Okta OIDC
Overview
Okta SSO integration with Akto enables centralized authentication using your existing identity provider. Akto uses OpenID Connect (OIDC) to authenticate users and enforce access control using identity and group attributes.
This integration allows your enterprise teams to manage authentication and authorization through Okta while Akto enforces role-based access during login.
Configure Okta Account for Akto SSO
You can configure Okta SSO and role mapping in a single flow that connects Okta identity, group claims, and Akto role enforcement.
Create Okta Application for Akto
Go to your Okta Admin Console and navigate to Applications. Select Create App Integration.
In Sign-in Method, choose OIDC - OpenID Connect. In Application type, choose Web Application.
In App integration name, enter Akto.
In Sign-in redirect URIs, add:
https://app.akto.io/authorization-code/callback
In Initiate login URI, add the following URL if you use login initiated by Okta:
https://app.akto.io/okta-initiate-login?accountId=<your-akto-accountId>
In Assignments, select required users or groups. Save the application.
Copy CLIENT_ID and CLIENT_SECRET from the application.
Configure Authorisation Server for Group Claims
Configure your Okta authorisation server to include a groups claim in the access token.
You can use existing Okta groups if your organisation already defines access control groups. You may create new groups only when separate access control is required for Akto.
For guidance on creating groups in Okta, refer here.
Group claims allow Akto to assign roles based on Okta group membership.
Generate Okta API Token
Navigate to:
Security → API → Tokens
Create a new token
Provide a name for the token
Configure IP restrictions:
Any IP
Note
Entering a valid Okta API token enables automatic group name suggestions in the mapping interface. Akto retrieves available groups from Okta, which helps reduce manual errors while defining mappings.
Copy the generated API token.
Setup Okta SSO in Akto Dashboard
Use the following configuration screen in Akto:
Navigate to Integrations → Okta SSO in the Akto dashboard.
The same Okta OIDC steps are shown here too. Click Next.
Enter the following fields:
Client ID: Okta application client ID
Client Secret: Okta application client secret
Authorisation Server ID: Okta authorisation server identifier
Domain Name: Okta domain (for example: your-org.okta.com)
API Token: Okta API token

Submit the configuration to enable SSO.
Configure Group-to-Role Mapping in Akto
After SSO configuration, define how Okta groups map to Akto roles.
Navigate to the Group mapping & API access section and select Edit.

In Okta group name, enter the exact group name from Okta.
The group name must match the value present in the access token or retrieved through the Okta API.
In Akto role, select the corresponding role such as Admin, Security Engineer, Developer, or Guest.

Select Add to create the mapping.
Here, each Okta group maps to one Akto role, and each role can be assigned once.
Repeat the process for additional groups as required.
Add the Management API token in the same section if group claims are not included in the access token.
Save the configuration.
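A pre-rollout check for the mapping described above, as an added example that is not Akto's or Okta's own code: it decodes a sample access token, reads the groups claim, and reports which configured group names match exactly, which differ only by case or whitespace, and whether the claim is missing, so that group resolution would depend on the API token. The group names, the sample token, the claim name `groups`, and the treatment of "exact" as case-sensitive string equality are assumptions made for the illustration.

```python
import base64
import json

# Constructed mapping for illustration: Okta group name -> Akto role.
MAPPING = {"akto-admins": "Admin", "akto-secops": "Security Engineer",
           "akto-dev": "Developer"}

def b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build a constructed JWT with a placeholder signature so this runs offline."""
    return ".".join([b64url({"alg": "RS256", "typ": "JWT"}), b64url(claims),
                     "constructed-signature"])

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def duplicate_roles(mapping):
    """Return roles mapped from more than one group (each role is assigned once)."""
    roles = list(mapping.values())
    return sorted({r for r in roles if roles.count(r) > 1})

def audit_token(token, mapping, claim="groups"):
    """Compare the token's group claim with the configured group names."""
    groups = jwt_claims(token).get(claim)
    result = {"claim_present": groups is not None,
              "matched": {}, "near_miss": [], "unmapped": []}
    if groups is None:
        return result  # group resolution would have to fall back to the API token
    if isinstance(groups, str):
        groups = [groups]
    normalized = {name.strip().casefold(): name for name in mapping}
    for group in groups:
        key = group.strip().casefold()
        if group in mapping:
            result["matched"][group] = mapping[group]
        elif key in normalized:
            # Same name apart from case or whitespace: not an exact match.
            result["near_miss"].append((group, normalized[key]))
        else:
            result["unmapped"].append(group)
    return result

if __name__ == "__main__":
    token = make_sample_token({"sub": "user@example.com",
                               "groups": ["akto-admins", "Akto-Dev", "Everyone"]})
    print(json.dumps(audit_token(token, MAPPING), indent=2))
```

Entries under `near_miss` are the ones to correct in the Okta group name field before saving the mapping.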

Role Override on Okta SSO Login
When you sign in using Okta SSO, your role in Akto is based on your current Okta group. If your group (and role) has changed in Okta, your role in Akto will automatically update and override your previous role the next time you log in.
Role Assignment During Login
Akto evaluates group membership during user login and assigns roles based on configured mappings.
Okta groups determine access levels
Akto roles enforce permissions inside the platform
API token enables fallback group resolution when required
This setup allows your teams to manage identity and access in Okta while Akto enforces consistent authorisation.