openZro

Okta SSO with openZro Self-Hosted

Okta is a cloud-based identity and access management service for enterprise use, providing single sign-on, multi-factor authentication, and lifecycle management.

Add Okta as an external IdP directly in the openZro Management Dashboard. This is the simplest approach and recommended for most deployments.

Prerequisites

  • openZro self-hosted with embedded IdP enabled
  • Okta Workforce Identity Cloud account

Step 1: Start Creating OIDC Application in Okta

  1. Navigate to Okta Admin Dashboard
  2. Click ApplicationsApplications
  3. Click Create App Integration

Create app integration

  1. Select:
    • Sign-in method: OIDC - OpenID Connect
    • Application type: Web Application

OIDC Web Application

  1. Click Next
  2. Fill in:
    • App integration name: openZro
    • Grant type: Authorization Code
    • Leave redirect URIs empty for now (you'll add this in Step 3)
  3. Under Assignments, select an option for controlled access:
    • Allow everyone in your organization to access (recommended for testing)
    • Limit access to selected groups (for production)
    • Skip group assignment for now (assign later)

Assignments

  1. Don't click Save yet — keep this tab open and proceed to Step 2

Step 2: Get Redirect URL from openZro

  1. Open a new tab or window and log in to your openZro Dashboard
  2. Navigate to SettingsIdentity Providers
  3. Click Add Identity Provider
  4. Fill in the fields:
FieldValue
TypeOkta
NameOkta (or your preferred display name)
Client IDFrom Okta application (will fill after Step 3)
Client SecretFrom Okta application (will fill after Step 3)
IssuerYour Okta URL (e.g., https://your-org.okta.com)
  1. Copy the Redirect URL that openZro displays (but don't click Add Provider yet)

Copy redirect URL

Step 3: Complete Okta Application Setup

  1. Return to the Okta tab
  2. In the Sign-in redirect URIs field, paste the redirect URL you copied from openZro

Sign-in redirect URIs

  1. Click Save
  2. Note the Client ID and Client Secret — you'll need these for Step 4

Client ID

Step 4: Complete openZro Setup

  1. Return to the openZro tab
  2. Fill in the Client ID and Client Secret from Step 3

Complete configuration

  1. Click Add Provider

Step 5: Test the Connection

  1. Log out of openZro Dashboard
  2. On the login page, you should see an "Okta" button
  3. Click it and authenticate with your Okta credentials
  4. You should be redirected back to openZro and logged in. Unless your user approval setting were changed you will need to log back into your local admin account to approve the user.

Configuring JWT 'groups' Claim

To sync Okta groups with openZro, you need to configure Okta to include a groups claim in the ID token. There are two methods depending on your Okta setup.

This method works with Okta's org authorization server and is the simplest approach:

  1. In Okta Admin Console, go to ApplicationsApplications
  2. Select your openZro application
  3. Go to the Sign On tab
  4. Click Edit in the OpenID Connect ID Token section
  5. Under Group claim type, select Filter
  6. In Group claims filter:
    • Claim name: groups
    • Filter: Select Matches regex and enter .* (to include all groups)
  7. Click Save

Groups claim configuration

Method 2: Custom Authorization Server

If you're using a custom authorization server (required for access token claims):

  1. In Okta Admin Console, go to SecurityAPI
  2. Select your custom authorization server
  3. Go to the Claims tab
  4. Click Add Claim
  5. Configure the claim:
    • Name: groups
    • Include in token type: ID Token (select Always)
    • Value type: Groups
    • Filter: Select Matches regex and enter .*
  6. Click Create

Custom authorization server groups claim configuration

The groups claim has a limit of 100 groups. If a user belongs to more than 100 groups that match the filter, the request will fail. Use a more specific filter (e.g., ^openZro-.*) to limit the groups included.

Enable JWT Group Sync in openZro

After configuring Okta:

  1. In openZro Dashboard, go to SettingsGroups
  2. Enable JWT group sync
  3. Set JWT claim to groups
  4. Optionally configure JWT allow groups to restrict access

Standalone Setup (Advanced)

Use Okta as your primary identity provider instead of openZro's embedded IdP. This option gives you full control over authentication and user management, is recommended for experienced Okta administrators as it also requires additional setup and ongoing maintenance.

For most deployments, the embedded IdP is the simpler choice — it's built into openZro, fully integrated, and requires minimal configuration to get started. For this implementation, go back up to the Management Setup (Recommended) section above.

For detailed instructions on the standalone setup, see the Okta SSO with openZro Self-Hosted (Legacy) documentation.

If you prefer to have full control over authentication, consider self-hosted alternatives like PocketID.

Troubleshooting

"Invalid redirect URI" error

  • Ensure all redirect URIs are configured in Okta
  • Check for trailing slashes
  • Verify the application type matches the use case

"Invalid issuer" error

  • Ensure the issuer is set to use the Okta URL (not dynamic)
  • Verify the OIDC configuration endpoint returns valid JSON