---
title: Okta as RP (OIDC)
description: "Estimated time to complete: 20 minutes"
component: pingoneaic
page_id: pingoneaic:use-cases:use-case-sso-oidc-sp-okta
canonical_url: https://docs.pingidentity.com/pingoneaic/use-cases/use-case-sso-oidc-sp-okta.html
keywords: ["Use Case", "OpenID Connect"]
page_aliases: ["implementation:use-case-idc-as-idp-oidc.adoc"]
section_ids:
  oidc-idp-description: Description
  oidc-idp-goals: Goals
  oidc-idp-prerequisites: Prerequisites
  oidc-idp-tasks: Tasks
  oidc-idp-web-app: "Task 1: Create a custom OIDC application in Advanced Identity Cloud"
  oidc-idp-okta-idp: "Task 2: Add Advanced Identity Cloud as an IDP in Okta"
  oidc-idp-validation: Validation
  validate_your_work_with_an_identity_that_exists_in_advanced_identity_cloud_and_okta: Validate your work with an identity that exists in Advanced Identity Cloud and Okta
  validate_your_work_with_an_identity_that_exists_in_advanced_identity_cloud_but_not_in_okta: Validate your work with an identity that exists in Advanced Identity Cloud but not in Okta
  oidc-idp-explore-further: Explore further
  oidc-idp-reference: Reference material
---

# Okta as RP (OIDC)

## Description

Estimated time to complete: 20 minutes (this assumes you complete the prerequisites beforehand).

In this use case, configure SSO using OIDC with Advanced Identity Cloud as the identity provider (IDP) and Okta as the relying party (RP), the role Okta's own documentation also calls the service provider (SP).

## Goals

After completing this use case, you will know how to do the following:

* Configure Advanced Identity Cloud as an OIDC identity provider

* Configure Okta as a remote SP

* Use the hosted account pages application dashboard to federate to Okta

## Prerequisites

Before you start, make sure you have the following:

* A basic understanding of:

  * The Advanced Identity Cloud admin console and hosted pages

  * SSO (Federation)

  * OIDC

* Completed the use case [Create test users and roles](use-case-test-users-and-roles.html)

* Access to your test Advanced Identity Cloud environment as an administrator

* Access to an Okta development environment as an administrator

## Tasks

|   |                                                                                                                |
| - | -------------------------------------------------------------------------------------------------------------- |
|   | This use case requires the use of third-party services. Use your environment-specific details where necessary. |

### Task 1: Create a custom OIDC application in Advanced Identity Cloud

1. Sign on to the Advanced Identity Cloud admin console.

2. In the Advanced Identity Cloud admin console, go to Applications > Custom Application > OIDC - OpenId Connect > Web.

3. On the Application Details page, add a web application with the following configuration, and then click Next:

   | Field        | Value                                                                                |
   | ------------ | ------------------------------------------------------------------------------------ |
   | Name         | `okta_client`                                                                        |
   | Description  | `Okta client`                                                                        |
   | Owners       | `App Owner`                                                                          |
   | App Logo URI | `https://www.okta.com/sites/default/files/Okta_Logo_BrightBlue_Medium-thumbnail.png` |

4. On the Web Settings page, add the following configuration, and then click Create Application:

   | Field         | Value                                                                                         |
   | ------------- | --------------------------------------------------------------------------------------------- |
   | Client ID     | `okta_client`                                                                                 |
   | Client Secret | Enter a password for the client. Remember the password because you need it to configure Okta. |

   The Okta client page is displayed.

5. On the Okta client page, go to the Sign On tab, add the following configuration, and then click Save:

   | Field        | Value                                                         |
   | ------------ | ------------------------------------------------------------- |
   | Sign-in URLs | `https://<okta-tenant-env-fqdn>/oauth2/v1/authorize/callback` |
   | Grant Types  | `Authorization Code`                                          |
   | Scopes       | `openid`, `profile`, `email`                                  |

6. At the end of the General Settings panel, click Show advanced settings, and then Authentication.

7. Set Token Endpoint Authentication Method to `client_secret_post` and click Save.

   The configuration should resemble the following examples:

   ![Add Okta client](_images/use-case-oidc-idp/oidc-client1.png)

   ![Add Okta client](_images/use-case-oidc-idp/oidc-client2.png)

   ![Add Okta client](_images/use-case-oidc-idp/oidc-client3.png)

|   |                                                                                                                                  |
| - | -------------------------------------------------------------------------------------------------------------------------------- |
|   | To require Advanced Identity Cloud to ask for consent to share information during authorization flows, deselect Implied Consent. |

### Task 2: Add Advanced Identity Cloud as an IDP in Okta

Refer to Okta's documentation on how to [Create an app at the Identity Provider](https://developer.okta.com/docs/guides/add-an-external-idp/openidconnect/main/#create-an-app-at-the-identity-provider).

1. Sign on to the administrator interface for your Okta tenant and go to the Dashboard.

2. On the Okta Admin Console, click Directory > People > Add person and create a user with the same configuration as a user in Advanced Identity Cloud. This example uses the following user:

   | Field                                    | Value                    |
   | ---------------------------------------- | ------------------------ |
   | Username                                 | `acruse`                 |
   | First Name                               | `alex`                   |
   | Last Name                                | `cruse`                  |
   | Email Address                            | `alex.cruse@example.com` |
   | I will set password                      | Enable                   |
   | Password                                 | `Secret12!`              |
   | User must change password on first login | Disable                  |

3. Select Security > Identity Providers > Add identity provider and add an OpenID Connect IdP.

4. On the Configure OpenID Connect IdP page, add the following configuration, and then click Finish. Leave other fields with the default values:

   | Field                  | Value                                                                                                                              |
   | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
   | Name                   | `ForgeRock`                                                                                                                        |
   | IdP Usage              | `SSO only`                                                                                                                         |
   | Scopes                 | `email`, `openid`, `profile`                                                                                                       |
   | Client ID              | `okta_client`                                                                                                                      |
   | Authentication type    | `Client secret`                                                                                                                    |
   | Client Secret          | The password created for `okta_client` in [Task 1: Create a custom OIDC application in Advanced Identity Cloud](#oidc-idp-web-app) |
   | Issuer                 | `https://<tenant-env-fqdn>:443/am/oauth2/alpha`. The port number is required: Okta compares the `iss` claim of each ID token with this value as an exact string, so it must match the issuer that Advanced Identity Cloud publishes in its discovery document at `https://<tenant-env-fqdn>/am/oauth2/alpha/.well-known/openid-configuration`. |
   | Authorization endpoint | `https://<tenant-env-fqdn>/am/oauth2/alpha/authorize`                                                                              |
   | Token endpoint         | `https://<tenant-env-fqdn>/am/oauth2/alpha/access_token`                                                                           |
   | JWKS endpoint          | `https://<tenant-env-fqdn>/am/oauth2/alpha/connect/jwk_uri`                                                                        |
   | Userinfo endpoint      | `https://<tenant-env-fqdn>/am/oauth2/alpha/userinfo`                                                                               |
   | If no match is found   | `Create new user (JIT)`                                                                                                            |
   | Profile Source         | `Update attributes for existing users`                                                                                             |

   The ForgeRock identity provider page is displayed.

5. (Optional) Select Edit profile and mappings to change the mapping of attributes from Advanced Identity Cloud to Okta.

6. Enable the ForgeRock identity provider:

   1. On the Okta Admin Console, go to Security > Identity Providers.

   2. On the Routing Rules tab, click Add Routing Rule to redirect sign-in requests that meet defined criteria to Advanced Identity Cloud for authentication. The following rule redirects every login whose username is in the `example.com` domain:

      | Field                           | Value                               |
      | ------------------------------- | ----------------------------------- |
      | Rule Name                       | `PingOne Advanced Identity Cloud`   |
      | IF User's IP is                 | `Anywhere`                          |
      | AND User's device platform is   | `Any device`                        |
      | AND User is accessing           | `Any application`                   |
      | AND User matches                | `Domain list on login`: `example.com` |
      | THEN Use this identity provider | `ForgeRock`                         |

      For other options, learn more in [Okta's documentation](https://help.okta.com/en-us/content/topics/security/configure-routing-rules.htm).

   3. At the Activate Rule prompt, activate the rule immediately.

      ![Routing rule](_images/use-case-oidc-idp/routing-rule.png)

**Check in**

At this point, you have:

* Created and configured a custom OIDC application in Advanced Identity Cloud for SSO with Okta

* Configured Okta to redirect sign-in requests for matching users to Advanced Identity Cloud for authentication, and to accept the user back after successful authentication
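Before running the validation steps, it is worth cross-checking the three places the same values were typed: the discovery document the alpha realm publishes, the `okta_client` application from Task 1, and the IdP definition from Task 2. The script below is an added example, not code from the Ping Identity or Okta documentation. The hostname `tenant.example.com`, the Okta domain `dev-000000.okta.com` and all three dictionaries are constructed stand-ins; in a real check, `AIC_DISCOVERY` is the JSON returned by `https://<tenant-env-fqdn>/am/oauth2/alpha/.well-known/openid-configuration`.

```python
"""Cross-check the Okta IdP settings (Task 2) against the Advanced Identity
Cloud discovery document and the okta_client application (Task 1).

Added example with constructed data; not code from either vendor's docs.
"""
from urllib.parse import urlsplit

# Constructed: discovery document for a hypothetical tenant. The issuer
# carries an explicit :443, which Okta must reproduce character for character.
AIC_DISCOVERY = {
    "issuer": "https://tenant.example.com:443/am/oauth2/alpha",
    "authorization_endpoint": "https://tenant.example.com/am/oauth2/alpha/authorize",
    "token_endpoint": "https://tenant.example.com/am/oauth2/alpha/access_token",
    "userinfo_endpoint": "https://tenant.example.com/am/oauth2/alpha/userinfo",
    "jwks_uri": "https://tenant.example.com/am/oauth2/alpha/connect/jwk_uri",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "token_endpoint_auth_methods_supported": [
        "client_secret_post", "client_secret_basic", "private_key_jwt"],
    "scopes_supported": ["openid", "profile", "email", "address", "phone"],
}

# Constructed: the okta_client web application as created in Task 1.
AIC_CLIENT = {
    "client_id": "okta_client",
    "redirect_uris": ["https://dev-000000.okta.com/oauth2/v1/authorize/callback"],
    "grant_types": ["authorization_code"],
    "scopes": ["openid", "profile", "email"],
    "token_endpoint_auth_method": "client_secret_post",
}

# Constructed: the values entered on Okta's Configure OpenID Connect IdP page.
OKTA_IDP = {
    "okta_domain": "dev-000000.okta.com",
    "issuer": "https://tenant.example.com:443/am/oauth2/alpha",
    "authorization_endpoint": "https://tenant.example.com/am/oauth2/alpha/authorize",
    "token_endpoint": "https://tenant.example.com/am/oauth2/alpha/access_token",
    "jwks_uri": "https://tenant.example.com/am/oauth2/alpha/connect/jwk_uri",
    "userinfo_endpoint": "https://tenant.example.com/am/oauth2/alpha/userinfo",
    "client_id": "okta_client",
    "scopes": ["email", "openid", "profile"],
}

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")


def check_idp_config(discovery, client, idp):
    """Return a list of findings; an empty list means the three views agree."""
    findings = []

    # An RP compares the ID token's iss claim with its configured issuer as an
    # exact string, so ":443" and the absence of a trailing slash both matter.
    if idp["issuer"] != discovery["issuer"]:
        findings.append(
            f"issuer mismatch: Okta has {idp['issuer']!r}, discovery publishes {discovery['issuer']!r}")
    for key in ENDPOINT_KEYS:
        if idp[key] != discovery[key]:
            findings.append(
                f"{key} mismatch: Okta has {idp[key]!r}, discovery publishes {discovery[key]!r}")
    for key in ("issuer",) + ENDPOINT_KEYS:
        if urlsplit(idp[key]).scheme != "https":
            findings.append(f"{key} is not https: {idp[key]!r}")

    # Okta's callback must be registered as a Sign-in URL on the AIC client;
    # the authorization server matches redirect_uri exactly, not by prefix.
    callback = f"https://{idp['okta_domain']}/oauth2/v1/authorize/callback"
    if callback not in client["redirect_uris"]:
        findings.append(f"callback {callback!r} is not a registered Sign-in URL")

    if idp["client_id"] != client["client_id"]:
        findings.append(
            f"client_id mismatch: Okta has {idp['client_id']!r}, AIC client is {client['client_id']!r}")
    if ("authorization_code" not in client["grant_types"]
            or "code" not in discovery["response_types_supported"]):
        findings.append("authorization code grant is not enabled end to end")
    method = client["token_endpoint_auth_method"]
    if method not in discovery["token_endpoint_auth_methods_supported"]:
        findings.append(f"token endpoint auth method {method!r} is not supported by the realm")

    requested = set(idp["scopes"])
    if "openid" not in requested:
        findings.append("Okta does not request the openid scope, so no ID token is issued")
    for name, allowed in (("the okta_client application", client["scopes"]),
                          ("the realm", discovery["scopes_supported"])):
        extra = sorted(requested - set(allowed))
        if extra:
            findings.append(f"scopes requested by Okta but not allowed by {name}: {extra}")
    return findings


if __name__ == "__main__":
    for line in check_idp_config(AIC_DISCOVERY, AIC_CLIENT, OKTA_IDP) or ["config is consistent"]:
        print(line)
```

Dropping the `:443` from the Okta issuer, or entering a different Okta domain than the one registered as the Sign-in URL, each produces a finding; these are the two mismatches that otherwise surface only as an error in the authorization or token response during validation.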

## Validation

Now that you have created and configured a custom OIDC application and configured Okta as the SP, validate the configurations by:

* Logging in to Okta as an end user

* Authenticating to Advanced Identity Cloud after redirection

### Validate your work with an identity that exists in Advanced Identity Cloud and Okta

1. In your browser's privacy or incognito mode, go to your Okta tenant.

2. Log in as the user you created in Okta. For example, log in as username `alex.cruse@example.com`.

   Because the username matches the routing rule created in [Task 2: Add Advanced Identity Cloud as an IDP in Okta](#oidc-idp-okta-idp), Okta redirects the request to Advanced Identity Cloud for authentication.

   If something is wrong, the authorization response contains error information to help you resolve the issue.

3. Log in to Advanced Identity Cloud as the identity you created in [Create test users and roles](use-case-test-users-and-roles.html). This example logs in as username `acruse` password `Secret12!`.

   If you deselected Implied Consent in [Task 1: Create a custom OIDC application in Advanced Identity Cloud](#oidc-idp-web-app), you are prompted for consent:

   ![Consent prompt](_images/use-case-oidc-idp/consent.png)

4. Click Allow to consent to Advanced Identity Cloud sharing the requested profile and email information with Okta.

   After consenting, you are signed on to Okta.

   ![Success](_images/use-case-oidc-idp/success-alex.png)

### Validate your work with an identity that exists in Advanced Identity Cloud but not in Okta

1. In a separate incognito browser, return to your Okta tenant.

2. In the Okta sign-on window, enter the email of a user that exists in Advanced Identity Cloud but not in Okta. For example, enter username `bina.raman@example.com` created in [Create test users and roles](use-case-test-users-and-roles.html).

   Okta redirects the request to Advanced Identity Cloud for authentication.

3. Log in to Advanced Identity Cloud as a user. For example, log in as username `braman` password `Secret12!`.

   After successful authentication, Okta's just-in-time (JIT) provisioning creates the user `braman` from the claims in the response and signs them in to Okta. Because the IdP is set to `Create new user (JIT)`, any identity that Advanced Identity Cloud authenticates and that the routing rule sends to it gets an Okta account; the routing rule only decides which sign-in attempts are redirected.

4. On the Okta Admin Console, click Directory > People and see that `braman@example.com` has been provisioned automatically.
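Both validation flows end with Okta receiving an ID token from the `access_token` endpoint and deciding whether to trust it for sign-in or JIT provisioning. The function below is an added example, not code from Okta or Ping Identity, of the claim-level checks an OIDC relying party applies at that point (OpenID Connect Core 1.0, section 3.1.3.7). It assumes the JWS signature has already been verified against the JWKS endpoint configured in Task 2, which a JOSE library does; the issuer, the `sub` value, the nonce and the timestamps in `SAMPLE_CLAIMS` are constructed for a hypothetical tenant.

```python
"""Claim checks an OIDC relying party such as Okta applies to an ID token
after verifying its signature. Added example with constructed data; not code
from the Okta or Ping Identity documentation.
"""
import time


class IdTokenError(Exception):
    """Raised when the ID token must be rejected."""


def validate_id_token_claims(claims, *, issuer, client_id, nonce, now=None, leeway=60):
    """Return the claims if they pass; raise IdTokenError with the reason otherwise."""
    now = time.time() if now is None else now

    # iss must equal the configured issuer exactly; an issuer entered in Okta
    # without the ":443" that Advanced Identity Cloud emits fails here.
    if claims.get("iss") != issuer:
        raise IdTokenError(f"iss {claims.get('iss')!r} does not match {issuer!r}")

    # aud may be a string or a list; this RP's client_id must be present, and
    # with several audiences azp must name this client.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise IdTokenError(f"aud {audiences!r} does not contain {client_id!r}")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("multiple audiences but azp is not this client")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise IdTokenError("token is expired or has no exp")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        raise IdTokenError("iat is missing or in the future")

    # The nonce ties the token to the authorization request the RP started,
    # which blocks replay of an ID token captured from another flow.
    if nonce is not None and claims.get("nonce") != nonce:
        raise IdTokenError("nonce does not match the authorization request")

    if not claims.get("sub"):
        raise IdTokenError("sub is missing")
    return claims


def rejected(claims, **kwargs):
    """True if validate_id_token_claims rejects the claims; used for checks."""
    try:
        validate_id_token_claims(claims, **kwargs)
    except IdTokenError:
        return True
    return False


# Constructed: the issuer as configured in Okta and claims as the alpha realm
# might issue for acruse once the profile and email scopes were granted.
# Times are fixed so the example is reproducible.
ISSUER = "https://tenant.example.com:443/am/oauth2/alpha"
CLIENT_ID = "okta_client"
NONCE = "n-0S6_WzA2Mj"
NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "sub": "a3f2c9e1-0000-4000-8000-000000000001",
    "aud": CLIENT_ID,
    "exp": NOW + 3600,
    "iat": NOW,
    "nonce": NONCE,
    "given_name": "alex",
    "family_name": "cruse",
    "email": "alex.cruse@example.com",
}


if __name__ == "__main__":
    ok = validate_id_token_claims(
        SAMPLE_CLAIMS, issuer=ISSUER, client_id=CLIENT_ID, nonce=NONCE, now=NOW)
    print("accepted", ok["email"])
    stale = dict(SAMPLE_CLAIMS, iss="https://tenant.example.com/am/oauth2/alpha")
    print("issuer without :443 rejected:",
          rejected(stale, issuer=ISSUER, client_id=CLIENT_ID, nonce=NONCE, now=NOW))
```

The `iss` comparison is the check that fails when the Issuer field in Task 2 omits the port, and the `aud` check is what fails when the Client ID in Okta does not match the `okta_client` application; both show up in the browser only as a generic error after the redirect back to Okta.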

## Explore further

### Reference material

| **Reference**                                                                                                                                                   | **Description**                                                                                                      |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
| [Add users manually](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-add-users.htm)                                                       | In Okta, manually add users, assign them to apps and groups, and manage their profile.                               |
| [Create an app at the Identity Provider](https://developer.okta.com/docs/guides/add-an-external-idp/openidconnect/main/#create-an-app-at-the-identity-provider) | In Okta, create a client application to use for authenticating and authorizing users.                                |
| [Configure identity provider routing rules](https://help.okta.com/en-us/content/topics/security/configure-routing-rules.htm)                                    | In Okta, configure routing rules for each of your Identity Providers or for different combinations of user criteria. |
| [Application management](../app-management/applications.html)                                                                                                   | Set up and manage applications that work with Advanced Identity Cloud.                                               |
