# Single Sign-On with Okta (OIDC)

This guide covers adding an Okta app integration to enable single sign-on (SSO) using OpenID Connect (OIDC) for Veza, and managing teams and roles within your identity provider.

To enable SSO, you need access to the Okta admin portal and the `administrator` role in Veza.

### Step 1: Create an Okta app integration

Log in to your Okta administration portal (for example, `https://oktadomain-admin.okta.com`).

Open *Applications* > *Applications* and click *Create App Integration*.

![Creating an app](/files/ES5NK9rK2J2eMZnftQUI)

Select *OIDC* for the *Sign-in method*, choose *Web Application* for the *Application type*, and then click *Next*:

![Selecting OIDC and Web Application](/files/3zsBmzrSK4sK8PIZYFMq)

Give the app a name and click *Next*:

![Naming the app](/files/NoWR81PZ3jTbzEpQFscN)

### Step 2: Configure the Sign-in redirect URIs

To configure the *Sign-in redirect*, first retrieve the Veza **Redirect URL** and **Logout URL**: in Veza, open the *Administration* cog icon (at the bottom of the navigation sidebar) > *Sign-in Settings*, click *Configure* under *Enable OpenID Connect*, and copy the two values shown at the top of the dialog box.

In the Okta App:

1. Enter the **Redirect URL** in the **Sign-in redirect URIs** section
2. Enter the **Logout URL** in the **Logout redirect URIs** section

![Configuring the app](/files/bkE52KfbfSpMgGcs82r1)

### Step 3 (Optional): Configure RP Initiated Logout / Single Logout (SLO)

RP Initiated Logout allows the relying party (Veza) to initiate the logout process. When enabled, logging out from Veza automatically logs the user out from Okta as well.

To enable RP Initiated Logout in Veza:

1. Navigate to *Administration* > *Sign-in Settings* and click *Configure* under *Enable OpenID Connect*
2. Toggle **Enable RP Initiated Logout** to enabled
3. Copy the displayed **Single logout URL**

![RP Initiated Logout option in Veza](/files/EAxDdMyxazevwkvbEQy6)

In the Okta App **Logout** section:

1. Select the **User logs out of other logout-initiating apps or Okta** checkbox
2. Select the **Include user session details** checkbox

![Configuring Single logout (SLO)](/files/ALLit0H5kMgQ85EAuKUh)

### Step 4: Save the Okta app configuration

Click *Save* to apply the Okta app configuration. Leave the tab open.

![Save Okta App configuration](/files/bYA4yUFvHpkwfWQ5fgXg)

### Step 5: Configure and enable Veza single sign-on

1. In Okta, copy the **Client ID** from the *Client Credentials* section
2. In Veza, navigate to *Administration* > *Sign-in Settings* and click *Configure* under *Enable OpenID Connect*
3. Enter the **Idp Issuer URL**, which is your Okta org URL (e.g. <https://oktadomain.okta.com>)
4. Paste the **Client ID** from Okta into the **Client ID** field
5. Select *Private Key JWT* as the *Auth Method*
6. Copy the **Public Keys URL** that Veza then displays
7. In Okta, click *Edit* on the *Client Credentials* section
8. Select **Public key / Private key** as the *Client authentication* method
9. Enable the **Require PKCE as additional verification** checkbox
10. Paste the **Public Keys URL** from Veza into the **Url** field under the *Public Keys* section
11. Click *Save* to save the configuration in Okta
12. Optionally, add [role mappings](/4yItIzMvkpAvMVFAamTf/administration/administration/sign-in-settings/sso-feature-role-mapping.md) to assign users to Veza teams and roles based on their Okta group assignments
13. Click *Confirm* to finalize the configuration in Veza

![Finalize Okta App Configuration](/files/q9vIp4ZRWG2MJYAcfl7Z)
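Steps 5 to 10 above replace a shared client secret with *Private Key JWT* client authentication plus PKCE: Veza signs a short-lived JWT with a private key it never shares, Okta fetches the matching public key from the **Public Keys URL** (a JWKS document), and the PKCE challenge ties the authorization code to the client that started the login. The following Go program is an added example, not code from Veza or Okta, that shows both halves of that exchange in one place: publishing a JWKS, building and signing the `private_key_jwt` client assertion (RFC 7523), verifying it the way an identity provider would, and the PKCE S256 verifier/challenge check (RFC 7636). The client ID, the token endpoint URL and the JWKS field layout are assumptions for illustration; use the values from your own Veza and Okta configuration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Constructed placeholders: a made-up client ID and an assumed Okta org token endpoint.
const (
	clientID      = "0oa-EXAMPLE-CLIENT-ID"
	tokenEndpoint = "https://oktadomain.okta.com/oauth2/v1/token"
)

var enc, dec = base64.RawURLEncoding.EncodeToString, base64.RawURLEncoding.DecodeString

// jwk is one entry of the JWKS document the Public Keys URL serves (RFC 7517 shape, assumed).
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

func newRSAKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// publishJWKS exposes only the public half; the private key never leaves the relying party.
func publishJWKS(kid string, pub *rsa.PublicKey) ([]byte, error) {
	return json.Marshal(map[string][]jwk{"keys": {{Kty: "RSA", Kid: kid,
		N: enc(pub.N.Bytes()), E: enc(big.NewInt(int64(pub.E)).Bytes())}}})
}

// clientAssertion builds the private_key_jwt sent with the token request (RFC 7523):
// iss and sub are the client_id, aud is the token endpoint, exp is short, jti is unique.
func clientAssertion(kid string, priv *rsa.PrivateKey, now time.Time) (string, error) {
	jti := make([]byte, 16)
	rand.Read(jti) // crypto/rand: unique per assertion so the IdP can reject replays
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), "jti": enc(jti)})
	input := enc(header) + "." + enc(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc(sig), nil
}

// verifyAssertion mirrors the IdP side: pin the algorithm, resolve kid from the JWKS,
// check the signature, then the claims. Any failure rejects the token request.
func verifyAssertion(token string, jwksDoc []byte, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	var hdr struct{ Alg, Kid string }
	if hb, err := dec(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return errors.New("header rejected: only RS256 is accepted")
	}
	var set struct{ Keys []jwk }
	var pub *rsa.PublicKey
	_ = json.Unmarshal(jwksDoc, &set)
	for _, k := range set.Keys {
		if nb, err := dec(k.N); err == nil && k.Kty == "RSA" && k.Kid == hdr.Kid {
			eb, _ := dec(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
	if pub == nil {
		return errors.New("no JWKS key matches kid")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := dec(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("signature invalid")
	}
	var c struct{ Iss, Sub, Aud string; Exp int64 }
	if cb, err := dec(parts[1]); err != nil || json.Unmarshal(cb, &c) != nil {
		return errors.New("claims undecodable")
	}
	if c.Iss != clientID || c.Sub != clientID || c.Aud != tokenEndpoint {
		return errors.New("iss/sub must be the client_id and aud this token endpoint")
	}
	if now.Unix() >= c.Exp {
		return errors.New("assertion expired")
	}
	return nil
}

// PKCE S256 (RFC 7636): the check "Require PKCE as additional verification" enforces on the code exchange.
func pkceChallenge(verifier string) string { s := sha256.Sum256([]byte(verifier)); return enc(s[:]) }
func pkceMatches(verifier, challenge string) bool {
	return subtle.ConstantTimeCompare([]byte(pkceChallenge(verifier)), []byte(challenge)) == 1
}
```

The verifier pins the algorithm before looking at anything else, so a token claiming `none` or an HMAC algorithm is rejected rather than being checked against the RSA public key; it also insists that `aud` is its own token endpoint, which is what stops an assertion issued for one IdP from being replayed against another. Because the JWKS is fetched from the URL you pasted in step 10, Okta must be able to reach that URL over HTTPS; if it cannot, every token request fails at the signature step.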

### Step 6: Save and enable the connection

Click *Save* on the configuration page to return to *Sign-in Settings*, then toggle *Enable OpenID Connect* to enable SSO. Users will now see a *Login with SSO* option, which redirects to Okta for authentication.

![Enabling Veza SSO](/files/AGIIniVNTh2QbjXXOI5s)
