Okta SSO Integration

The Infracast Okta integration enables Single Sign-On (SSO) so your users can log into Infracast using their existing Okta credentials. Both SAML 2.0 and OIDC (OpenID Connect) are supported. When SSO is enabled, users are redirected to Okta for authentication and returned to Infracast with an active session.

Prerequisites

  • An Okta tenant with administrator access
  • Infracast tenant admin access
  • Your Infracast instance URL (e.g., https://infracast.example.com)

Option A: SAML 2.0 Configuration

Step 1: Create an Okta SAML Application

  1. Log into the Okta Admin Console

  2. Navigate to Applications → Applications → Create App Integration

  3. Select SAML 2.0 → Next

  4. General Settings:

    • App name: Infracast
    • App logo: (optional)
  5. Configure SAML:

    • Single sign-on URL: https://infracast.example.com/auth/saml/callback
    • Audience URI (SP Entity ID): https://infracast.example.com/auth/saml/metadata
    • Name ID format: EmailAddress
    • Application username: Email
  6. Attribute Statements: Add the following:

    Name        Value
    email       user.email
    firstName   user.firstName
    lastName    user.lastName
    groups      user.groups (optional, for group-based role mapping)
  7. Click Next → Finish

  8. On the Sign On tab, click View SAML setup instructions and note:

    • Identity Provider Single Sign-On URL
    • Identity Provider Issuer
    • X.509 Certificate (download)

Step 2: Configure Infracast SAML

Navigate to Settings → Integrations → Add Integration → Okta SSO → SAML:

Field                  Value
SSO URL                Okta Identity Provider Single Sign-On URL
Entity ID (Issuer)     Okta Identity Provider Issuer URL
X.509 Certificate      Paste the downloaded certificate content
Email Attribute        email
First Name Attribute   firstName
Last Name Attribute    lastName
Groups Attribute       groups (optional)

Option B: OIDC Configuration

Step 1: Create an Okta OIDC Application

  1. Log into the Okta Admin Console
  2. Navigate to Applications → Applications → Create App Integration
  3. Select OIDC - OpenID Connect → Web Application → Next
  4. General Settings:
    • App integration name: Infracast
  5. Sign-in redirect URIs: https://infracast.example.com/auth/oidc/callback
  6. Sign-out redirect URIs: https://infracast.example.com/auth/logout
  7. Assignments: Assign the app to the appropriate groups or users
  8. Click Save
  9. Note the Client ID and Client secret from the app's General tab
  10. Note the Okta domain (e.g., yourcompany.okta.com)

Step 2: Configure Infracast OIDC

Navigate to Settings → Integrations → Add Integration → Okta SSO → OIDC:

Field           Value
Issuer URL      https://yourcompany.okta.com (or https://yourcompany.okta.com/oauth2/default for a custom authorization server)
Client ID       OIDC application Client ID
Client Secret   OIDC application Client Secret
Scopes          openid profile email groups
Redirect URI    https://infracast.example.com/auth/oidc/callback

Role Mapping

Infracast roles can be mapped from Okta groups, so users automatically receive the correct Infracast permissions based on their group membership.

Okta Group           Infracast Role
infracast-admins     Admin
infracast-analysts   Analyst
infracast-viewers    Viewer

Configure group-to-role mappings in Settings → Integrations → Okta SSO → Role Mappings.

User Provisioning

When a user authenticates via SSO for the first time, Infracast creates their account automatically (Just-In-Time provisioning). The account is assigned the default role configured in Settings → SSO → Default User Role.

Note: Infracast does not currently support SCIM-based user provisioning from Okta. Users are created on first login and deprovisioned by disabling or removing them from the Okta application assignment.

Troubleshooting

SAML response validation failed

Symptom: Login redirects to Okta but returns to Infracast with a SAML error

Checks:

  1. Verify the Single sign-on URL in Okta matches exactly: https://infracast.example.com/auth/saml/callback
  2. Verify the Audience URI matches: https://infracast.example.com/auth/saml/metadata
  3. Confirm the X.509 certificate in Infracast is the full certificate including -----BEGIN CERTIFICATE----- headers
  4. Check that system clocks are synchronized — SAML assertions expire after a short window (clock skew > 5 minutes causes failures)
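
The four checks above can be run against a captured SAMLResponse form value (base64) and the certificate text pasted into Infracast, before any settings are changed. This is an added example, not Infracast code: the function names and the sample response are constructed, it assumes the response's Destination attribute carries the Okta Single sign-on URL, and it does not verify the XML signature.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Added troubleshooting aid, not Infracast code. It does NOT verify the XML
# signature, so it must never be used to decide whether to trust a response.
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://infracast.example.com/auth/saml/callback"
AUDIENCE = "https://infracast.example.com/auth/saml/metadata"
MAX_SKEW = timedelta(minutes=5)  # tolerance taken from check 4 above

def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(b64_response, pem_cert, now=None):
    """Return a list of problems found; an empty list means all four checks pass."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.get("Destination") != ACS_URL:                        # check 1
        problems.append("destination mismatch")
    audiences = [e.text.strip() for e in root.iterfind(".//a:Audience", NS) if e.text]
    if AUDIENCE not in audiences:                                 # check 2
        problems.append("audience mismatch")
    pem = pem_cert.strip().splitlines()                           # check 3
    if len(pem) < 3 or pem[0] != "-----BEGIN CERTIFICATE-----" \
            or pem[-1] != "-----END CERTIFICATE-----":
        problems.append("certificate lacks PEM BEGIN/END lines")
    cond = root.find(".//a:Conditions", NS)                       # check 4
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + MAX_SKEW < _ts(nb):
            problems.append("assertion not yet valid")
        if noa and now - MAX_SKEW >= _ts(noa):
            problems.append("assertion expired")
    return problems

def build_sample(nb, noa, dest=ACS_URL, aud=AUDIENCE):
    """Constructed, unsigned sample response used only to exercise the checks."""
    xml = ('<p:Response xmlns:p="%s" xmlns:a="%s" Destination="%s"><a:Assertion>'
           '<a:Conditions NotBefore="%s" NotOnOrAfter="%s"><a:AudienceRestriction>'
           '<a:Audience>%s</a:Audience></a:AudienceRestriction></a:Conditions>'
           '</a:Assertion></p:Response>') % (NS["p"], NS["a"], dest, nb, noa, aud)
    return base64.b64encode(xml.encode()).decode()
```

An "assertion expired" or "assertion not yet valid" result with otherwise correct URLs points at clock drift on the Infracast host rather than at the Okta application settings.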

Invalid client (OIDC)

Symptom: OIDC login fails with invalid_client

Checks:

  1. Verify the Client ID and Client Secret are copied correctly (no trailing spaces)
  2. Verify the redirect URI in Okta matches exactly: https://infracast.example.com/auth/oidc/callback
  3. Ensure the app is assigned to the user's groups in Okta

Users can log in but have no access

Symptom: SSO login succeeds but user sees "Access Denied" in Infracast

Cause: No role mapping matched, and the default role may be set to None.

Fix: Configure a default role in Settings → Integrations → Okta SSO → Default User Role, or add the user's Okta group to the role mappings.

Okta app not visible to users

Symptom: The Infracast tile does not appear in users' Okta dashboard

Checks:

  1. Verify the Okta application assignment includes the user's group or individual user
  2. In Okta Admin Console: Applications → [Infracast] → Assignments — confirm users/groups are assigned