# SSO with Okta

## General information

Openli supports what Okta calls "Service Provider (SP)-Initiated Authentication (SSO) Flow". This means that **you must log in via** [**Openli's webapp**](https://app.openli.com/), *not* via the "Openli" app in your Okta account. If you try to log in via the "Openli" app in Okta, you will receive the following error:

```
403 User performed OIDC single sign-on to app - failure: missing_initiate_login_uri
```

**Management of users** on your Openli account **must be done from within your Openli account**. Openli does not support automatic user provisioning.

## Configuration steps

### In your Openli account, part 1

[In the Openli *Settings* page](https://app.openli.com/settings), navigate to the *Single Sign-on* section and enable the option "*Use Okta for single sign-on*":

<figure><img src="/files/WHwaZ1LHAugzJwNHIdLS" alt=""><figcaption><p>Okta single sign-on settings in Openli</p></figcaption></figure>

### In your Okta account, part 1

Install the Openli application in your Okta instance.

On the Okta admin page, click on the Openli application and then navigate to the *Sign On* tab. Next, you will need to copy the values you see here for *Client ID* and *Client secret* to your Openli account.

### In your Openli account, part 2

Paste the values of *Client ID* and *Client secret* from your Okta account to the corresponding fields in your single sign-on settings in your Openli account.

### In your Okta account, part 2

On the Okta admin page, navigate to the link titled *OpenID Provider Metadata*. Click this link. In the JSON document shown, look for **a key titled `issuer`** and copy the URL-value (without quotes) to the *Okta client issuer* field in your Openli Single sign-on settings.

### Final steps

Contact <success@openli.com> and tell us which domain you want to register as your SSO domain. When we have confirmed that this is set up, your SSO domain will show under *Single sign-on* in your Openli settings.

All general considerations from [Setting up SSO (Single Sign-On)](/docs/general-openli-guides/setting-up-sso-single-sign-on.md)will now apply. Most importantly, make sure that the emails of employees/users you invite into your Openli account exactly match their Okta accounts. Your users can now sign in to their Openli accounts using Okta.

## Notes

To log in to the Openli platform using Okta, simply click the *Okta* button and authenticate with your Okta account:

<figure><img src="/files/OBJ498luV7YQHiDmTr3W" alt=""><figcaption><p>Log in with Okta using the "Okta" button instead of a username and password.</p></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.openli.com/docs/general-openli-guides/setting-up-sso-single-sign-on/sso-with-okta.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.