# Okta (OIDC)

## Prerequisites

<details>

<summary>Permissions required for registering and configuring an app in Okta</summary>

The Okta account must have permission to manage applications in Okta. Ideally the Okta account should be in the Super administrator role.

</details>

## Implement Single Sign-On (SSO)

It is recommended to use two separate browser tabs for the Keycloak (K) and Okta (O) portals to make it easier to apply the settings.

1. (K) Open a new tab in your browser and login to the target Spark tenant. Access the *Keycloak console* from the [Navigation menu](/navigation/navigation-menu.md#user-menu).
2. (K) Login to the Keycloak Admin Console using your admin credentials.
3. (K) Expand the *Add provider* dropdown and choose *OpenID Connect v1.0*.
4. (K) Fill in a value for the *Alias* field. The *Alias* should be a lowercase name without special symbols.
5. (K) Enter any name in the *Display Name* field. Please note this *Display Name* will appear in the button on the Spark login page.
6. (K) Copy the *Redirect URI* value.
7. (O) In a second browser tab, sign in to Okta.
8. (O) In the left tab, expand *Applications* and click on *Applications*.
9. (O) Click *Create App Integration*.
10. (O) For *Sign-in method* choose *OIDC - OpenID Connect* and for *Application type* choose *Web Application*. Click **Next**.
11. (O) Enter a name in the *App integration name* field.
12. (O) For *Grant type* select *Authorization Code*.
13. (O) In the *Sign-in redirect URIs* field, paste the *Redirect URI* value copied from Keycloak in step 6.
14. (O) For *Controlled access*, select *Allow everyone in your organization to access*. Check *Enable immediate access with Federation Broker Mode* then click **Save**.
15. (O) Copy the *Client ID* value.
16. (K) Return to Keycloak. In the *Client ID* field, paste the value copied in the previous step.
17. (O) Switch to Okta. Copy the *Client Secret*.
18. (K) Return to Keycloak. In the *Client Secret* field, paste the value copied in the previous step.
19. (O) Switch to Okta. Expand *Security* on the left pane and click on *API*.
20. (O) Click on the name of your authorization server to bring up its settings page.
21. (O) Copy the *Metadata URI*.
22. (K) Return to Keycloak. In the *Discovery endpoint* field, paste the value copied in the previous step.
23. (K) Click **Add**.
24. (K) Expand *Advanced*.
25. (K) For the *Scopes* field, enter `openid email profile` and click **Save**.
26. (O) Okta Authorization Servers require an Access Policy that defines which clients (applications) can request tokens and under what conditions. If there is no default Access Policy that applies to all applications, you must create one for your Okta OIDC app so that it can receive tokens.
    1. (O) In the left pane, expand Security, then select **API**.
    2. (O) Navigate to the *Authorization Servers* tab and click on the name of your Authorization Server.
    3. (O) Open the *Access Policies* tab.
    4. (O) Click **Add New Access Policy**.
    5. (O) Provide a name and description. In the *Assign to* section, select *The following clients*, enter the first three letters of your Okta OIDC app's name, select your app, and click **Create Policy**.
    6. (O) Click **Add Rule**.
    7. (O) Enter a name and uncheck *Client Credentials* and *Device Authorization*. Leave other settings as default unless your organization requires different values, then click **Create Rule**.
27. Navigate to your Spark tenant and sign in using the newly created provider. There will be a button on the Keycloak login page with the display name defined earlier.
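Before pasting the *Metadata URI* into Keycloak's *Discovery endpoint* field it is worth checking what the discovery document actually advertises, because Keycloak will trust its `issuer`, `token_endpoint` and `jwks_uri` values for every login that follows. The following check is an added example and is not part of the Coherent Spark documentation, Keycloak or Okta; the discovery document and the host name `example-tenant.okta.example` and server id `aus_placeholder` in it are constructed placeholders.

```python
"""Sanity-check an OIDC discovery document before it is used as a
Keycloak Discovery endpoint (added example; sample data is constructed)."""
import json
from urllib.parse import urlsplit

# Constructed, trimmed copy of what GET <Metadata URI> returns. A real Okta
# document carries many more keys; only the ones this check cares about are kept.
SAMPLE_METADATA_URI = ("https://example-tenant.okta.example/oauth2/aus_placeholder"
                       "/.well-known/openid-configuration")
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example-tenant.okta.example/oauth2/aus_placeholder",
    "authorization_endpoint": "https://example-tenant.okta.example/oauth2/aus_placeholder/v1/authorize",
    "token_endpoint": "https://example-tenant.okta.example/oauth2/aus_placeholder/v1/token",
    "jwks_uri": "https://example-tenant.okta.example/oauth2/aus_placeholder/v1/keys",
    "scopes_supported": ["openid", "email", "profile", "groups", "offline_access"],
    "grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"],
    "response_types_supported": ["code", "token", "id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Same document with a plaintext issuer and the `email` scope missing, to show what a
# failing check looks like (constructed).
_tampered = json.loads(SAMPLE_DISCOVERY)
_tampered["issuer"] = "http://example-tenant.okta.example/oauth2/aus_placeholder"
_tampered["scopes_supported"] = ["openid", "profile"]
TAMPERED_DISCOVERY = json.dumps(_tampered)

REQUIRED_SCOPES = ("openid", "email", "profile")   # the value entered in Keycloak's Scopes field
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(document: str, metadata_uri: str) -> list:
    """Return the problems found; an empty list means the document looks usable."""
    problems = []
    doc = json.loads(document)
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")
    issuer = doc.get("issuer", "")
    # Keycloak compares `issuer` against the `iss` claim of every ID token, so it must be
    # https and the discovery URL itself must live under it.
    if not issuer.startswith("https://"):
        problems.append("issuer is not https")
    if not metadata_uri.startswith(issuer.rstrip("/") + "/"):
        problems.append("metadata URI is not under the issuer")
    # All endpoints should be served by the issuer's host; a foreign host here would
    # redirect codes and signing keys elsewhere.
    for endpoint in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(endpoint, "")
        if url and urlsplit(url).netloc != urlsplit(issuer).netloc:
            problems.append(f"{endpoint} host differs from issuer host")
    missing = [s for s in REQUIRED_SCOPES if s not in doc.get("scopes_supported", [])]
    if missing:
        problems.append("scopes not advertised: " + " ".join(missing))
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("authorization_code grant not supported")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("no asymmetric ID token signing algorithm advertised")
    return problems


if __name__ == "__main__":
    print("sample  :", check_discovery(SAMPLE_DISCOVERY, SAMPLE_METADATA_URI))
    print("tampered:", check_discovery(TAMPERED_DISCOVERY, SAMPLE_METADATA_URI))
```

To run it against your own server, replace `SAMPLE_DISCOVERY` with the body returned by an HTTP GET of the *Metadata URI* copied in step 21 and pass that URI as `metadata_uri`.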

## Configure Okta groups to Spark user groups

{% hint style="info" %}
Do not configure a mapper for the `user:pf` group. This is the default minimal Spark group that users must belong to in order to sign in to Spark. Configuring a mapper for this group unnecessarily duplicates sign-in permission management already controlled by your Identity Provider.
{% endhint %}

It is recommended to use two separate browser tabs for the Keycloak (K) and Okta (O) portals to make it easier to apply the settings. In this guide, we will set up automatic group assignment for the `tenant-admin` role.

1. (O) In the first tab sign in to Okta.
2. (O) Expand *Directory* and click on *Groups*.
3. (O) Create a group and prefix it with spark (or any preferred prefix), for example `spark-tenant-admin`.
4. (O) Add the test user to the group.
5. (O) On the left pane, expand *Security* and click on *API*.
6. (O) Make sure the *Authorization Servers* tab is selected and click on the name of the server.
7. (O) Select Claims and then click **Add Claim**.
8. (O) Provide the following values then click **Create**.

   | Key                     | Value                  |
   | ----------------------- | ---------------------- |
   | *Name*                  | `groups`               |
   | *Include in token type* | `ID token and Always`  |
   | *Value Type*            | `Groups`               |
   | *Filter*                | `Matches regex and .*` |
   | *Include in*            | `Any scopes`           |
9. (K) Open a new tab in your browser and login to the target Spark tenant. Access the *Keycloak console* from the [Navigation menu](/navigation/navigation-menu.md#user-menu).
10. (K) Login to the Keycloak Admin Console using your admin credentials.
11. (K) Select *Identity Providers* from the left pane and then the identity provider you configured in the previous section.
12. (K) Select the *Mappers* tab and then **Add mapper**.
13. (K) Provide the following values.

    | Name                 | Value                     |
    | -------------------- | ------------------------- |
    | *Name*               | `tenant-admin`            |
    | *Sync mode override* | `force`                   |
    | *Mapper type*        | `Advanced Claim to Group` |
14. (K) Click *Add Claims*.
15. (K) Provide the following values:

    | Key      | Value          |
    | -------- | -------------- |
    | `groups` | `tenant-admin` |
16. (K) Leave *Regex Claim Values* as *Off* (which is the default).
17. (K) Click *Select Group*, choose `tenant-admin`, then click **Select**.
18. (K) Click **Save**.
19. Sign in to Coherent Spark with your test account. Click on your initials and hover over the groups icon to confirm your membership in `tenant-admin`.
20. We highly recommend creating at least a few additional app groups relevant for [Private tenants](https://docs.coherent.global/tenant-administration/private-tenant):
    * Group for `supervisor:pf` user accounts. In Spark, `supervisor:pf` members can manage permissions across all folders.
    * Groups for "standard" user accounts, e.g. `user:teamA`, `user:teamB`. These groups can be assigned to the users in your organization not responsible for tenant administration. Creating multiple roles for "standard" user accounts can be useful to separate access between teams.
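The *Advanced Claim to Group* mapper only assigns the Keycloak group when every claim key/value pair entered under *Add Claims* matches a value in the ID token, and with *Regex Claim Values* off that match is an exact string comparison against the Okta group names carried in the `groups` claim. The simulation below is an added example, not Keycloak's or Coherent Spark's code; the matching rules it models (all configured claims must match, a list-valued claim matches if any element matches, and sync mode `force` drops the group again when the claim no longer matches) are stated as assumptions about Keycloak's behaviour, and the decoded ID token payloads are constructed. It shows the check a practitioner should make when the Okta group is named with a prefix such as `spark-tenant-admin`: the claim value in the mapper has to be that exact name (or a regex with *Regex Claim Values* on), and `user:pf`, which has no mapper, is left untouched.

```python
"""Simulate Keycloak's Advanced Claim to Group mapper on an Okta `groups` claim
(added example; mapper semantics are assumptions, token payloads are constructed)."""
import re


def claim_matches(actual, expected, regex=False):
    """One configured key/value pair against the token's claim value.
    Okta's `groups` claim is a list; any element matching is enough."""
    values = actual if isinstance(actual, list) else [actual]
    if regex:
        return any(re.fullmatch(expected, str(v)) is not None for v in values)
    return any(str(v) == expected for v in values)


def mapper_applies(mapper, token_claims):
    """Every configured claim must be present in the token and match (the pairs are ANDed)."""
    return all(name in token_claims and claim_matches(token_claims[name], want, mapper["regex"])
               for name, want in mapper["claims"].items())


def sync_groups(groups_before, token_claims, mappers):
    """Groups a user holds after a login, given the groups held before it.
    Models sync mode `force`: membership is re-evaluated on every login, so a
    mapped group is removed when its claim no longer matches."""
    groups = set(groups_before)
    for mapper in mappers:
        if mapper_applies(mapper, token_claims):
            groups.add(mapper["group"])
        else:
            groups.discard(mapper["group"])
    return sorted(groups)


# Mapper as entered in the steps above: claim `groups` = `tenant-admin`, regex off.
AS_DOCUMENTED = {"group": "tenant-admin", "claims": {"groups": "tenant-admin"}, "regex": False}
# Same mapper with the claim value set to the Okta group's actual (prefixed) name.
EXACT_PREFIXED = {"group": "tenant-admin", "claims": {"groups": "spark-tenant-admin"}, "regex": False}
# Regex variant (Regex Claim Values on) that accepts any `spark-...-admin` group name.
REGEX_PREFIXED = {"group": "tenant-admin", "claims": {"groups": r"spark-.*-admin"}, "regex": True}

# Constructed decoded ID token payloads. With the claim's Filter set to "Matches regex .*",
# every Okta group the user belongs to is listed, including Okta's built-in "Everyone".
ADMIN_TOKEN = {"sub": "00u_placeholder_admin", "email": "admin@example.test",
               "groups": ["Everyone", "spark-tenant-admin"]}
USER_TOKEN = {"sub": "00u_placeholder_user", "email": "user@example.test",
              "groups": ["Everyone"]}


def demo():
    """Return the outcome of each scenario so it can be inspected or asserted on."""
    return {
        # Okta group is `spark-tenant-admin`, mapper expects `tenant-admin`: no match.
        "documented_value": sync_groups(["user:pf"], ADMIN_TOKEN, [AS_DOCUMENTED]),
        # Claim value equals the Okta group name: group assigned.
        "exact_value": sync_groups(["user:pf"], ADMIN_TOKEN, [EXACT_PREFIXED]),
        # Regex on: group assigned as well.
        "regex_value": sync_groups(["user:pf"], ADMIN_TOKEN, [REGEX_PREFIXED]),
        # Force sync: user removed from the Okta group loses tenant-admin at next login.
        "revoked": sync_groups(["user:pf", "tenant-admin"], USER_TOKEN, [EXACT_PREFIXED]),
    }


if __name__ == "__main__":
    for name, groups in demo().items():
        print(f"{name:17s} -> {groups}")
```

The `revoked` scenario is the reason *Sync mode override* is set to `force` in the table above: without it, a group assigned at first login would persist after the user is removed from the Okta group.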

## Create a bookmark application for Coherent Spark

See [Okta My Apps Dashboard](/identity-and-access-management/single-sign-on/okta-my-apps-dashboard.md).


