Okta

info

Please reach out to sales for SSO access.

This article describes the steps to configure Okta as the identity provider for NocoDB.

NocoDB, Retrieve Redirect URL

  1. Go to Account Settings
  2. Select Authentication (SSO)
  3. Click on New Provider button
  4. In the pop-up modal, specify a Display name for the provider; this name will be used to display the provider on the login page
  5. Retrieve the Redirect URL; it will need to be configured later with the Identity Provider

Okta, Configure NocoDB as an Application

  1. Sign in to your Okta account and navigate to the "Get started with Okta" page.
    • Click on Add App for the Single Sign-On option.
    • On the Browse App Integration Catalog page, select Create New App
  2. In the pop-up with title Create a new app integration
    • Choose OIDC - OpenID Connect as the Sign-in method
    • Choose Web Application as the Application type
  3. Go to General Settings on the New Web App Integration page
    • Provide your application's name.
    • From the Options in the Grant type allowed section, select Authorization Code and Refresh Token
    • Add the Redirect URL under Sign-in redirect URIs.
    • From the Assignments section, select an option from Controlled access to set up the desired accessibility configuration for this application.
    • Save
  4. On your new application,
    • Go to the General tab
    • Copy the Client ID and Client Secret from the Client Credentials section.
  5. From the Account dropdown in the navigation bar
    • Copy Okta Domain
  6. Append "/.well-known/openid-configuration" to the Okta Domain URL and open it

NocoDB, Configure Okta as an Identity Provider

In NocoDB, open Account Settings > Authentication > OIDC. On the "Register OIDC Identity Provider" modal, insert the following information:

  • Insert Client ID retrieved in step (4) above as Client ID
  • Insert Client Secret retrieved in step (4) above as Client Secret
  • Insert authorization_endpoint retrieved in step (6) above as Authorization URL
  • Insert token_endpoint retrieved in step (6) above as Token URL
  • Insert userinfo_endpoint retrieved in step (6) above as Userinfo URL
  • Insert jwks_uri retrieved in step (6) above as JWK Set URL
  • Set Scope as openid profile email offline_access
  • In the Username Attribute field, enter the name of the claim that represents the user's email. The default value is "email".
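
An added example, not part of the NocoDB documentation: a Python helper that builds the discovery URL from the Okta Domain and maps the returned document onto the modal fields listed above, rejecting any endpoint that is not HTTPS on the Okta Domain's host. The host name and sample document are constructed placeholders, and the same-host check is an assumption about Okta's layout rather than an OIDC requirement.

```python
from urllib.parse import urlsplit

# NocoDB modal field -> key in the OpenID configuration document (mapping from this page)
FIELD_MAP = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Userinfo URL": "userinfo_endpoint",
    "JWK Set URL": "jwks_uri",
}
SCOPES = "openid profile email offline_access".split()
GRANTS = ["authorization_code", "refresh_token"]  # grant types selected in Okta
# Constructed sample document; placeholder host, not a real Okta org
SAMPLE = {
    "issuer": "https://dev-000000.okta.example",
    "authorization_endpoint": "https://dev-000000.okta.example/oauth2/v1/authorize",
    "token_endpoint": "https://dev-000000.okta.example/oauth2/v1/token",
    "userinfo_endpoint": "https://dev-000000.okta.example/oauth2/v1/userinfo",
    "jwks_uri": "https://dev-000000.okta.example/oauth2/v1/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
}

def discovery_url(okta_domain: str) -> str:
    """Build the discovery URL from the Okta Domain copied from the Account dropdown."""
    host = okta_domain.strip().removeprefix("https://").rstrip("/")
    return f"https://{host}/.well-known/openid-configuration"

def nocodb_fields(okta_domain: str, config: dict) -> dict:
    """Return the values for the NocoDB modal, or raise ValueError on a mismatch."""
    expected_host = urlsplit(discovery_url(okta_domain)).hostname
    if urlsplit(config.get("issuer", "")).hostname != expected_host:
        raise ValueError("issuer does not match the Okta Domain")
    fields = {}
    for label, key in FIELD_MAP.items():
        url = urlsplit(config.get(key, ""))
        if url.scheme != "https" or url.hostname != expected_host:
            raise ValueError(f"{key} is missing, not HTTPS, or on another host")
        fields[label] = config[key]
    missing = [s for s in SCOPES if s not in config.get("scopes_supported", [])]
    missing += [g for g in GRANTS if g not in config.get("grant_types_supported", [])]
    if missing:
        raise ValueError(f"not advertised by the provider: {missing}")
    fields["Scope"] = " ".join(SCOPES)
    return fields

if __name__ == "__main__":
    print(discovery_url("dev-000000.okta.example"))
    print(nocodb_fields("dev-000000.okta.example", SAMPLE))
```

In practice, replace `SAMPLE` with the JSON document returned by the discovery URL for your own Okta Domain.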

On the sign-in page, users should now see the Sign in with <SSO> option.

note

After signing out, refresh the page (the first time) if you do not see the Sign in with <SSO> option.

For information about Okta API Scopes, refer here