Okta SSO

Cortex supports configuring Single Sign-On (SSO) with Okta to protect access to your Cortex workspace. Additionally, you can configure Okta SCIM with Cortex.

Cortex also supports an integration to track Okta teams and team members as entity owners as well as create Scorecards involving your Okta teams. See the Okta integration page for more information.

How to configure Okta SSO for Cortex

There are two options to configure Okta SSO in Cortex:

Installing the Cortex app in the Okta Integration Network (OIN)
- This option provides a simplified setup for most standard use cases. It is compatible with Okta SCIM provisioning features.
Creating your own app
- This option is best if you need more flexibility in configuring redirect behavior, want to configure automatic sign-on, or if you require multiple or advanced configurations.

You must have the Configure OpenID Connector & SCIM permission.

Step 1: Install the Cortex OIN app

Cortex's OIN app configures the initial steps for Okta SSO.

Install the Cortex app from Okta's app list.
- Alternatively, in your Okta instance you can navigate to Applications then select Cortex from the App integration catalog.

Step 2: Copy the client ID and client secret

In Okta, navigate to the Applications page and select the Cortex app from your list of applications.
Click the Sign On tab.
Copy the values of the client ID and client secret. Store them in a secure location, as you will need these in the next steps.

Step 3: Obtain your issuer URI

In Okta, each authorization server has a unique issuer URI. See Okta's instructions for information on finding your Okta issuer URI. It should look like https://{okta-domain}.okta.com.

Step 4: Configure SSO in Cortex

In your Cortex workspace, navigate to Settings > OpenID Connector.
Configure the form:
- Type: Select Okta.
- Identifier: Enter the client ID from Step 2.
- Secret: Enter the client secret from Step 2.
- Issuer: Enter the issuer URI from Step 3.
At the bottom of the page, click Save.

After saving your configuration, users will only have the option to sign in to your Cortex workspace via your Okta account.

Step 1: Create an Okta app integration

From your Okta admin console, navigate to Applications and select Create App Integration.
In the modal under the sign-in methods, select OIDC - Open ID Connect. Under Application type, select Web Appplication.
On the next page, enter a name, logo, and grant type for the app.
- To bypass the login screen and enable automatic sign on, see Auto sign-on below.
Click Save.
- You will be redirected to the app's overview page.
From the app's overview, click the General tab. Copy the values of the client ID and client secret. Store these in a secure location, as you will need them in the next steps.

Self-managed Cortex users should replace existing URI under Sign-in redirect URIs with https://cortex.backend.url/login/oauth2/code/okta. The Sign-out redirect URIs should be https://cortex.backend.url/logout.

Auto sign-on

You can bypass the login screen and enable automatic sign-on with the following configuration for your Okta app:

Grant type: Authorization Code
Initiate login URI: https://cortexapp.auth0.com/login/callback
Sign-in redirect URI: https://app.getcortexapp.com/login?tenantCode=TENANT_CODE

Step 2: Configure SSO in Cortex

In your Cortex workspace, navigate to Settings > OpenID Connector.
Configure the form:
- Type: Select Okta.
- Identifier: Enter the client ID from Step 1.
- Secret: Enter the client secret from Step 1.
- Issuer: Enter your Okta account domain, e.g., https://{okta-domain}.okta.com.
At the bottom of the page, click Save.

After saving your configuration, users will only have the option to sign in to your Cortex workspace via your Okta account.

Last updated 2 days ago

Was this helpful?