
To configure Appsmith to use Okta as an OIDC provider, follow the steps below:

Prerequisites

  1. A self-hosted Appsmith instance. See the installation guides for installing Appsmith.

  2. Before setting up Single Sign-On (SSO), ensure that you have already configured a custom domain for your instance.

  3. In Appsmith, go to Admin Settings > Authentication and click Enable on OIDC.

  4. Copy the Redirect URL from the OIDC configuration page to add it when creating the application in Okta.

[Image: OIDC configurations in Appsmith]

Create application on Okta

  1. Log in to your Okta account and click Admin from the top right corner.

  2. Select Create a new app integration and configure as follows:

  • Sign-in method: OIDC - OpenID Connect

  • Application type: Web Application

  3. On the New Web App Integration page, configure the general settings:

a. Add a name for your app in the App integration name field.

b. Select Authorization Code and Refresh Token from the options in the Grant type section.

c. Add the Redirect URL copied from the OIDC configurations in Appsmith in the Sign-in redirect URIs field.

d. Scroll down to the Assignments section and pick an option under Controlled access to configure who can access this application, as required.

e. Click Save.

  4. On your new application, go to the General tab, and copy the Client ID and Client Secret to add them later in the OIDC configurations in Appsmith.
  5. Open your account dropdown from the top-right corner of the navigation bar, and copy your Okta domain, which is shown below your email address.
  6. Open your Okta domain URL in your browser and add /.well-known/openid-configuration to the end, like:
https://your-okta-domain.okta.com/.well-known/openid-configuration

Copy the following URLs from the page:

  • authorization_endpoint

  • token_endpoint

  • userinfo_endpoint

  • jwks_uri

Register Okta in Appsmith

To complete the OIDC configuration, you have to register the identity provider on Appsmith. Go to Admin Settings > Authentication > OIDC, and follow the steps below:

  1. Add the Client ID and Client Secret copied from the Okta application into the respective fields.

  2. Add the URLs copied from the <your-okta-domain>/.well-known/openid-configuration page into OIDC configurations in Appsmith as per the table below:

  OIDC configuration field    Okta URL
  ------------------------    ----------------------
  Authorization URL           authorization_endpoint
  Token URL                   token_endpoint
  User Info URL               userinfo_endpoint
  JWK Set URL                 jwks_uri

  3. In the Scope box, specify the scopes to be used by the application during authentication to authorize access to a user's details. By default, there are three scopes: openid, email, and profile.

Appsmith needs openid and email as mandatory scopes. It’s also highly recommended to use the offline_access scope to avoid errors related to expired access tokens and excessive re-login requests. For more information, see Okta API scopes.

  4. In the Username Attribute box, specify the name of the claim which represents the email of the user. The default value is email.

  5. Once you have added the details, click the SAVE & RESTART button to save the configuration and restart the instance.
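As an added example (not part of the Appsmith documentation or code base), the script below does the two mechanical parts of steps 2 and 3 for you: it maps a discovery document onto the four Appsmith fields from the table above, checks that every endpoint is HTTPS and lives on the issuer's host (a mismatch means a copy-paste error or a document that did not come from your tenant), and checks the Scope box contents against the rules given for step 3. The discovery document embedded in it is a constructed sample built on the placeholder domain used on this page; fetch_discovery() retrieves a real one over the network when you supply your own Okta domain.

```python
"""Map an Okta OIDC discovery document onto Appsmith's OIDC fields and
sanity-check the values before pasting them into Admin Settings.

Added example, not Appsmith's own code. SAMPLE_DISCOVERY is a constructed
document on the placeholder domain your-okta-domain.okta.com; a real one
comes from https://<your-okta-domain>/.well-known/openid-configuration.
"""
import json
import urllib.request
from urllib.parse import urlparse

# Appsmith OIDC field -> key in the discovery document (the table above).
FIELD_MAP = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "User Info URL": "userinfo_endpoint",
    "JWK Set URL": "jwks_uri",
}

MANDATORY_SCOPES = {"openid", "email"}        # Appsmith refuses to work without these
RECOMMENDED_SCOPES = {"offline_access"}       # avoids expired-token re-login loops

# Constructed sample discovery document (placeholder tenant, not real data).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://your-okta-domain.okta.com",
    "authorization_endpoint": "https://your-okta-domain.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://your-okta-domain.okta.com/oauth2/v1/token",
    "userinfo_endpoint": "https://your-okta-domain.okta.com/oauth2/v1/userinfo",
    "jwks_uri": "https://your-okta-domain.okta.com/oauth2/v1/keys",
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
})


def load_sample() -> dict:
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_DISCOVERY)


def fetch_discovery(okta_domain: str, timeout: int = 10) -> dict:
    """Download the real discovery document for an Okta domain (needs network)."""
    url = f"https://{okta_domain}/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def appsmith_fields(discovery: dict) -> dict:
    """Return {Appsmith field name: URL} for the four URLs Appsmith asks for."""
    missing = [key for key in FIELD_MAP.values() if key not in discovery]
    if missing:
        raise KeyError(f"discovery document lacks: {', '.join(missing)}")
    return {field: discovery[key] for field, key in FIELD_MAP.items()}


def check_endpoints(discovery: dict) -> list:
    """Flag endpoints that are not HTTPS or not on the issuer's host."""
    issuer_host = urlparse(discovery["issuer"]).hostname
    problems = []
    for field, url in appsmith_fields(discovery).items():
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{field}: not HTTPS ({url})")
        if parsed.hostname != issuer_host:
            problems.append(f"{field}: host {parsed.hostname} differs from issuer {issuer_host}")
    return problems


def check_scopes(requested, discovery: dict) -> list:
    """Return findings for the Scope box: missing mandatory, missing recommended,
    and scopes the tenant does not advertise in scopes_supported."""
    requested = set(requested)
    findings = []
    for scope in sorted(MANDATORY_SCOPES - requested):
        findings.append(f"error: mandatory scope '{scope}' missing")
    for scope in sorted(RECOMMENDED_SCOPES - requested):
        findings.append(f"warning: '{scope}' not requested; expect re-login when tokens expire")
    supported = set(discovery.get("scopes_supported", []))
    if supported:
        for scope in sorted(requested - supported):
            findings.append(f"warning: '{scope}' is not in scopes_supported")
    return findings


if __name__ == "__main__":
    doc = load_sample()   # or fetch_discovery("your-okta-domain.okta.com")
    for field, url in appsmith_fields(doc).items():
        print(f"{field:18} {url}")
    for line in check_endpoints(doc) + check_scopes(["openid", "email", "profile"], doc):
        print(line)
```

Run it as-is to see the field mapping for the sample, or replace load_sample() with fetch_discovery("<your-okta-domain>") to check your own tenant; anything reported by check_endpoints() should be resolved before you click SAVE & RESTART.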

Info

If you're running Appsmith on a Kubernetes cluster with an HA configuration, after completing the setup, run the following command (with <namespace> replaced by the namespace Appsmith is deployed in) to ensure the new authentication settings are properly applied:

kubectl rollout restart deployment/appsmith -n <namespace>

After the Appsmith instance restarts, try logging in again to your account. You'll see a login screen with the SIGN IN WITH OIDC SSO button.

[Image: Login with OIDC SSO]