> For the complete documentation index, see [llms.txt](https://docs.kouncil.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.kouncil.io/getting-started/configuration/authentication/sso/okta.md).

# Okta

## Okta configuration

In Okta, you have to create a new Web application with `OIDC - OpenID Connect` Sign-in method:

<div align="left"><img src="/files/7Vjg9RVH6fubyELzDFzr" alt="" width="820"></div>

In the next step you have to configure callback URI, which should look like this: `http://<your-application-url>/oauth`

<div align="left"><img src="/files/FzF4JwVEQMgFDehHZ8iN" alt="" width="820"></div>

Before saving configuration you have to configure application assignments.

<div align="left"><img src="/files/lcsj1tvnSduVIvOjLGVH" alt="" width="820"></div>

In the last step if you should configure groups claim filter to get user groups with access token. You can use any of the compare methods, `Equals`, `Matches regex`, etc. which will match your requirements and Okta groups configuration.

<div align="left"><img src="/files/KUQuVRyuiiPtaWDdIoDN" alt="" width="820"></div>

## Kouncil configuration

In Kouncil you can configure Okta SSO by adding below snippet to your configuration file. You have to replace `your-client-id`, `your-client-secret`, `your-application-url` and `your-domain-id`

```yaml
kouncil:
  auth:
    active-provider: sso
    sso:
      supported:
        providers: okta
spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: <your-client-id>
            client-secret: <your-client-secret>
            redirect-uri: http://<your-application-url>/oauth
            scope: openid,profile,email,groups
        provider:
          okta:
            authorization-uri: https://<your-domain-id>/oauth2/v1/authorize
            token-uri: https://<your-domain-id>/oauth2/v1/token
            user-info-uri: https://<your-domain-id>/oauth2/v1/userinfo
            jwk-set-uri: https://<your-domain-id>/oauth2/v1/keys 
```
