
# Okta

> Setting up SSO with Okta

### Steps to set Okta as an OIDC identity provider

<Steps>
  <Step>
    Navigate to the Applications view within your Okta Administrator Dashboard.
  </Step>

  <Step>
    Click on **Create App Integration**.
  </Step>

  <Step>
    In the dialog that appears, select **OIDC - OpenID Connect** as the sign-in method.
  </Step>

  <Step>
    For the application type, select **Web Application** and click on **Next**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/create-new-app-integration-setup.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=17a1c7363fd59e249a642536ab5f5cab" alt="Create new app integration page for selecting sign-in method and application type" title="Create new app integration setup" width="2422" height="1960" data-path="images/studio/sso/create-new-app-integration-setup.png" />
    </Frame>
  </Step>

  <Step>
    Now give the app a name.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/app-integration-name-settings.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=5123ced7cad6089f486ab877a1e84a38" alt="Web app integration settings showing App integration name field set to My Web App" title="App integration name settings" width="2438" height="1028" data-path="images/studio/sso/app-integration-name-settings.png" />

    </Frame>
  </Step>

  <Step>
    For **Grant Type**, keep the defaults.
  </Step>

  <Step>
    Scroll down to the **Assignments** section, select the access option that fits your needs, and then click on **Save**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/assign-controlled-access-to-app.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=dc275cc8fd6052132e33443c09edba1d" alt="Cosmo Docs access assignment dialog with options for group or org-wide access" title="Assign controlled access to app" width="2356" height="652" data-path="images/studio/sso/assign-controlled-access-to-app.png" />

    </Frame>
  </Step>

  <Step>
    Copy the **Client ID** and **Client Secret.**

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/client-credentials-editing-view.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=0e2401a6c86dd4a678cc383f0559c9dd" alt="Client Credentials section editing client ID for OAuth flows" title="Client credentials editing view" width="1704" height="1958" data-path="images/studio/sso/client-credentials-editing-view.png" />
    </Frame>
  </Step>

  <Step>
    Navigate to **Security** -> **API**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/edit-client-credentials-for-web-app.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=6df9a27485201e3c044938846e19d9fd" alt="Client Credentials section editing client ID and authentication settings" title="Edit client credentials for web app" width="2658" height="2052" data-path="images/studio/sso/edit-client-credentials-for-web-app.png" />
    </Frame>
  </Step>

  <Step>
    Select the **default** authorization server.
  </Step>

  <Step>
    Copy the **Metadata URI.**

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/default-authorization-server-metadata.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=a887621c789fae3aad0ba16da75fc278" alt="Default authorization server settings highlighting metadata URI in Cosmo Docs" title="Default authorization server metadata" width="2218" height="1342" data-path="images/studio/sso/default-authorization-server-metadata.png" />
    </Frame>
  </Step>

  <Step>
    Navigate to the settings page on Cosmo.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/organization-settings-with-ai-rbac-scim.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=f5286d46d8fab2bfb950c8666955c3cc" alt="Organization settings showing name, slug, and status of AI, RBAC, and SCIM features" title="Organization settings with AI, RBAC, SCIM" width="2796" height="1902" data-path="images/studio/sso/organization-settings-with-ai-rbac-scim.png" />
    </Frame>
  </Step>

  <Step>
    Give the connection a name, paste the **Metadata URI** copied earlier into the **Discovery Endpoint** field, paste the **Client ID** and **Client Secret** copied earlier into the **Client ID** and **Client Secret** fields respectively, and then click on **Connect**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/oidc-provider-configuration-form.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=f7f576f23d0537ec788782f755d51eea" alt="Connect OpenID Connect Provider form with fields for name, endpoint, and credentials" title="OIDC provider configuration form" width="2786" height="2122" data-path="images/studio/sso/oidc-provider-configuration-form.png" />
    </Frame>
  </Step>

  <Step>
    Configure the mapping between the roles in Cosmo and the user groups in Okta. The field **Group in the provider** can be populated with the name of the group or a regex to match the user groups. Once all the mappers are configured, click on **Save**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/group-to-role-mapping-dialog.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=421ed2a777fbb7c8c2db9f207d14fc11" alt="Group mapper configuration dialog linking provider groups to Cosmo roles" title="Group-to-role mapping dialog" width="2774" height="1972" data-path="images/studio/sso/group-to-role-mapping-dialog.png" />
    </Frame>
  </Step>

  <Step>
    Copy the sign-in and sign-out redirect URIs displayed in the dialog.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/oidc-provider-configuration-steps.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=d4fde4c151a80bfff14874c685500bff" alt="Steps to configure OIDC provider with sign-in and sign-out redirect URLs" title="OIDC provider configuration steps" width="2784" height="1848" data-path="images/studio/sso/oidc-provider-configuration-steps.png" />
    </Frame>
  </Step>

  <Step>
    Navigate back to the application created on Okta and populate the Sign-in and Sign-out redirect URIs with the above-copied values. Click on **Save**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/login-configuration-with-redirect-urls.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=c9e90ee286ae1c60933613e8ca510ec6" alt="Login configuration specifying sign-in and sign-out redirect URIs and login initiator" title="Login configuration with redirect URLs" width="768" height="453" data-path="images/studio/sso/login-configuration-with-redirect-urls.png" />
    </Frame>
  </Step>

  <Step>
    Navigate to **Security** -> **API** and click on the **default** authorization server. Open the **Claims** tab and then click on **Add Claim**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/lp_f9DXOip40YgZM/images/studio/sso/access-policies-with-token-preview.png?fit=max&auto=format&n=lp_f9DXOip40YgZM&q=85&s=ac5ca882e444321d49bfb80b2d5979ab" alt="Access Policies section showing claims list and Token Preview button" title="Access Policies with Token Preview" width="2340" height="1496" data-path="images/studio/sso/access-policies-with-token-preview.png" />
    </Frame>
  </Step>

  <Step>
    Name the claim `ssoGroups` and include it in the **ID Token**. For the value type, select **Groups**; for the filter, select **Matches regex** and populate the field with `.*`. Click on **Create**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/lp_f9DXOip40YgZM/images/studio/sso/add-claim-dialog-for-group-filters.png?fit=max&auto=format&n=lp_f9DXOip40YgZM&q=85&s=cc61db7638b84b12a31467f94ccded6a" alt="Add Claim dialog for ssoGroups with filters, scopes, and create button" title="Add Claim dialog for group filters" width="768" height="586" data-path="images/studio/sso/add-claim-dialog-for-group-filters.png" />
    </Frame>
  </Step>

  <Step>
    Now you can assign users/groups to the application, and those users will be able to log into Cosmo using the URL provided when the provider was set up.
  </Step>
</Steps>

<Info>
  Please make sure that the users added to the application have a username.
</Info>
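
The group mapping and `ssoGroups` claim steps above, as an added example (not code from Cosmo or Okta): it reads the `ssoGroups` claim from an ID token payload and evaluates group mapper patterns against it. The token, group names, role names and both matching modes are constructed assumptions; this page does not state how Cosmo applies the regex, so the example compares whole-name matching with substring matching to show which patterns would grant more than intended.

```python
import base64
import json
import re

CLAIM = "ssoGroups"  # claim name set in the Okta "Add Claim" step

def decode_payload(id_token):
    """Return the JWT payload as a dict. Inspection only: no signature check."""
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))

def roles_for(groups, mappers, anchored=True):
    """Roles granted by (pattern, role) mappers for a user's groups."""
    match = re.fullmatch if anchored else re.search
    return sorted({role for pattern, role in mappers
                   for g in groups if match(pattern, g)})

def overmatching(mappers, groups):
    """Patterns that hit extra groups when matched as a substring search."""
    extra = {}
    for pattern, _ in mappers:
        loose = {g for g in groups if re.search(pattern, g)}
        strict = {g for g in groups if re.fullmatch(pattern, g)}
        if loose - strict:
            extra[pattern] = sorted(loose - strict)
    return extra

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])

# Constructed sample data: group and role names are hypothetical.
MAPPERS = [("cosmo-admins", "admin"), ("cosmo-dev.*", "developer"), (".*", "viewer")]
TOKEN = make_sample_token(
    {"sub": "user@example.com", CLAIM: ["Everyone", "not-cosmo-admins-audit"]})

if __name__ == "__main__":
    groups = decode_payload(TOKEN).get(CLAIM, [])  # [] if the claim is missing
    print("anchored:  ", roles_for(groups, MAPPERS))
    print("unanchored:", roles_for(groups, MAPPERS, anchored=False))
    print("overmatch: ", overmatching(MAPPERS, groups))
```

Writing a mapper pattern with explicit `^` and `$` (for example `^cosmo-admins$`) gives the same result under either matching mode.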
