Identity Provider Config

The OpenID Connect IdP configuration allows enrolled users to authenticate with Keyless to get access to their Okta portal or Okta enabled apps.

Last updated 7 months ago

Was this helpful?

  1. In your Okta Admin dashboard, go to "Security" on the top menu and click "Identity Providers".

  2. Click "Add Identity Provider" and select "Add OpenID Connect IdP".

  3. Configure the following settings:

    • General Settings

      | Field | Value |
      |---|---|
      | Name | "Keyless" |
      | Client ID | an ID of your choice, which will need to be provided to Keyless |
      | Client Secret | a secret value of your choice, which will need to be provided to Keyless |
      | Scopes | email, openid, profile |

    • Endpoints, supplied to you by Keyless. Each Okta field takes the value of the corresponding key from the Keyless OpenID Connect discovery document:

      | Field | Discovery document key |
      |---|---|
      | Issuer | issuer |
      | Authentication Endpoint | authorization_endpoint |
      | Token Endpoint | token_endpoint |
      | JWKS Endpoint | jwks_uri |
      | User Info Endpoint | userinfo_endpoint |

    • Advanced Settings

      | Field | Value |
      |---|---|
      | IdP Username | idpuser.externalId |
      | Match Against | Okta Username |
      | Account Link Policy | Automatic |
      | Auto-Link Restrictions | None |
      | If no match is found | Create New User (JIT) |
      | Profile Source | Checked |
      | Group Assignments | None |

    If you do not want to assign users to a specific group through JIT (Just in Time) provisioning, select the option "Redirect to sign-in page" under "If no match is found". This blocks the use of Keyless authentication as a profile master, so that the Okta account system alone manages a user's membership in the org.

  4. Click "Update Identity Provider". On the Identity Providers page, expand the new provider's information view and take note of its IdP ID and Redirect URI.

  5. Provide Keyless with the following through a secure channel:

    • Client ID and Secret of Account Linking App.

    • Client ID and Secret of Identity Provider.

    • IdP ID and Redirect URI of the Identity Provider.

  6. Under "Identity Providers" go to "Routing Rules" to configure which users and groups will have access to the Keyless Identity Provider and will use Keyless as their authentication method.

Make sure that the Keyless Account Linking application is configured to use the default Okta identity provider (as the first rule) so that users will be able to link their account properly.
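Before pasting the Endpoints values into Okta, it is worth checking that what Keyless supplied is consistent with the issuer's OpenID Connect discovery document (every endpoint present, https only, and the email/openid/profile scopes advertised). The script below is an added example and not part of the Keyless or Okta documentation; it runs against a constructed sample document with the placeholder host idp.example.com, which you would replace with the real document fetched from the issuer's /.well-known/openid-configuration.

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery document; idp.example.com is a placeholder,
# not Keyless's real issuer. Keyless supplies the actual values.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "scopes_supported": ["openid", "profile", "email"],
})

# Okta "Endpoints" form field -> key in the OIDC discovery document
OKTA_FIELDS = {
    "Issuer": "issuer",
    "Authentication Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "JWKS Endpoint": "jwks_uri",
    "User Info Endpoint": "userinfo_endpoint",
}
REQUIRED_SCOPES = {"openid", "profile", "email"}  # scopes entered in Okta


def check_discovery(doc_text: str) -> dict:
    """Map the discovery document onto Okta's fields; raise ValueError on hard failures."""
    doc = json.loads(doc_text)
    errors, warnings, fields = [], [], {}
    issuer = urlparse(doc.get("issuer", ""))
    if issuer.scheme != "https" or not issuer.netloc:
        errors.append("issuer must be an https URL")
    for field, key in OKTA_FIELDS.items():
        url = doc.get(key)
        if not url:
            errors.append(f"missing {key}")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            errors.append(f"{key} is not https: {url}")
        elif parsed.netloc != issuer.netloc:
            # Allowed by the spec, but unusual enough to confirm with the provider
            warnings.append(f"{key} is hosted on {parsed.netloc}, not the issuer host")
        fields[field] = url
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        warnings.append("scopes not advertised: " + ", ".join(sorted(missing)))
    if errors:
        raise ValueError("; ".join(errors))
    return {"fields": fields, "warnings": warnings}
```

The returned "fields" dictionary is keyed by the exact Okta form labels from the Endpoints table, so it can be read off line by line while filling in the form.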
