# Okta and OpenID Connect

## Requirement

Administrator account in Okta.

## Supported Features

Immuta's OpenID Connect integration supports the following features

* Service Provider (SP)-Initiated Authentication (SSO) Flow
* Identity Provider (IDP)-Initiated Authentication (SSO) Flow

## Configuration Steps

### 1 - Add the Immuta Application in Okta

1. Log in to Okta as an Admin, navigate to the **Applications** tab, and click **Add Application**.

   ![](https://1279220422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0QkDA8tcaDNby4bsGLcg%2Fuploads%2Fgit-blob-a7b747fad2e5be8eb7b5d0d71429fc8d95dbb763%2Fadd-application.png?alt=media)
2. Search for **Immuta** in the search bar and click **Add**.
3. Choose a name for your integration and click **Next**. Then select the **OpenID Connect** button.
4. Scroll down and enter the **Base URL** for your Immuta tenant.
5. Enter the **IAM ID** for your Immuta OIDC integration (if you have not created an IAM ID, you will complete that step in the [next section](#2-add-openid-connect-in-immuta)).
6. Click **Done** and once the page reloads, navigate back to the **Sign On** tab and copy down the **Client ID** and **Client secret**.

   ![](https://1279220422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0QkDA8tcaDNby4bsGLcg%2Fuploads%2Fgit-blob-9e2a0d04ee36fc94b8174dde98563b0c9a9dce81%2Fclient-id-updated.png?alt=media)

### 2 - Add OpenID Connect in Immuta

1. Log in to Immuta and click the **App Settings** icon in the left sidebar.
2. Click the **Add IAM** button and enter a **Display Name**.
3. Select **OpenID** from the Identity Provider Type dropdown menu.
4. If required, navigate back to Okta and enter the **IAM ID** below the **Base URL** then complete the steps from the Okta section.

   ![](https://1279220422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0QkDA8tcaDNby4bsGLcg%2Fuploads%2Fgit-blob-138694c1f9f5d2938525ac5c7db23a30c84d5916%2Fokta-sign-on.png?alt=media)

### 3 - Configure OpenID Connect

1. In the Identity Management section of the Immuta console, enter the **Client ID** and **Client Secret** you copied from Okta in the previous section.
2. Enter the following URL in the **Discover URL** field: `https://<your_okta_workspace.com>/.well-known/openid-configuration`.
3. Opt to add additional **Scopes**.
4. Opt to **Enable SCIM support for OpenID** by clicking the checkbox, which will generate a SCIM API Key.
   * Copy the SCIM URL and API key generated, and then [save your changes](#user-content-fn-1)[^1].
   * Validate the URL and credentials within the identity provider application.
5. In the **Profile Schema** section, map attributes in OpenID to automatically fill in a user's Immuta profile. *Note: Fields that you specify in this schema will not be editable by users within Immuta.*
6. Opt to **Allow Identity Provider Initiated Single Sign On** to use the IDP-Initiated SSO feature by selecting the checkbox.
7. Opt to **Migrate Users** from another IAM by selecting the checkbox.

{% hint style="warning" %}
**Multiple user accounts cannot have the same email address**

If you register user accounts that have the same email address as an existing Immuta user account, the email field for the subsequent user accounts will be left empty. For more details, see the [Identity managers reference guide](https://documentation.immuta.com/2024.2/people/reference-guides/identity-managers#limitations).
{% endhint %}

### 4 - Test Connection and Save Configuration

1. Click the **Test Connection** button.
2. Once the connection is successful, click the **Test User Login** button.
3. Click **Save**.

[^1]: You can either finish configuring your IAM on the app settings page before clicking save, or you can save now and return to the app settings page to edit the IAM configuration after saving.