Okta Self Serve SSO Steps - OIDC
The following steps have to be executed in the SingleStore Helios Portal and the Okta Admin portal sequentially.
In the SingleStore Helios Portal
- Open the ORG:your-org menu on the top and go to Organization Details.
- Select the Authentication tab.
- Use the Add Identity Provider list on the right and select OpenID Connect 1.0 identity provider connection.
- Fill in the Issuer as your Okta URL. For example, https://trial-8600099.okta.com/
In the Okta Admin Portal
- In the Okta Admin console, select Applications from the left panel.
- Using the Browse App Integration Catalog, select Create New App or Create App Integration.
- Choose OIDC - OpenID Connect as the protocol and select Web Application.
- Fill in the details:
  - App integration name: SingleStore
  - Select the logo for SingleStore for the application logo.
- Under Client acting on behalf of a user, select Refresh Token.
- From the SingleStore Helios Portal copy:
  - Login Redirect URLs to Sign-in redirect URIs (clearing existing values first).
  - Login initiation URI to Initiate login URI.
- Replace the Sign-out redirect URLs with https://portal.singlestore.com
- Assign users to the app as appropriate and unselect Enable immediate access.
- Select Save.
In the SingleStore Helios Portal
- From the Okta portal copy:
  - ClientID to ClientID
  - ClientSecret to ClientSecret
- Use the scope of the Connection Setting, and set the following scopes:
  - email
  - profile
  - groups
  - offline_access
- Add your domain under domains and set the domain to Live.
- Get your domain verified with either of the following:
  - Ask SingleStore customer support to verify it (only for customers with signed contracts).
In the Okta Admin Portal
- Under General Settings, select Edit.
- Under Refresh Token, switch to Rotate token after every use. This can cause some accidental logouts but increases security.
- Switch Login initiated by to Either Okta or App and Save.
- Under Okta API Scopes grant okta.users.read.self
- Assign the App to all appropriate users.
Note that unless SCIM is also configured, being able to log in via single sign-on is just authentication. It provides no authorization and does not grant group membership in your SingleStore organization.
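The trade-off behind the Rotate token after every use setting, as an added example that is not part of the original page and is not Okta's or SingleStore's code: a simplified Python model in which presenting an already-rotated refresh token revokes the session. The class and function names, and the policy of revoking on any reuse with no grace period, are assumptions made for illustration.

```python
import secrets


class RotatingTokenStore:
    """Toy model of an authorization server that rotates refresh tokens."""

    def __init__(self):
        self.current = {}     # session id -> the one refresh token still valid
        self.session_of = {}  # every token ever issued -> its session id
        self.revoked = set()  # sessions killed by reuse detection

    def login(self):
        return self._issue(secrets.token_hex(4))

    def _issue(self, session):
        token = secrets.token_urlsafe(16)
        self.current[session] = token
        self.session_of[token] = session
        return token

    def refresh(self, token):
        """Return the next refresh token, or None if the caller must sign in again."""
        session = self.session_of.get(token)
        if session is None or session in self.revoked:
            return None
        if self.current[session] != token:
            # A token that was already rotated came back: a copy is in someone
            # else's hands, or a client retried with a stale value. Assumed
            # policy: revoke the whole session.
            self.revoked.add(session)
            return None
        return self._issue(session)


def copied_token_scenario():
    store = RotatingTokenStore()
    t0 = store.login()
    t1 = store.refresh(t0)        # legitimate client rotates t0 -> t1
    replay = store.refresh(t0)    # a copy of t0 is replayed: rejected
    client = store.refresh(t1)    # session revoked, so the user is logged out too
    return t1 is not None, replay, client


def lost_response_scenario():
    store = RotatingTokenStore()
    t0 = store.login()
    store.refresh(t0)             # server rotated, but the reply never arrived
    return store.refresh(t0)      # client retries with t0: accidental logout
```

The first scenario shows the security gain (a replayed copy of a rotated token is rejected and ends the session); the second shows how a lost refresh response produces the accidental logout the step mentions.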
Last modified: November 26, 2024