# SSO With Okta

This document details the steps to set up Okta single sign-on (SSO) to manage authentication for StrongDM.

### Requirements

* OpenID Connect (OIDC) must be enabled for your account if you are using OIDC for Okta SSO integration with StrongDM. If it is not enabled, please contact Okta Support and request that they enable it. This can be completed in minutes.
* You must be a StrongDM user with the Administrator Permission Level and a user with administrator rights in your Okta account.

### Supported Features

If you wish to use IdP-initiated SSO, you can implement Okta SSO via the generic [SAML](/admin/principals/sso/saml.md) provider rather than via this OIDC integration.

### Steps

These steps describe how to create an OIDC app using Okta's App Integration Wizard (AIW).

{% hint style="info" %}
These instructions vary based on your organization's StrongDM region (not your individual location).
{% endhint %}

{% tabs %}
{% tab title="US" %}

1. Log in to Okta.
2. From the Admin Console, go to **Applications** > **Applications** and click **Browse App Catalog** (if you have already added the StrongDM app through our [User & Group Provisioning guide](/admin/principals/provisioning/okta-provisioning.md) you can skip to Step 7).
3. Search for and select the "StrongDM" app, then click **Add**.
4. Enter the **Base URL** for API requests: `https://app.strongdm.com`.
5. Change the label for the app if you'd like, then click **Done.**
6. On the **Sign On** tab, click **Edit** in the upper-right, then in the **Credentials Details** section set **Application username format** to "Email" and click **Save**.
7. From the **Client Credentials** section, copy the **Client ID** and **Client secret** values. You will need these values in the next step.
8. Next, assign the app to the users or groups that you would like to be able to authenticate to StrongDM using Okta. This can be done from the **Assignments** tab of the app’s configuration settings.
9. Copy the app's Okta domain, which will be the single sign-on URL in the next step. You can find the URL in your web browser's address bar (the full URL without `-admin`).
10. Log in to the StrongDM Admin UI and go to **Settings** > **User Management**. In the **Single Sign-on** section, click the lock icon to set the following:
    1. **Provider**: Select **Okta**.
    2. **Single sign-on URL**: Add your Okta domain.
    3. **Client ID**: Paste your client ID.
    4. **Client Secret**: Paste your client secret.
    5. Select your desired [general SSO settings](/admin/principals/sso.md#general-sso-options) and click **activate**.
11. Confirm all of these things, and then you should be ready to enable SSO:
    1. Go back to Okta and confirm Okta access.
    2. Confirm that the email addresses for all users are identical in both StrongDM and in Okta.
    3. Confirm that all users who you intend to grant database access have access to the StrongDM application by default.
       {% endtab %}

{% tab title="UK" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

1. Log in to Okta.
2. From the Admin Console, go to **Applications** > **Applications** and click **Browse App Catalog** (if you have already added the StrongDM app through our [User & Group Provisioning guide](/admin/principals/provisioning/okta-provisioning.md) you can skip to Step 7).
3. Search for and select the "StrongDM" app, then click **Add**.
4. Enter the **Base URL** for API requests: `https://app.uk.strongdm.com`.
5. Change the label for the app if you'd like, then click **Done.**
6. On the **Sign On** tab, click **Edit** in the upper-right, then in the **Credentials Details** section set **Application username format** to "Email" and click **Save**.
7. From the **Client Credentials** section, copy the **Client ID** and **Client secret** values. You will need these values in the next step.
8. Next, assign the app to the users or groups that you would like to be able to authenticate to StrongDM using Okta. This can be done from the **Assignments** tab of the app’s configuration settings.
9. Copy the app's Okta domain, which will be the single sign-on URL in the next step. You can find the URL in your web browser's address bar (the full URL without `-admin`).
10. Log in to the StrongDM Admin UI and go to **Settings** > **User Management**. In the **Single Sign-on** section, click the lock icon to set the following:
    1. **Provider**: Select **Okta**.
    2. **Single sign-on URL**: Add your Okta domain.
    3. **Client ID**: Paste your client ID.
    4. **Client Secret**: Paste your client secret.
    5. Select your desired [general SSO settings](/admin/principals/sso.md#general-sso-options) and click **activate**.
11. Confirm all of these things, and then you should be ready to enable SSO:
    1. Go back to Okta and confirm Okta access.
    2. Confirm that the email addresses for all users are identical in both StrongDM and in Okta.
    3. Confirm that all users who you intend to grant database access have access to the StrongDM application by default.
       {% endtab %}

{% tab title="EU" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

1. Log in to Okta.
2. From the Admin Console, go to **Applications** > **Applications** and click **Browse App Catalog** (if you have already added the StrongDM app through our [User & Group Provisioning guide](/admin/principals/provisioning/okta-provisioning.md) you can skip to Step 7).
3. Search for and select the "StrongDM" app, then click **Add**.
4. Enter the **Base URL** for API requests: `https://app.eu.strongdm.com`.
5. Change the label for the app if you'd like, then click **Done.**
6. On the **Sign On** tab, click **Edit** in the upper-right, then in the **Credentials Details** section set **Application username format** to "Email" and click **Save**.
7. From the **Client Credentials** section, copy the **Client ID** and **Client secret** values. You will need these values in the next step.
8. Next, assign the app to the users or groups that you would like to be able to authenticate to StrongDM using Okta. This can be done from the **Assignments** tab of the app’s configuration settings.
9. Copy the app's Okta domain, which will be the single sign-on URL in the next step. You can find the URL in your web browser's address bar (the full URL without `-admin`).
10. Log in to the StrongDM Admin UI and go to **Settings** > **User Management**. In the **Single Sign-on** section, click the lock icon to set the following:
    1. **Provider**: Select **Okta**.
    2. **Single sign-on URL**: Add your Okta domain.
    3. **Client ID**: Paste your client ID.
    4. **Client Secret**: Paste your client secret.
    5. Select your desired [general SSO settings](/admin/principals/sso.md#general-sso-options) and click **activate**.
11. Confirm all of these things, and then you should be ready to enable SSO:
    1. Go back to Okta and confirm Okta access.
    2. Confirm that the email addresses for all users are identical in both StrongDM and in Okta.
    3. Confirm that all users who you intend to grant database access have access to the StrongDM application by default.
       {% endtab %}
       {% endtabs %}
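
The following Python example is added here and is not StrongDM's or Okta's code. It covers two checks from the steps above: deriving the single sign-on URL from the Admin Console address-bar URL by dropping `-admin`, and confirming that email addresses are identical in StrongDM and Okta. The function names, the choice to drop the URL path, and the sample values are assumptions.

```python
from urllib.parse import urlsplit

def okta_domain(address_bar_url):
    """Single sign-on URL from the Okta Admin Console address-bar URL.

    Removes the "-admin" suffix from the org label. Dropping the path is an
    assumption, made because the StrongDM field expects the Okta domain.
    """
    parts = urlsplit(address_bar_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https:// Okta URL")
    org, dot, rest = parts.hostname.partition(".")
    if not dot or not rest:
        raise ValueError("hostname has no domain suffix")
    if org.endswith("-admin"):
        org = org[: -len("-admin")]
    if not org:
        raise ValueError("hostname has no org label")
    return f"https://{org}.{rest}"

def email_mismatches(strongdm_emails, okta_emails):
    """Report addresses that are not identical in both systems."""
    sdm, okta = set(strongdm_emails), set(okta_emails)
    # Okta-only addresses, indexed by a case- and whitespace-folded key.
    folded = {e.strip().lower(): e for e in okta - sdm}
    near = sorted(
        (e, folded[e.strip().lower()])
        for e in sdm - okta
        if e.strip().lower() in folded
    )
    return {
        "differ_by_case_or_space": near,
        "only_in_strongdm": sorted(sdm - okta - {a for a, _ in near}),
        "only_in_okta": sorted(okta - sdm - {b for _, b in near}),
    }

if __name__ == "__main__":
    # Constructed sample values, not taken from a real tenant.
    print(okta_domain("https://example-admin.okta.com/admin/app/strongdm/"))
    print(email_mismatches(
        ["alice@example.com", "Bob@example.com", "carol@example.com"],
        ["alice@example.com", "bob@example.com", "dave@example.com"],
    ))
```

Any non-empty list in the result points to a user whose address needs correcting in one system before SSO is enabled.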

