# Okta SSO

Cortex supports configuring Single Sign-On (SSO) with Okta to protect access to your Cortex workspace. Additionally, you can configure [Okta SCIM with Cortex](/configure/settings/managing-users/provisioning-users-with-scim/okta-scim.md).

Cortex also supports an integration to track Okta teams and team members as entity owners as well as create Scorecards involving your Okta teams. See the [Okta integration page](/ingesting-data-into-cortex/integrations/okta.md) for more information.

## Configuring Okta SSO for Cortex

Users with the `Configure OpenID Connector & SCIM` permission can configure Okta SSO in Cortex.

There are two options to configure Okta SSO:

* Installing the [Cortex app in the Okta Integration Network (OIN)](https://www.okta.com/integrations/cortex/)
  * This option provides a simplified setup for most standard use cases. It's compatible with [Okta SCIM](/configure/settings/managing-users/provisioning-users-with-scim/okta-scim.md) provisioning features.
* Creating your own app
  * This option is best if you need more flexibility in configuring redirect behavior, want to configure automatic sign-on, or if you require multiple or advanced configurations.

### Configuring Okta SSO via the Cortex OIN app

#### Step 1: Installing the Cortex OIN app

Cortex's OIN app configures the initial steps for Okta SSO.

1. Install the Cortex app from the [Okta OIN](https://www.okta.com/integrations/cortex/).

{% hint style="info" %}
You can also access the Cortex app from your Okta instance by navigating to **Applications** and selecting Cortex from the *App Integration Catalog*.
{% endhint %}

#### Step 2: Copying the client ID and client secret

1. In Okta, navigate to the **Applications** page and select the Cortex app from your list of applications.
2. Click the **Sign On** tab.
3. Copy the values of the client ID and client secret. Store them in a secure location, as you will need these in the next steps.

   {% hint style="info" %}
   Be sure to copy the client ID and the client secret and save them for later. Do not skip this step: you can only view these values once!
   {% endhint %}

#### Step 3: Obtaining the issuer URI

In Okta, each authorization server has a unique issuer URI. See [Okta's instructions](https://developer.okta.com/docs/concepts/auth-servers/) for information on finding your Okta issuer URI. It should look like `https://{okta-domain}.okta.com`.
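
To confirm an issuer URI before entering it in Cortex, the added example below (not part of the Cortex or Okta documentation) checks the string's form and compares it with the `issuer` value advertised in the OpenID Connect discovery document. The function names and the `example.okta.com` sample document are constructed for illustration.

```python
import json
import sys
import urllib.request
from urllib.parse import urlsplit

def issuer_problems(issuer):
    """Return reasons the string is not usable as an OIDC issuer URI."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.hostname:
        problems.append("missing host")
    if "{" in issuer or "}" in issuer:
        problems.append("placeholder not replaced")
    if parts.query or parts.fragment:
        problems.append("query or fragment not allowed")
    if issuer.endswith("/"):
        problems.append("trailing slash")
    return problems

def discovery_url(issuer):
    # OIDC Discovery: metadata lives under the issuer at this well-known path.
    return issuer + "/.well-known/openid-configuration"

def check_discovery(issuer, document):
    """Compare a discovery document with the issuer you plan to enter."""
    problems = issuer_problems(issuer)
    advertised = document.get("issuer")
    # The advertised issuer must be identical to the one used to build the URL.
    if advertised != issuer:
        problems.append(f"issuer mismatch: server advertises {advertised!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(document.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    return problems

# Constructed sample of an org-level discovery document (not real output).
SAMPLE_DOC = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
}

if __name__ == "__main__" and len(sys.argv) == 2:
    found = issuer_problems(sys.argv[1])
    if not found:  # only fetch from a well-formed https issuer
        with urllib.request.urlopen(discovery_url(sys.argv[1]), timeout=10) as resp:
            found = check_discovery(sys.argv[1], json.load(resp))
    print("\n".join(found) or "issuer OK")
```

Run it with your issuer URI as the only argument to check the live discovery document; an `issuer mismatch` result usually means the URI points at a different authorization server than the one your app uses.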

#### Step 4: Configuring SSO in Cortex

1. Log in to Cortex.
2. From the main sidebar, click your avatar in the bottom-left corner.
3. Click **Settings**.
4. From the **Settings** menu, scroll to the **Security and access** section, then select **OpenID connector**. The **OpenID connector** page is displayed.
5. Enter the following values:
   * From the **Type** drop-down menu, select **Okta**.
   * In the **Identifier** field, enter your client ID.
   * In the **Secret** field, enter your client secret.
   * In the **Issuer** field, enter the issuer URI.
6. Click **Save**.

Once saved, users will only be able to sign in to Cortex using their Okta account.

### Configuring Okta SSO via your own app

#### Step 1: Creating an Okta app integration

1. Log in to the Okta admin console.
2. Navigate to **Applications**, then select **Create App Integration**.
3. In the modal under the sign-in methods, select **OIDC - OpenID Connect**. Under **Application type**, select **Web Application**.
4. On the next page, enter a name, logo, and grant type for the app.
   * To bypass the login screen and enable automatic sign-on, see [Auto sign-on](#auto-sign-on) below.
5. Click **Save**.
   * You will be redirected to the app's overview page.
6. From the app's overview, click the **General** tab. Copy the values of the client ID and client secret. Store these in a secure location, as you will need them in the next steps.

**Auto sign-on**

You can bypass the login screen and enable automatic sign-on with the following configuration for your Okta app:

* **Grant type:** Authorization Code
* **Initiate login URI:** `https://cortexapp.auth0.com/login/callback`
* **Sign-in redirect URI:** `https://app.getcortexapp.com/login?tenantCode=TENANT_CODE`

#### Step 2: Configuring SSO in Cortex

1. Log in to Cortex.
2. From the main sidebar, click your avatar in the bottom-left corner.
3. Click **Settings**.
4. From the **Settings** menu, scroll to the **Security and access** section, then select **OpenID connector**. The **OpenID connector** page is displayed.
5. Enter the following values:
   * From the **Type** drop-down menu, select **Okta**.
   * In the **Identifier** field, enter your client ID.
   * In the **Secret** field, enter your client secret.
   * In the **Issuer** field, enter your Okta account domain, e.g. `https://{okta-domain}.okta.com`.
6. Click **Save**.

Once saved, users will only be able to sign in to Cortex using their Okta account.

## Troubleshooting and FAQ

See frequently asked questions below.

**I see authentication failures and/or can't connect to Okta**

Follow these steps:

1. Check your network connectivity from Cortex to Okta endpoints.
2. Verify no firewall rules or network changes are blocking outbound traffic.
3. Confirm required Okta domains/endpoints are reachable.

**I see TLS handshake failures in the logs / The TLS handshake could not complete, blocking the authentication flow**

Follow these steps:

1. Validate that outbound HTTPS (port 443) is allowed.
2. Check for SSL/TLS inspection or proxy interference.
3. Confirm certificates are not blocked or altered.

