To support OpenID Connect (OIDC)-based Single Sign On (SSO) from Okta, you must first set up an application in Okta. To set up an OIDC-based application in Okta for SSO, perform the steps on this procedure.


Ensure you have an Okta account to sign in.


  1. Log in to your Okta account as an Admin user.
    The Okta home screen appears.
    Note: If you are in the Developer Console view, then you must switch to the Classic UI view by selecting Classic UI from the Developer Console drop-down list.
  2. To create a new application:
    1. In the upper navigation bar, click Applications > Add Application.
      The Add Application screen appears.
    2. Click Create New App.
      The Create a New Application Integration dialog box appears.
    3. From the Platform drop-drop menu, select Web.
    4. Select OpenID Connect as the Sign on method and click Create.
      The Create OpenID Connect Integration screen appears.
    5. Under the General Settings area, in the Application name text box, enter the name for your application.
    6. Under the CONFIGURE OPENID CONNECT area, in the Login redirect URIs text box, enter the redirect URL that your SASE Orchestrator application uses as the callback endpoint.
      In the SASE Orchestrator application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. Ideally, the SASE Orchestrator redirect URL will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback.
    7. Click Save. The newly created application page appears.
    8. On the General tab, click Edit and select Refresh Token for Allowed grant types, and click Save.
      Note down the Client Credentials (Client ID and Client Secret) to be used during the SSO configuration in SASE Orchestrator.
    9. Click the Sign On tab and under the OpenID Connect ID Token area, click Edit.
    10. From the Groups claim type drop-down menu, select Expression. By default, Groups claim type is set to Filter.
    11. In the Groups claim expression textbox, enter the claim name that will be used in the token, and an Okta input expression statement that evaluates the token.
    12. Click Save.
      The application is setup in IDP. You can assign user groups and users to your SASE Orchestrator application.
  3. To assign groups and users to your SASE Orchestrator application:
    1. Go to Application > Applications and click on your SASE Orchestrator application link.
    2. On the Assignments tab, from the Assign drop-down menu, select Assign to Groups or Assign to People.
      The Assign <Application Name> to Groups or Assign <Application Name> to People dialog box appears.
    3. Click Assign next to available user groups or users you want to assign the SASE Orchestrator application and click Done.
      The users or user groups assigned to the SASE Orchestrator application will be displayed.


You have completed setting up an OIDC-based application in Okta for SSO.

What to do next

Configure Single Sign On in SASE Orchestrator.