# Okta Self Serve SSO Steps - OIDC

The following steps have to be executed in the SingleStore Helios Portal and the Okta Admin portal sequentially.

## In the SingleStore Helios Portal

1. Open the **ORG:your-org** menu on the top and go to **Organization Details**.

2. Select the **Authentication** tab.

3. Use the **Add Identity Provider** list on the right and select the `OpenID Connect 1.0` identity provider connection.

4. Fill in the **Issuer** as your Okta URL. For example, `https://trial-8600099.okta.com/`.

## In the Okta Admin Portal

1. In the Okta Admin console, select **Applications** from the left panel.

2. Using the **Browse App Integration Catalog**, select **Create New App** or **Create App Integration**.

3. Choose `OIDC - OpenID Connect` as the protocol and select `Web Application`.

4. Fill in the details:

   * **App integration name**: *SingleStore*
   * Select the logo for SingleStore for the application logo.

5. Under **Client acting on behalf of a user**, select **Refresh Token**.

6. From the SingleStore Helios Portal copy:

   * **Login Redirect URLs** to **Sign-in redirect URIs** (clearing existing values first).
   * **Login initiation URI** to **Initiate login URI**.

7. Replace the **Sign-out redirect URLs** with `https://portal.singlestore.com`.

8. Assign users to the app as appropriate and unselect **Enable immediate access**.

9. Select **Save**.

## In the SingleStore Helios Portal

1. From the Okta portal copy:

   * **ClientID** to **ClientID**
   * **ClientSecret** to **ClientSecret**

2. In the **Connection Setting**, set the following scopes:

   * email
   * profile
   * groups
   * offline\_access

3. [Add your domain](https://docs.singlestore.com/cloud/security/portal-access/troubleshooting-sso-connections/#section-idm4551296101785633961190540101.md) under domains and set the domain to `Live`.

4. Get your domain verified with either of the following:

   * [Domain verification](https://docs.singlestore.com/cloud/security/portal-access/identity-provider-connections/#section-idm4545492259355233864600968389.md)
   * Ask [SingleStore customer support](https://support.singlestore.com/) to verify it (only for customers with signed contracts).

## In the Okta Admin Portal

1. Under `General Settings`, select `Edit`.

2. Under `Refresh Token`, switch to `Rotate token after every use`. This can cause some accidental logouts but increases security.

3. Switch `Login initiated by` to `Either Okta or App` and `Save`.

4. Under `Okta API Scopes` grant `okta.users.read.self`.

5. Assign the App to all appropriate users. Note that unless SCIM is also configured, being able to log in via single sign-on is just authentication. It provides no authorization and does not grant group membership in your SingleStore organization.
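Before saving the connection, the **Issuer** value can be checked against the issuer's OpenID Connect discovery document. The following is an added example, not SingleStore or Okta code: it checks a parsed discovery document for the scopes listed above and the refresh token grant. The sample documents are constructed, and both the trailing-slash handling and the `authorization_code` requirement are assumptions.

```python
from urllib.parse import urlsplit

# Scopes this page tells you to set in the Helios connection.
REQUIRED_SCOPES = {"email", "profile", "groups", "offline_access"}
# refresh_token is the option selected on this page; authorization_code is an
# assumption about how a Web Application integration signs users in.
REQUIRED_GRANTS = {"authorization_code", "refresh_token"}

def discovery_url(issuer):
    """Standard OIDC discovery location for an issuer URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_issuer(configured_issuer, metadata):
    """Return a list of problems; an empty list means the issuer looks usable."""
    problems = []
    cfg = urlsplit(configured_issuer)
    if cfg.scheme != "https" or not cfg.hostname or cfg.query or cfg.fragment:
        problems.append("issuer must be a plain https URL")
    # Assumption: a trailing slash is not significant when comparing issuers.
    if metadata.get("issuer", "").rstrip("/") != configured_issuer.rstrip("/"):
        problems.append("metadata issuer does not match the configured issuer")
    for scope in sorted(REQUIRED_SCOPES - set(metadata.get("scopes_supported", []))):
        problems.append(f"scope not advertised: {scope}")
    for grant in sorted(REQUIRED_GRANTS - set(metadata.get("grant_types_supported", []))):
        problems.append(f"grant type not advertised: {grant}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        ep = urlsplit(metadata.get(key, ""))
        if ep.scheme != "https" or ep.hostname != cfg.hostname:
            problems.append(f"{key} is missing or not https on the issuer host")
    return problems

# Constructed sample documents (not real Okta output), using the page's example issuer.
ISSUER = "https://trial-8600099.okta.com/"
GOOD = {
    "issuer": "https://trial-8600099.okta.com",
    "authorization_endpoint": "https://trial-8600099.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://trial-8600099.okta.com/oauth2/v1/token",
    "jwks_uri": "https://trial-8600099.okta.com/oauth2/v1/keys",
    "scopes_supported": ["openid", "email", "profile", "groups", "offline_access"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
}
# Same document with a mistyped issuer host and no groups scope.
BAD = dict(GOOD, issuer="https://trial-8600999.okta.com",
           scopes_supported=["openid", "email", "profile", "offline_access"])

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_issuer(ISSUER, doc) or "ok")
```

To check a real tenant, fetch the JSON at the URL returned by `discovery_url()` and pass the parsed document to `check_issuer()`.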

***

Modified at: November 26, 2024

Source: [/cloud/security/portal-access/oidc/okta-self-serve-sso-steps-oidc/](https://docs.singlestore.com/cloud/security/portal-access/oidc/okta-self-serve-sso-steps-oidc/)

