# Okta

## Okta configuration

In Okta, you have to create a new Web application with the `OIDC - OpenID Connect` sign-in method:

<div align="left"><img src="https://3407253183-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fati3UyTUvoHySBuUDBQT%2Fuploads%2Fgit-blob-2ca8ff0eee603adde33dae8593fcc215fbd0eb35%2Fkouncil_okta_new_app.png?alt=media" alt="" width="820"></div>

In the next step, you have to configure the callback URI, which should look like this: `http://<your-application-url>/oauth`. This is the same value you set as `redirect-uri` in the Kouncil configuration.

<div align="left"><img src="https://3407253183-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fati3UyTUvoHySBuUDBQT%2Fuploads%2Fgit-blob-d32f78304214a6ebceb4386dc6df60fe16a5deb6%2Fkouncil_okta_callbacks.png?alt=media" alt="" width="820"></div>

Before saving the configuration, you have to configure the application assignments.

<div align="left"><img src="https://3407253183-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fati3UyTUvoHySBuUDBQT%2Fuploads%2Fgit-blob-a3476c9bdbe245b43e3472c40c6b1ca86e434592%2Fkouncil_okta_assignments.png?alt=media" alt="" width="820"></div>

In the last step, you should configure the groups claim filter so that user groups are returned with the access token. You can use any of the compare methods (`Equals`, `Matches regex`, etc.) that matches your requirements and your Okta groups configuration.

<div align="left"><img src="https://3407253183-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fati3UyTUvoHySBuUDBQT%2Fuploads%2Fgit-blob-c2c336d0ae5e2646c363062ca0eb840a4863cd53%2Fkouncil_okta_groups.png?alt=media" alt="" width="820"></div>

## Kouncil configuration

In Kouncil, you can configure Okta SSO by adding the snippet below to your configuration file. You have to replace `your-client-id`, `your-client-secret`, `your-application-url` and `your-domain-id`.

```yaml
kouncil:
  auth:
    active-provider: sso
    sso:
      supported:
        providers: okta
spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: <your-client-id>
            client-secret: <your-client-secret>
            redirect-uri: http://<your-application-url>/oauth
            scope: openid,profile,email,groups
        provider:
          okta:
            authorization-uri: https://<your-domain-id>/oauth2/v1/authorize
            token-uri: https://<your-domain-id>/oauth2/v1/token
            user-info-uri: https://<your-domain-id>/oauth2/v1/userinfo
            jwk-set-uri: https://<your-domain-id>/oauth2/v1/keys
```
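
A pre-deployment check for the snippet above, added here as an example and not part of Kouncil: it flags leftover `<...>` placeholders, a missing `openid` or `groups` scope, and provider endpoints that are not https or do not all point at one host. The name `check_config` and every value in `SAMPLE` are constructed for illustration.

```python
import re
from urllib.parse import urlparse

ENDPOINTS = ("authorization-uri", "token-uri", "user-info-uri", "jwk-set-uri")

def check_config(yaml_text):
    """Return a list of problems found in a Kouncil Okta SSO config."""
    # Assumption: leaf keys are unique in this snippet, so "key: value" lines suffice.
    cfg = dict(re.findall(r"^[ \t]*([\w-]+):[ \t]+(\S+)[ \t]*$", yaml_text, re.M))
    problems = [f"{k}: placeholder not replaced"
                for k, v in cfg.items() if re.search(r"<[^>]+>", v)]
    if cfg.get("active-provider") != "sso":
        problems.append("active-provider is not 'sso'")
    if urlparse(cfg.get("redirect-uri", "")).path != "/oauth":
        problems.append("redirect-uri path is not /oauth")
    scopes = set(cfg.get("scope", "").split(","))
    for missing in sorted({"openid", "groups"} - scopes):
        problems.append(f"scope is missing '{missing}'")
    urls = [urlparse(cfg.get(name, "")) for name in ENDPOINTS]
    if any(u.scheme != "https" for u in urls):
        problems.append("a provider endpoint is not an https URL")
    if len({u.netloc for u in urls}) != 1:
        problems.append("provider endpoints do not share one host")
    return problems

# Constructed sample: secret left as placeholder, groups scope dropped, odd token host.
SAMPLE = """
kouncil:
  auth:
    active-provider: sso
spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: 0oaEXAMPLE
            client-secret: <your-client-secret>
            redirect-uri: http://kouncil.example.test/oauth
            scope: openid,profile,email
        provider:
          okta:
            authorization-uri: https://example.okta.test/oauth2/v1/authorize
            token-uri: https://other.example.test/oauth2/v1/token
            user-info-uri: https://example.okta.test/oauth2/v1/userinfo
            jwk-set-uri: https://example.okta.test/oauth2/v1/keys
"""
print("\n".join(check_config(SAMPLE)))
```
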
