> For the complete documentation index, see [llms.txt](https://docs.openli.com/docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.openli.com/docs/general-openli-guides/setting-up-sso-single-sign-on/sso-with-okta.md).

# SSO with Okta

## General information

Openli supports what Okta calls "Service Provider (SP)-Initiated Authentication (SSO) Flow". This means that **you must log in via** [**Openli's webapp**](https://app.openli.com/), *not* via the "Openli" app in your Okta account. If you try to log in via the "Openli" app in Okta, you will receive the following error:

```
403 User performed OIDC single sign-on to app - failure: missing_initiate_login_uri
```

**Management of users** on your Openli account **must be done from within your Openli account**. Openli does not support automatic user provisioning.

## Configuration steps

### In your Openli account, part 1

[In the Openli *Settings* page](https://app.openli.com/settings), navigate to the *Single Sign-on* section and enable the option "*Use Okta for single sign-on*":

<figure><img src="/files/WHwaZ1LHAugzJwNHIdLS" alt=""><figcaption><p>Okta single sign-on settings in Openli</p></figcaption></figure>

### In your Okta account, part 1

Install the Openli application in your Okta instance.

On the Okta admin page, click on the Openli application and then navigate to the *Sign On* tab. Next, you will need to copy the values you see here for *Client ID* and *Client secret* to your Openli account.

### In your Openli account, part 2

Paste the values of *Client ID* and *Client secret* from your Okta account to the corresponding fields in your single sign-on settings in your Openli account.

### In your Okta account, part 2

On the Okta admin page, navigate to the link titled *OpenID Provider Metadata*. Click this link. In the JSON document shown, look for **a key titled `issuer`** and copy the URL-value (without quotes) to the *Okta client issuer* field in your Openli Single sign-on settings.

### Final steps

Contact <success@openli.com> and tell us which domain you want to register as your SSO domain. When we have confirmed that this is set up, your SSO domain will show under *Single sign-on* in your Openli settings.

All general considerations from [Setting up SSO (Single Sign-On)](/docs/general-openli-guides/setting-up-sso-single-sign-on.md)will now apply. Most importantly, make sure that the emails of employees/users you invite into your Openli account exactly match their Okta accounts. Your users can now sign in to their Openli accounts using Okta.

## Notes

To log in to the Openli platform using Okta, simply click the *Okta* button and authenticate with your Okta account:

<figure><img src="/files/OBJ498luV7YQHiDmTr3W" alt=""><figcaption><p>Log in with Okta using the "Okta" button instead of a username and password.</p></figcaption></figure>
