# Okta SSO

Cortex supports configuring Single Sign-On (SSO) with Okta to protect access to your Cortex workspace. Additionally, you can configure [Okta SCIM with Cortex](https://docs.cortex.io/configure/settings/managing-users/provisioning-users-with-scim/okta-scim).

Cortex also supports an integration to track Okta teams and team members as entity owners as well as create Scorecards involving your Okta teams. See the [Okta integration page](https://docs.cortex.io/ingesting-data-into-cortex/integrations/okta) for more information.

## How to configure Okta SSO for Cortex

There are two options to configure Okta SSO in Cortex:

* Installing the [Cortex app in the Okta Integration Network (OIN)](https://www.okta.com/integrations/cortex/)
  * This option provides a simplified setup for most standard use cases. It is compatible with [Okta SCIM](https://docs.cortex.io/configure/settings/managing-users/provisioning-users-with-scim/okta-scim) provisioning features.
* Creating your own app
  * This option is best if you need more flexibility in configuring redirect behavior, want to configure automatic sign-on, or if you require multiple or advanced configurations.

You must have the `Configure OpenID Connector & SCIM` permission.

{% tabs %}
{% tab title="Cortex OIN app" %}
**Step 1: Install the Cortex OIN app**

Cortex's OIN app configures the initial steps for Okta SSO.

* Install the [Cortex app from Okta's app list](https://www.okta.com/integrations/cortex/).
  * Alternatively, in your Okta instance you can navigate to **Applications** then select Cortex from the **App integration catalog**.

**Step 2: Copy the client ID and client secret**

1. In Okta, navigate to the **Applications** page and select the Cortex app from your list of applications.
2. Click the **Sign On** tab.

   <div align="left"><figure><img src="https://826863033-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJW7pYRxS4dHS3Hv6wxve%2Fuploads%2Fgit-blob-afd17eb3defb205a5e3349bc2ed2d058b3ca0198%2Fokta-sso.jpg?alt=media" alt="In Okta, click the Sign On tab to find the client ID and client secret." width="375"><figcaption></figcaption></figure></div>
3. Copy the values of the client ID and client secret. Store them in a secure location, as you will need these in the next steps.

**Step 3: Obtain your issuer URI**

In Okta, each authorization server has a unique issuer URI. See [Okta's instructions](https://developer.okta.com/docs/concepts/auth-servers/) for information on finding your Okta issuer URI. It should look like `https://{okta-domain}.okta.com`.

**Step 4: Configure SSO in Cortex**

1. In your Cortex workspace, navigate to [**Settings > OpenID Connector**](https://app.getcortexapp.com/admin/settings/oidc).
2. Configure the form:
   * **Type**: Select `Okta`.
   * **Identifier:** Enter the client ID from Step 2.
   * **Secret:** Enter the client secret from Step 2.
   * **Issuer:** Enter the issuer URI from Step 3.
3. At the bottom of the page, click **Save**.

After saving your configuration, users will only have the option to sign in to your Cortex workspace via your Okta account.
{% endtab %}

{% tab title="Your own app" %}
**Step 1: Create an Okta app integration**

1. From your Okta admin console, navigate to **Applications** and select **Create App Integration**.
2. In the modal under the sign-in methods, select **OIDC - OpenID Connect**. Under **Application type**, select **Web Application**.
3. On the next page, enter a name, logo, and grant type for the app.
   * To bypass the login screen and enable automatic sign on, see [Auto sign-on](#auto-sign-on) below.
4. Click **Save**.
   * You will be redirected to the app's overview page.
5. From the app's overview, click the **General** tab. Copy the values of the client ID and client secret. Store these in a secure location, as you will need them in the next steps.

**Auto sign-on**

You can bypass the login screen and enable automatic sign-on with the following configuration for your Okta app:

* **Grant type:** Authorization Code
* **Initiate login URI:** `https://cortexapp.auth0.com/login/callback`
* **Sign-in redirect URI:** `https://app.getcortexapp.com/login?tenantCode=TENANT_CODE`

**Step 2: Configure SSO in Cortex**

1. In your Cortex workspace, navigate to [**Settings > OpenID Connector**](https://app.getcortexapp.com/admin/settings/oidc).
2. Configure the form:
   * **Type**: Select `Okta`.
   * **Identifier:** Enter the client ID from Step 1.
   * **Secret:** Enter the client secret from Step 1.
   * **Issuer:** Enter your Okta account domain, e.g., `https://{okta-domain}.okta.com`.
3. At the bottom of the page, click **Save**.

After saving your configuration, users will only have the option to sign in to your Cortex workspace via your Okta account.
{% endtab %}
{% endtabs %}
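
One way to sanity-check the **Issuer** value before entering it in either tab's form, added here as an example (not Cortex or Okta code): it applies the OIDC Discovery rule that the `issuer` published in the metadata document must match the configured value exactly. The `example.okta.com` domain and metadata are constructed, and requiring the endpoints to sit on the issuer's own host is an assumption of this example.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """URL where an OIDC client looks up the metadata for this issuer."""
    return issuer.rstrip("/") + WELL_KNOWN


def check_issuer(configured: str, metadata: dict) -> list[str]:
    """Return a list of problems; an empty list means the issuer is consistent."""
    problems = []
    cfg = urlsplit(configured)
    if cfg.scheme != "https" or not cfg.hostname:
        problems.append("issuer must be an absolute https URL")
    if cfg.query or cfg.fragment:
        problems.append("issuer must not carry a query string or fragment")
    # OIDC Discovery: the published issuer must be identical to the configured
    # one (exact string match, so a trailing slash or extra path is a mismatch).
    published = metadata.get("issuer")
    if published != configured:
        problems.append(f"issuer mismatch: metadata publishes {published!r}")
    # Assumption of this example: endpoints are https on the issuer's own host.
    for key in ENDPOINT_KEYS:
        ep = urlsplit(metadata.get(key, ""))
        if ep.scheme != "https" or ep.hostname != cfg.hostname:
            problems.append(f"{key} is not an https URL on {cfg.hostname}")
    # The Authorization Code grant shows up as the "code" response type.
    if "code" not in metadata.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems


# Constructed metadata, shaped like an Okta org authorization server document.
SAMPLE = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token"],
}

if __name__ == "__main__":
    for candidate in ("https://example.okta.com", "https://example.okta.com/",
                      "http://example.okta.com"):
        print(candidate, "->", check_issuer(candidate, SAMPLE) or "OK")
```

To check a real tenant, fetch the document at `discovery_url(issuer)` and pass the parsed JSON as `metadata`.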
