Okta OIDC
Overview
The Okta SSO integration with Akto provides a centralised way to authenticate users through your existing identity provider. Akto leverages OpenID Connect (OIDC) to verify user identities and apply access controls based on identity attributes and group memberships.
With this integration, authentication and authorisation can be managed directly in Okta, while Akto handles role-based access enforcement during user login.
Configure Okta Account for Akto SSO
You can set up Okta SSO along with role mapping in a unified flow that links Okta identities, group claims, and Akto’s role enforcement.
Create Okta Application for Akto
Open your Okta Admin Console and go to Applications. Click on Create App Integration.
Under Sign-in Method, select OIDC - OpenID Connect. Choose Web Application as the application type.
Provide the name Akto in App integration name.
Add the following under Sign-in redirect URIs:
https://app.akto.io/authorization-code/callback
If using Okta-initiated login, include this under Initiate login URI:
https://app.akto.io/okta-initiate-login?accountId=<your-akto-accountId>
Assign the application to the necessary users or groups. Save the configuration.
Copy the CLIENT_ID and CLIENT_SECRET from the created application.
Replace <your-akto-accountId> in the Initiate login URI with your actual account ID, which you can find in Akto settings.
Configure Authorisation Server for Group Claims
Update your Okta authorisation server to include a groups claim in the access token.
If your organisation already uses Okta groups for access control, you can reuse them. Create new groups only if you need separate access definitions for Akto.
Refer to Okta documentation for guidance on group creation.
Group claims enable Akto to determine user roles based on their group memberships.
Generate Okta API Token
Navigate to:
Security → API → Tokens
Generate a new token
Assign a name to the token
Set IP restrictions to:
Any IP
Note
Providing a valid Okta API token allows Akto to automatically fetch available group names. This simplifies the mapping process and minimizes manual configuration errors.
Copy and store the generated API token.
API Access Management in Okta
It is recommended to have the API Access Management feature enabled in Okta. Without this feature, users cannot customise the access policies of authorisation server IDs.
By default, Okta provides only a single default authorisation server, which cannot be modified. Enabling API Access Management allows organisations to create and configure custom authorisation servers, giving them more control over access policies and security.
Setup Okta SSO in Akto Dashboard
Follow these steps within the Akto dashboard:
Go to Integrations → Okta SSO in the Akto dashboard.
The dashboard shows the same Okta configuration steps described above. Click Next to continue.

Provide the following details:
Client ID: Client ID from the Okta application
Client Secret: Client secret from the Okta application
Authorisation Server ID: Identifier of the Okta authorisation server
Domain Name: Your Okta domain (e.g., your-org.okta.com)
API Token: Generated Okta API token

Submit the configuration to activate SSO.
Configure Group-to-Role Mapping in Akto
Once SSO is enabled, define how Okta groups correspond to Akto roles.
Navigate to Group mapping & API access and click Edit.

Enter the exact Okta group name in Okta group name.
The group name must exactly match the value present in the access token or returned via the Okta API.
Select the appropriate role in Akto role, such as Admin, Security Engineer, Developer, or Guest.

Click Add to create the mapping.
Each Okta group can be linked to only one Akto role, and each role can be assigned once.
Repeat the steps for any additional group mappings.
If group claims are missing from the access token, provide the Management API token in the same section.
Save your changes.

Role Assignment During Login
During user authentication, Akto evaluates group memberships and assigns roles based on the configured mappings.
Okta groups define access levels
Akto roles control permissions within the platform
The API token supports fallback group retrieval when needed
This setup enables centralized identity management in Okta while ensuring consistent authorisation enforcement within Akto.
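The following is an added, stand-alone illustration of the login-time evaluation described above; it is not Akto's code and not taken from the Okta documentation. It shows what a groups claim in an access token looks like, enforces the mapping rules stated on this page (an exact group-name match, one role per group, each role assigned once), and falls back to a directory lookup when the groups claim is absent. The group names, user IDs and the fetch_groups_from_directory function are constructed placeholders; the latter stands in for a call to the Okta Management API made with the API token. The token built here is unsigned purely so there is a payload to parse: a real Okta token is RS256-signed and is verified against the org's JWKS by the OIDC client before any claim is read.

```python
import base64
import json
from typing import Callable, Dict, List, Optional

# Akto roles named on this page.
AKTO_ROLES = ("Admin", "Security Engineer", "Developer", "Guest")

# Constructed group-to-role mapping, in the shape the dashboard collects
# (Okta group name -> Akto role). Group names are compared exactly.
GROUP_ROLE_MAPPING: Dict[str, str] = {
    "akto-admins": "Admin",
    "akto-security": "Security Engineer",
    "akto-developers": "Developer",
    "akto-readonly": "Guest",
}

# Constructed stand-in for the Okta directory (user id -> group names).
FAKE_OKTA_DIRECTORY: Dict[str, List[str]] = {
    "00u-fallback-user": ["Everyone", "akto-developers"],
}


def validate_mapping(mapping: Dict[str, str]) -> bool:
    """Check the page's constraints: every role is a known Akto role and
    each role is assigned to at most one group. Raises ValueError otherwise."""
    seen = set()
    for group, role in mapping.items():
        if role not in AKTO_ROLES:
            raise ValueError(f"group {group!r}: unknown Akto role {role!r}")
        if role in seen:
            raise ValueError(f"role {role!r} is mapped from more than one group")
        seen.add(role)
    return True


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the example has a payload to parse.
    Never accept alg=none in production; Okta tokens are RS256-signed."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def read_claims(access_token: str) -> dict:
    """Decode the JWT payload. Assumption: the signature was already verified
    by the OIDC client library; this helper only reads claims for mapping."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def fetch_groups_from_directory(user_id: str) -> List[str]:
    """Placeholder for the Management API lookup performed with the API token."""
    return FAKE_OKTA_DIRECTORY.get(user_id, [])


def resolve_role(
    claims: dict,
    mapping: Dict[str, str],
    fetch_groups: Optional[Callable[[str], List[str]]] = None,
) -> Optional[str]:
    """Return the Akto role for a user, or None if no mapped group applies."""
    groups = claims.get("groups")
    if groups is None and fetch_groups is not None:
        # Fallback: groups claim missing from the token, ask the directory.
        groups = fetch_groups(claims["sub"])
    if not groups:
        return None
    member_of = set(groups)
    # Assumption: when a user is in several mapped groups, the mapping entry
    # added first wins. The page does not define a precedence rule.
    for group, role in mapping.items():
        if group in member_of:
            return role
    return None


if __name__ == "__main__":
    validate_mapping(GROUP_ROLE_MAPPING)
    token = make_unsigned_token({"sub": "00u-claim-user",
                                 "groups": ["Everyone", "akto-security"]})
    print(resolve_role(read_claims(token), GROUP_ROLE_MAPPING))
    print(resolve_role({"sub": "00u-fallback-user"}, GROUP_ROLE_MAPPING,
                       fetch_groups=fetch_groups_from_directory))
```

The fallback path is only reached when the token carries no groups claim at all; a token whose groups claim is present but contains no mapped group yields no role, which is the case the group-name "exact match" rule on this page is meant to catch.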