for each. When you're done, click **Done**.

    <Tip>
      You can also assign from **Directory → People**: click a user, open **Assign Applications**, and pick the TrueFoundry app.
    </Tip>
  </Step>
</Steps>

<Warning>
  Users who are not assigned to the Okta application will see an "app not assigned to user" error when they click **Login with Okta** in TrueFoundry.
</Warning>

## Step 5 — Test single sign-on

1. Open a private/incognito window and visit your TrueFoundry login page.
2. Click **Login with Okta**.
3. Authenticate with an assigned Okta user.

You should land in the TrueFoundry dashboard. New users are created automatically if [JIT provisioning](/docs/platform/user-management#user-provisioning) is enabled.

## Optional next steps

* **Sync users and groups automatically** — see [SCIM with Okta](/docs/platform/sso/okta/scim).
* **Use SAML instead** — see [SAML with Okta](/docs/platform/sso/okta/saml).

## Troubleshooting

<AccordionGroup>
  <Accordion title="'Invalid issuer' or 'Discovery endpoint not found' when saving">
    The **Issuer URL** doesn't host an OpenID discovery document. Confirm the value is exactly your Okta tenant URL (for example `https://acme.okta.com`) with no trailing slash and no `/oauth2/default` suffix. You can test it directly by visiting `<issuer>/.well-known/openid-configuration` in your browser.
  </Accordion>

  <Accordion title="'Invalid client secret' or 'unauthorized_client'">
    The client secret in TrueFoundry doesn't match Okta. Regenerate the secret on the Okta application's **General → Client Credentials** card, copy the new value, and paste it into TrueFoundry's **Client Secret** field.
  </Accordion>

  <Accordion title="Sign-in works but the user's email is empty">
    Make sure your TrueFoundry **Scopes** include `email`, and (if you want first/last name) `profile`. If you renamed claims on the Okta side, expand **Show advanced fields** in TrueFoundry and set the **Email Claim** to the claim name Okta is emitting.
  </Accordion>

  <Accordion title="'You are not assigned to the client application'">
    The Okta user isn't assigned to your application. Go back to **Step 4** and assign them under the **Assignments** tab — either directly as a person or by adding them to an assigned group.
  </Accordion>
</AccordionGroup>
