Okta Self Serve SSO Steps - OIDC

The following steps have to be executed in the SingleStore Helios Portal and the Okta Admin portal sequentially.

In the SingleStore Helios Portal

  1. Open the ORG:your-org menu on the top and go to Organization Details.

  2. Select the Authentication tab.

  3. Use the Add Identity Provider list on the right and select OpenID Connect 1.0 identity provider connection.

  4. Fill in the Issuer as your Okta URL. For example, https://trial-8600099.okta.com/.

In the Okta Admin Portal

  1. In the Okta Admin console, select Applications from the left panel.

  2. Using the BrowsApp Integration Catalog, select Create New App or Create App Integration.

  3. Choose OIDC - OpenID Connect as the protocol and select Web Application.

  4. Fill in the details:

    • App integration name: as SingleStore

    • Select the logo for SingleStore for the application logo.

  5. Under Client acting on behalf of a user, select Refresh Token.

  6. From the SingleStore Helios Portal copy:

    • Login Redirect URLs to Sign-in redirect URIs (clearing existing values first).

    • Login initiation URI to Initiate login URI.

  7. Replace the Sign-out redirect URLs with https://portal.singlestore.com.

  8. Assign users to the app as appropriate and unselect Enable immediate access.

  9. Select Save .

In the SingleStore Helios Portal

  1. From the Okta portal copy:

    • ClientID to ClientID

    • ClientSecret to ClientSecret

  2. Use the scope of the Connection Setting, and set the following scopes:

    • email

    • profile

    • groups

    • offline_access

  3. Add your domain under domains and set the domain to Live.

  4. Get your domain verified with either of the following:

In the Okta Admin Portal

  1. Under General Settings, select Edit.

  2. Under Refresh Token, switch to Rotate token after every use. This can cause some accidental logouts but increases security.

  3. Switch Login initiated by to Either Okta or App and Save.

  4. Under Okta API Scopes grant okta.users.read.self.

  5. Assign the App to all appropriate users. Note that unless SCIM is also configured, being able to log in via single sign-on is just authentication. It provides no authorization and does not grant group membership in your SingleStore organization.

Last modified: July 16, 2024

Was this article helpful?