SSO Provider Setup — Okta
This guide explains how to configure Okta as an OpenID Connect (OIDC) identity provider for EA GraphLink.
Prerequisites
- An Okta account (Developer Edition or Trial: https://developer.okta.com/signup/)
- Admin access to the Okta admin console
- EA GraphLink running and accessible (e.g., http://localhost:8090)
Step 1: Create an OIDC Application
- Sign in to the Okta admin console (https://{your-domain}-admin.okta.com).
- Navigate to Applications → Applications.
- Click Create App Integration.
- Select:
- Sign-in method: OIDC – OpenID Connect
- Application type: Web Application
- Click Next.
- Configure the application:
| Field | Value |
|---|---|
| App integration name | GraphLink (or any name you prefer) |
| Grant type | Authorization Code (checked by default) |
| Sign-in redirect URIs | Add both URIs from GraphLink’s SSO Configuration page (see below) |
| Sign-out redirect URIs | (Optional) |
| Controlled access | Allow everyone in your organization to access (for quick testing) |
Redirect URIs to Register
You must add both of the following URIs (replace http://localhost:8090 with your actual GraphLink URL):
http://yourserver:8090/signin-oidc
http://localhost:8090/signin-oidc
Important: These URIs are displayed on GraphLink’s SSO Configuration page under Connection Details. Copy them from there to avoid typos.
- Click Save.
Step 2: Note the Client Credentials
After saving, you’ll be on the application’s General tab.
| Value | Where to Find |
|---|---|
| Client ID | Shown directly on the General tab |
| Client Secret | Click the eye icon to reveal |
Keep these values ready for GraphLink configuration.
Step 3: Determine the Metadata URL
Okta has two types of authorization servers. The one you use determines your Metadata URL:
Option A: Custom Authorization Server (Recommended)
This is the recommended option because it supports custom claims (e.g., groups).
- Go to Security → API → Authorization Servers.
- Click on the default authorization server.
- On the Settings tab, note the Issuer URI (e.g., https://dev-12345678.okta.com/oauth2/default).
- Your Metadata URL is:
https://dev-12345678.okta.com/oauth2/default/.well-known/openid-configuration
Option B: Org-Level Authorization Server
This server uses the base domain without the /oauth2/default path. It does not support custom claims, so the groups claim won’t work.
https://dev-12345678.okta.com/.well-known/openid-configuration
Important: If you plan to use Group-Based Restriction, you must use the Custom Authorization Server (Option A). The org-level server does not support custom claims.
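The following script is an added example (not part of this guide or of GraphLink) that derives the Metadata URL from an Issuer URI, tells the custom and org-level authorization servers apart by their path, and sanity-checks a discovery document before it is pasted into GraphLink. The discovery document below is a constructed, trimmed sample; a real one carries many more fields, and the dev-12345678 domain is the placeholder used throughout this guide.

```python
"""Derive and sanity-check an Okta OIDC metadata URL (added example, not GraphLink code)."""
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"


def metadata_url(issuer: str) -> str:
    """Build the discovery URL from the Issuer URI shown on the authorization server's Settings tab."""
    return issuer.rstrip("/") + WELL_KNOWN


def is_custom_authorization_server(issuer: str) -> bool:
    """Custom authorization servers live under /oauth2/<name>; the org-level server is the bare domain.
    Only a custom server can emit custom claims such as groups."""
    path = urlparse(issuer).path.rstrip("/")
    return path.startswith("/oauth2/") and len(path) > len("/oauth2/")


def check_discovery(doc: dict, expected_issuer: str, need_groups: bool) -> list:
    """Return human-readable problems found in a discovery document; an empty list means it looks right."""
    problems = []
    if (doc.get("issuer") or "").rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: metadata says {doc.get('issuer')!r}, configured {expected_issuer!r}")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("authorization_code grant not advertised")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("openid scope not advertised")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key):
            problems.append(f"missing {key}")
    if need_groups and not is_custom_authorization_server(expected_issuer):
        problems.append("group-based restriction needs a custom authorization server "
                        "(/oauth2/default), not the org-level server")
    return problems


# Constructed sample, trimmed to the fields checked above (not a real Okta response).
SAMPLE_CUSTOM_DISCOVERY = json.loads("""{
  "issuer": "https://dev-12345678.okta.com/oauth2/default",
  "authorization_endpoint": "https://dev-12345678.okta.com/oauth2/default/v1/authorize",
  "token_endpoint": "https://dev-12345678.okta.com/oauth2/default/v1/token",
  "jwks_uri": "https://dev-12345678.okta.com/oauth2/default/v1/keys",
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "scopes_supported": ["openid", "profile", "email"]
}""")

if __name__ == "__main__":
    for issuer in ("https://dev-12345678.okta.com/oauth2/default", "https://dev-12345678.okta.com"):
        kind = "custom" if is_custom_authorization_server(issuer) else "org-level"
        print(f"{kind}: {metadata_url(issuer)}")
        for problem in check_discovery(SAMPLE_CUSTOM_DISCOVERY, issuer, need_groups=True):
            print("  -", problem)
```

Run against the org-level issuer, the checker reports both that the document's issuer does not match and that group-based restriction needs the custom server, which is exactly the pair of mistakes the troubleshooting table at the end of this guide lists.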
Step 4: Add Access Policy (Custom Authorization Server Only)
If using the default custom authorization server, you need an Access Policy that permits your application:
- Go to Security → API → Authorization Servers → default → Access Policies tab.
- If no policy exists, click Add New Access Policy:
- Name: GraphLink Policy
- Description: GraphLink access
- Assigned to clients: All clients
- Click Create Policy.
- Click Add Rule under the policy:
| Field | Value |
|---|---|
| Rule Name | Allow GraphLink |
| Grant type | Authorization Code (checked) |
| User is | Any user assigned the app |
| Scopes requested | Any scopes |
- Click Create Rule.
Why this is needed: Without an Access Policy rule, Okta returns a 400 Bad Request error: “Policy evaluation failed for this request, please check the policy configurations.” This was encountered during testing and is required for the custom authorization server to issue tokens.
Step 5: Configure Groups Claim (Optional — For Group-Based Restriction)
By default, Okta does not include group memberships in the ID token. If you want to use GraphLink’s Group-Based Restriction feature, you must add a custom claim.
- Go to Security → API → Authorization Servers → default → Claims tab.
- Click Add Claim.
- Configure:
| Field | Value |
|---|---|
| Name | groups |
| Include in token type | ID Token → Always |
| Value type | Groups |
| Filter | Matches regex → .* |
| Include in | Any scope |
- Click Create.
Common Mistake: Do not use “Starts with” as the filter type with .* as the value. “Starts with” does a literal prefix match, not regex. A claim configured with “Starts with .*” will match no groups because no group name literally starts with the characters .*. Always select “Matches regex” when using .*.
Verify Using Token Preview
After adding the claim, verify it works:
- Go to Security → API → Authorization Servers → default → Token Preview tab.
- Fill in:
- Grant type: Authorization Code
- User: Select your test user
- Client: Select GraphLink
- Scopes: openid profile email
- Click Preview Token.
- Select ID Token from the dropdown.
- Look for “groups” in the token payload. It should contain an array of group names.
If groups is missing, double-check:
- The claim’s “Include in token type” is set to ID Token (not Access Token).
- The filter is “Matches regex” (not “Starts with”).
- The test user is actually a member of at least one Okta group.
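To make the “Starts with” versus “Matches regex” mistake above concrete, and to turn the three-point checklist into something repeatable, here is an added example that is not Okta or GraphLink code. It emulates the filter types from the page's description (the regex emulation uses Python's re.fullmatch, which is an assumption about Okta's exact semantics) and runs a claim configuration and a test user's group list through the checklist. The group names are constructed samples.

```python
"""Emulate Okta groups-claim filters and check a claim configuration against the verification checklist.
Added example, not Okta or GraphLink code."""
import re

FILTER_TYPES = ("starts_with", "equals", "contains", "matches_regex")


def filter_groups(groups: list, filter_type: str, value: str) -> list:
    """Return the group names the claim would contain for the given filter.

    "starts_with" is a literal prefix comparison: the characters ".*" are not a wildcard here.
    "matches_regex" interprets the value as a regular expression (fullmatch is an assumption).
    """
    if filter_type == "starts_with":
        return [g for g in groups if g.startswith(value)]
    if filter_type == "equals":
        return [g for g in groups if g == value]
    if filter_type == "contains":
        return [g for g in groups if value in g]
    if filter_type == "matches_regex":
        pattern = re.compile(value)
        return [g for g in groups if pattern.fullmatch(g)]
    raise ValueError(f"unknown filter type {filter_type!r}")


def diagnose_groups_claim(claim_cfg: dict, user_groups: list) -> list:
    """Apply the 'If groups is missing, double-check' list to a claim config and a test user's groups."""
    problems = []
    if claim_cfg.get("include_in_token_type") != "ID Token":
        problems.append('claim is not included in the ID Token ("Include in token type" must be ID Token, not Access Token)')
    ftype, fvalue = claim_cfg.get("filter_type"), claim_cfg.get("filter_value", "")
    if ftype == "starts_with" and fvalue == ".*":
        problems.append('filter "Starts with .*" is a literal prefix match and never matches; select "Matches regex"')
    if not user_groups:
        problems.append("test user is not a member of any Okta group")
    elif ftype in FILTER_TYPES and not filter_groups(user_groups, ftype, fvalue):
        problems.append("filter matches none of the test user's groups")
    return problems


# Constructed sample of a test user's Okta group memberships.
SAMPLE_GROUPS = ["Everyone", "graphlink-admins", "graphlink-query", "Finance"]

if __name__ == "__main__":
    print("Starts with .*   ->", filter_groups(SAMPLE_GROUPS, "starts_with", ".*"))      # nothing
    print("Matches regex .* ->", filter_groups(SAMPLE_GROUPS, "matches_regex", ".*"))   # every group
    bad = {"include_in_token_type": "Access Token", "filter_type": "starts_with", "filter_value": ".*"}
    for problem in diagnose_groups_claim(bad, SAMPLE_GROUPS):
        print("-", problem)
```

A narrower regex such as graphlink-.* is usually preferable to .* in production, since it keeps unrelated group names (Everyone, Finance) out of the token; the Matches regex filter supports that directly.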
Step 6: Assign Users to the Application
If you selected “Limit access to selected groups” during app creation, or if you want to explicitly assign users:
- Go to Applications → GraphLink → Assignments tab.
- Click Assign → Assign to People (or Assign to Groups).
- Select the users or groups.
- Click Assign → Done.
Note: If the Assignments tab shows “This app is implicitly assigned to users” with Federation Broker Mode, all authenticated users in your org can access the app. No manual assignment needed.
Step 7: Configure GraphLink
- Log in to EA GraphLink as Admin.
- Go to SSO Configuration.
- Enable SSO.
- Fill in:
| GraphLink Field | Okta Value |
|---|---|
| Metadata URL | https://{your-domain}.okta.com/oauth2/default/.well-known/openid-configuration |
| Client ID | From Step 2 |
| Client Secret | From Step 2 |
| Scopes | openid, profile, email (add groups if using group restriction) |
| Unique ID Attribute | sub |
| Username Attribute | preferred_username (Okta uses login name, often an email address) |
If Using Group-Based Restriction:
- Enable Group-Based Restriction.
- Set Groups Attribute Name to groups.
- Add your Okta group names to the appropriate role rows (Admin / Query Executor).
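The example below is added here and is not GraphLink's own code: it checks a claim set of the kind shown in GraphLink's claims table for the attributes configured above (sub, preferred_username and, with group restriction on, groups) and maps Okta group names onto the Admin and Query Executor role rows. The shape of the role mapping and the claim values are assumptions and constructed samples.

```python
"""Check an ID token's claim set against the GraphLink attribute settings and map groups to roles.
Added example, not GraphLink code; the role-mapping structure is an assumption."""

# Defaults follow the GraphLink field values in Step 7.
UNIQUE_ID_ATTRIBUTE = "sub"
USERNAME_ATTRIBUTE = "preferred_username"


def check_claims(claims: dict, groups_attribute: str = "groups", group_restriction: bool = False) -> list:
    """Return problems with the claim set; an empty list means the claims table looks right."""
    problems = []
    for name in (UNIQUE_ID_ATTRIBUTE, USERNAME_ATTRIBUTE):
        if not claims.get(name):
            problems.append(f"missing claim {name!r}")
    if group_restriction:
        groups = claims.get(groups_attribute)
        if groups is None:
            problems.append(f"missing claim {groups_attribute!r}: add the groups claim on the custom "
                            "authorization server (Step 5) and add groups to the Scopes")
        elif not isinstance(groups, list):
            problems.append(f"claim {groups_attribute!r} should be an array of group names, "
                            f"got {type(groups).__name__}")
    return problems


def roles_for(claims: dict, role_groups: dict, groups_attribute: str = "groups") -> set:
    """Map the user's Okta groups onto GraphLink roles.

    role_groups is the assumed shape of the role rows, e.g.
    {"Admin": ["graphlink-admins"], "Query Executor": ["graphlink-query"]}.
    A user with no matching group gets no role: a missing or empty groups claim
    denies access rather than silently granting it.
    """
    user_groups = set(claims.get(groups_attribute) or [])
    return {role for role, names in role_groups.items() if user_groups & set(names)}


# Constructed sample claims, as they would appear in the Test Connection claims table.
SAMPLE_CLAIMS = {
    "sub": "00uexampleuserid",          # constructed placeholder, not a real Okta user id
    "preferred_username": "alice@example.com",
    "email": "alice@example.com",
    "groups": ["Everyone", "graphlink-admins"],
}
ROLE_GROUPS = {"Admin": ["graphlink-admins"], "Query Executor": ["graphlink-query"]}

if __name__ == "__main__":
    print("problems:", check_claims(SAMPLE_CLAIMS, group_restriction=True))
    print("roles:", roles_for(SAMPLE_CLAIMS, ROLE_GROUPS))
```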
Step 8: Test and Save
- Click Test Connection.
- Authenticate in the Okta popup.
- Verify the result shows “Connection Successful” (green) or “Connection Successful — Warning” (yellow).
- Check the claims table to confirm sub, preferred_username, and groups (if configured) are present.
- Click Save.
Okta-Specific Notes
Username Claim
Okta emits preferred_username when the profile scope is granted. It contains the user’s login name (typically their email address). No special configuration is needed.
Redirect URI Validation
Okta strictly validates redirect URIs. Ensure the URI is registered exactly as displayed on GraphLink’s SSO Configuration page, including the protocol (http vs https) and the port number.
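Because the comparison is exact, an invalid_redirect_uri error rarely says which part is wrong. This added helper (not Okta or GraphLink code) reproduces the exact-match rule and, on a mismatch, reports which URI component differs from the closest registered entry. The registered list is the pair of constructed URIs from Step 1.

```python
"""Explain a redirect URI rejection by comparing it component-wise with the registered URIs.
Added example, not Okta or GraphLink code."""
from urllib.parse import urlsplit


def redirect_uri_mismatch(candidate: str, registered: list) -> dict:
    """Return {} when candidate exactly equals a registered URI (Okta's rule), otherwise a dict of
    {component: (candidate_value, registered_value)} against the registered URI on the same host,
    falling back to the first registered URI."""
    if candidate in registered:
        return {}
    if not registered:
        return {"registered": (candidate, None)}
    cand = urlsplit(candidate)
    best = next((r for r in registered if urlsplit(r).hostname == cand.hostname), registered[0])
    reg = urlsplit(best)
    diff = {}
    # An implicit port (None) versus an explicit :8090, or an added trailing slash, is enough to fail.
    for part in ("scheme", "hostname", "port", "path", "query"):
        a, b = getattr(cand, part), getattr(reg, part)
        if a != b:
            diff[part] = (a, b)
    return diff


# Constructed registered URIs matching the Step 1 placeholders.
REGISTERED = ["http://localhost:8090/signin-oidc", "http://yourserver:8090/signin-oidc"]

if __name__ == "__main__":
    for attempt in ("http://localhost:8090/signin-oidc",
                    "https://localhost:8090/signin-oidc",
                    "http://localhost/signin-oidc",
                    "http://localhost:8090/signin-oidc/"):
        print(attempt, "->", redirect_uri_mismatch(attempt, REGISTERED) or "registered")
```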
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
| 400 Bad Request — Policy evaluation failed | No Access Policy rule on the authorization server | Add an Access Policy with a rule (Step 4) |
| invalid_redirect_uri | Redirect URI not registered in Okta | Add URI to the app’s Sign-in redirect URIs |
| User is not assigned to the client application | User not assigned to the app | Assign the user or their group under the Assignments tab |
| Group claim groups not found in token | Custom claim not added, or added to wrong auth server | Add the groups claim on the default auth server (Step 5) |
| Group claim missing despite adding it | Filter uses “Starts with” instead of “Matches regex” | Edit the claim, change filter to “Matches regex” → .* |
| Group claim missing despite correct config | Using org-level auth server instead of custom | Switch metadata URL to use /oauth2/default/ path |