Okta with OpenID SSO


Okta is an Identity Provider (IdP) that manages user access across multiple applications from a single platform. With OpenID Connect SSO configured between Okta and Document360, your users and readers can sign in to Document360 using their existing Okta credentials.

NOTE

Only users with the Owner or Admin project role can configure SSO in Document360.

What you can do with Okta as your IdP

Capability | Supported
User (portal) authentication | Yes
Reader (knowledge base site) authentication | Yes
SCIM user provisioning | Yes
SCIM reader provisioning | Yes
SCIM group sync | Yes
SSO configuration inheritance (parent-child projects) | Yes

NOTE

When using Okta with OpenID Connect, SCIM provisioning requires a separate OAuth Bearer Token app from the Okta app catalog. Unlike the SAML setup, SCIM cannot be enabled within the same OIDC application.


Before you begin

  • You have an active Okta account with administrator access. If you need to create one, sign up at developer.okta.com/signup.
  • You have Owner or Admin access in your Document360 project.
  • Open Document360 and Okta in two separate browser tabs. You will need to switch between them multiple times during setup.

Step 1: Create an OpenID Connect application in Okta

  1. Log in to your Okta account and click Admin in the top right corner to switch to the admin console.
  2. In the left navigation, expand Applications and click Applications.
  3. Click Create App Integration.
  4. Select OIDC - OpenID Connect as the sign-in method.
  5. Choose Web Application as the application type and click Next.
  6. On the New Web App Integration page, enter a name for your application in the App integration name field.

Step 2: Get the SP parameters from Document360

  1. Open Document360 in a separate tab.
  2. Navigate to Settings > Users & permissions > SSO Configuration.
  3. Click Create SSO.
  4. Select Okta as your identity provider to navigate to the Configure the Service Provider (SP) page automatically.
  5. On the Configure the Service Provider (SP) page, select the OpenID radio button.
  6. A set of parameters will be displayed.

Step 3: Enter the Document360 parameters in Okta

  1. Switch to the Okta tab on the New Web App Integration page.
  2. Enter the Document360 parameters using the mapping below.
Document360 | Okta
Sign-in redirect URIs | Sign in redirect URI
Sign-out redirect URIs | Sign out redirect URI

  3. Scroll down to Assignments and select the desired Controlled access option.
  4. Click Save. You will be redirected to the application's General page.

Step 4: Configure the Identity Provider in Document360

  1. Return to Document360 on the Configure the Service Provider (SP) page and click Next to navigate to the Configure the Identity Provider (IdP) page.
  2. Enter the corresponding values from your Okta application using the mapping below.

Okta | Document360
Client ID | Client ID
Client Secret | Client Secret
Issuer URI | Authority

NOTE

To find the Issuer URI in Okta, navigate to Security > API.

  3. In the Scope (optional) field, type a scope value and click + to add it as a chip. This defines what user information or permissions Document360 requests from Okta. You can add up to 3 scopes.
  4. Ensure the Client ID and Client Secret match the values generated in Okta.
  5. Click Next to proceed to the SCIM provisioning page.
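
A pre-flight check for the Authority and Scope values entered in this step, as an added example (not Document360's or Okta's code). It compares the Authority against the issuer in the IdP's OpenID Connect discovery document and applies the 3-scope limit; the function name, the example.okta.com host and the embedded discovery document are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

MAX_SCOPES = 3  # limit this page states for the Scope (optional) field

# Constructed sample of the metadata an IdP serves at
# <issuer>/.well-known/openid-configuration; example.okta.com is a placeholder.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "scopes_supported": ["openid", "profile", "email", "groups"],
})


def check_idp_values(authority, scopes, discovery_json):
    """Return a list of problems with the values about to be entered."""
    problems = []
    doc = json.loads(discovery_json)
    parts = urlsplit(authority)

    if parts.scheme != "https" or not parts.netloc:
        problems.append("Authority must be an absolute https:// URL")
    if parts.query or parts.fragment:
        problems.append("Authority must not carry a query string or fragment")

    # OpenID Connect Discovery requires the issuer in the metadata to be
    # identical to the issuer URL it was fetched for (no normalisation).
    if doc.get("issuer") != authority:
        problems.append(f"issuer mismatch: metadata says {doc.get('issuer')!r}")

    # Endpoints that carry codes, tokens and signing keys must be HTTPS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} is missing or not https")

    if len(scopes) > MAX_SCOPES:
        problems.append(f"{len(scopes)} scopes given, at most {MAX_SCOPES} allowed")
    supported = doc.get("scopes_supported")
    if supported is not None:
        for scope in scopes:
            if scope not in supported:
                problems.append(f"scope {scope!r} not in scopes_supported")
    return problems
```

In practice the discovery JSON would be fetched over HTTPS from the Issuer URI shown in Okta; a trailing slash on the Authority is enough to trigger the issuer mismatch.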

Step 5: Configure SCIM provisioning

SCIM provisioning automates user and reader lifecycle management between Okta and Document360. When using OpenID Connect, SCIM requires a separate OAuth Bearer Token app in the Okta catalog. It cannot be enabled within the same OIDC application.

If you do not need SCIM provisioning, skip to Step 6: Configure SSO name and login options.

Enable SCIM in Document360

  1. Turn on the Enable SCIM provisioning toggle.
  2. A confirmation dialog appears. Review the terms and click Agree.
  3. The parameters required to complete the SCIM configuration in Okta will then be displayed.

Add the SCIM OAuth Bearer Token app in Okta

  1. In Okta, expand Applications in the left navigation and click Applications.
  2. Click Browse App Catalog and search for SCIM 2.0 (OAuth Bearer Token), then select See all results.
  3. From the search results, select (OAuth Bearer Token) Governance with SCIM 2.0 and click Add Integration.

NOTE

Make sure to select the correct app. Do not select the Test app version.

  4. In the General Settings page, you can change the Application label if needed and click Next.
  5. Click Done on the Sign-On options page.

NOTE

No configuration is needed on the Sign-On options page. This app is created only for SCIM provisioning — the OpenID SSO configuration was already completed in the previous steps.

Configure the SCIM API connection in Okta

  1. In the SCIM app, navigate to the Provisioning tab and select Configure API Integration.
  2. Select the Enable API Integration checkbox. A set of fields will be displayed.
  3. Enter the Document360 parameters using the mapping below.

Document360 | Okta
SCIM Base URL | Base URL
Primary secret token | OAuth Bearer Token

NOTE

Do not click Test Connector Configuration yet. At this stage, SCIM provisioning will not work with Document360 because the SSO configuration is not yet completed in Document360.

  4. Once done, navigate back to Document360 to complete the configuration.

Assign default role and groups in Document360

  1. Turn on the Enable group sync toggle if needed.
  2. In the Default role field, the role is set to Contributor by default. You can change this from the dropdown if needed.
  3. In the User groups and Reader groups fields, select the groups you want to add. Multiple groups can be added, and they will inherit the default role you selected earlier.
  4. Click Next to navigate to the More settings page.

Step 6: Configure SSO name and login options

  1. In the SSO name field, enter a name for the SSO configuration.
  2. In Customize login button, enter the text for the login button displayed to users.
  3. Auto assign reader group — this option is only available for existing SSO configurations. For newly created SSO configurations, this toggle will not be displayed as SCIM automatically provisions users and groups. Learn more about Auto assign reader group.
  4. Turn on the Sign out idle SSO user toggle if your requirements call for it.
  5. Choose whether to invite existing user and reader accounts to SSO.
  6. Click Create to complete the OpenID SSO configuration.

Step 7: Complete SCIM integration in Okta

  1. Navigate back to the Okta SCIM app.
  2. Click Test API Credentials. A success message will appear confirming the SCIM app is integrated successfully.
  3. Click Save.
  4. Go to the Provisioning tab, select To App, and click Edit on the Provisioning to App section.
  5. Select only the following supported actions:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  6. Click Save.

SCIM provisioning with Okta OpenID Connect is now configured successfully.

The OpenID-based SSO configuration with Okta is now complete.

NOTE

For more details on managing users, readers, and groups, see Managing users and readers with SCIM in Okta.


Best practices

  • Use a separate SCIM app for provisioning. When using OpenID Connect with Okta, SCIM requires its own OAuth Bearer Token app from the Okta catalog. Do not attempt to enable SCIM within the OIDC app.
  • Select the correct SCIM app. Search for (OAuth Bearer Token) Governance with SCIM 2.0 specifically. Do not select the Test app version.
  • Complete the Document360 SSO configuration before testing SCIM. Clicking Test Connector Configuration before saving the Document360 configuration will fail. Always save the Document360 configuration first, then return to Okta to test.
  • Select only the three supported provisioning actions. Enabling unsupported actions may cause provisioning errors. Limit selection to Create Users, Update User Attributes, and Deactivate Users.

FAQ

Why do I need a separate app for SCIM when using OpenID Connect with Okta?

The OIDC app integration in Okta handles authentication only. It does not support SCIM provisioning natively. A separate OAuth Bearer Token app is needed to establish the SCIM connection between Okta and Document360. This is different from the SAML setup, where SCIM can be enabled within the same Okta application.

Where do I find the Issuer URI in Okta?

In Okta, navigate to Security > API. The Issuer URI is listed there and maps to the Authority field in Document360's IdP configuration page.

What are scopes and do I need to add them?

Scopes define what user information or permissions Document360 requests from Okta during authentication. The Scope field is optional — you can add up to 3 scopes by typing a value and clicking the + button. If you are unsure whether scopes are needed, check with your Okta administrator.