Okta Self Serve SSO Steps - OIDC

Open the ORG:your-org menu on the top and go to Organization Details.

Select the Authentication tab.

Use the Add Identity Provider list on the right and select OpenID Connect 1.0 identity provider connection.

Fill in the Issuer as your Okta URL. For example, https://trial-8600099.okta.com/.

In the Okta Admin console, select Applications from the left panel.

Using the BrowsApp Integration Catalog, select Create New App or Create App Integration.

Choose OIDC - OpenID Connect as the protocol and select Web Application.

Fill in the details:

• App integration name: as SingleStore

• Select the logo for SingleStore for the application logo.

Under Client acting on behalf of a user, select Refresh Token.

From the SingleStore Helios Portal copy:

• Login Redirect URLs to Sign-in redirect URIs (clearing existing values first).

• Login initiation URI to Initiate login URI.

Replace the Sign-out redirect URLs with https://portal.singlestore.com.

Assign users to the app as appropriate and unselect Enable immediate access.

Select Save .

From the Okta portal copy:

• ClientID to ClientID

• ClientSecret to ClientSecret

Use the scope of the Connection Setting, and set the following scopes:

• email

• profile

• groups

• offline_access

Add your domain under domains and set the domain to Live.

Get your domain verified with either of the following:

• Domain verification

• Ask SingleStore customer support to verify it (only for customers with signed contracts).

Under General Settings, select Edit.

Under Refresh Token, switch to Rotate token after every use. This can cause some accidental logouts but increases security.

Switch Login initiated by to Either Okta or App and Save.

Under Okta API Scopes grant okta.users.read.self.

Assign the App to all appropriate users. Note that unless SCIM is also configured, being able to log in via single sign-on is just authentication. It provides no authorization and does not grant group membership in your SingleStore organization.