Okta
To configure Appsmith to use Okta as an OIDC provider, follow the steps below:
Prerequisites
-
A self-hosted Appsmith instance. See the installation guides for installing Appsmith.
-
Before setting up Single Sign-On (SSO), ensure that you have already configured a custom domain for your instance.
-
In Appsmith, go to Admin Settings > Authentication and click Enable on OIDC.
-
Copy the Redirect URL from the OIDC configuration page to add it when creating the application in Okta.
Create application on Okta
-
Log in to your Okta account and click Admin from the top right corner.
-
On the Get started with Okta page, click Add App for Use single sign on.
-
On the Browse App Integration Catalog page, click Create New App.
-
A pop-up titled Create a new app integration appears. Choose OIDC - OpenID Connect as the Sign-in method and select Application type as Web Application.
-
On the New Web App Integration page, go to the general settings:
a. Add a name for your app in the App integration name field.
b. Select Authorization Code and Refresh Token from the options in the Grant type section.
c. Add the Redirect URL copied from the OIDC configurations in Appsmith in the Sign-in redirect URIs field.
d. Scroll down to the Assignments section and pick an option from Controlled access configure the Accessibility of this application as required.
e. Click Save.
-
On your new application, go to the General tab, and copy the Client ID and Client Secret to add them later in the OIDC configurations in Appsmith.
-
Open your account dropdown from the navigation bar, and copy your Okta domain that is mentioned below your Email.
-
Add
/.well-known/openid-configuration
at the end of your Okta domain, and open the<your-okta-domain>/.well-known/openid-configuration
URL in your browser and copy the following URLs from that page:
-
authorization_endpoint
-
token_endpoint
-
userinfo_endpoint
-
jwks_uri
Register Okta in Appsmith
To complete the OIDC configuration, you have to register the identity provider on Appsmith. Go to Admin Settings > Authentication > OIDC, and follow the steps below:
-
Add the Client ID and Client Secret copied from the Okta application into the respective fields.
-
Add the URLs copied from the
<your-okta-domain>/.well-known/openid-configuration
page into OIDC configurations in Appsmith as per the table below:
OIDC configuration field | Okta URL |
---|---|
Authorization URL | authorization_endpoint |
Token URL | token_endpoint |
User Info URL | userinfo_endpoint |
JWK Set URL | jwks_uri |
- In the Scope box, specify the scopes to be used by the application during authentication to authorize access to a user's details. By default, there are three scopes -
openid
,email
, andprofile
.
Appsmith needs openid
and email
as mandatory scopes. It’s also highly recommended to use the offline_access
scope to avoid errors related to expired access tokens and excessive re-login requests. For more information, see Okta API scopes.
- In the Username Attribute box, specify the name of the claim which represents the email of the user. The default value is
email
.
Once you have added the details, click the SAVE & RESTART button to save the configuration and restart the instance.
After the Appsmith instance restarts, try logging in again to your account. You'll see a login screen with the SIGN IN WITH OIDC SSO button.