»Okta OIDC SSO Configuration
This page explains how to set up SSO in HashiCorp Cloud Platform (HCP) with the Okta identity provider. Refer to SSO Overview for details about how to manage organizations with SSO enabled.
Configure OIDC SSO
Organization owners and admins can set up SSO. To begin configuring SSO:
- Log in to HCP and go to your organization.
- Click Settings and then click SSO. The Single Sign-On page appears.
- Select OIDC SSO.
- Click Configure selected SSO method. The Setup OIDC SSO page appears, where you will enter the required information for Okta.
Verify Your Domain
You need a DNS record (secret value to set as TXT) to prove ownership of a domain. HCP uses the domain to match the email addresses for SSO. You must use different SSO domains for each HCP organization. If you try to reuse a domain name, the DNS connection request will fail.
To verify your domain:
- Copy the verification TXT record from the HCP SSO configuration to the DNS records of any email domains your organization uses.
- Return to the HCP Settings page and add your email address domains.
- Click Verify domains.
NOTE: If the verification is successful, you can continue configuring SSO. If the request fails, your changes to the DNS records may not have propagated yet. It can take up to 72 hours.
OIDC Integration in OKTA
Login to Okta and click Application.
Click the Create App Integration button.
In Sign-in method section select OIDC - OpenID Connect.
In the Application section select Web Application.
In General Settings, fill in the App integration name.
In the Sign-in redirect URIs section, enter your URI.
In the Assignments section, choose the access type needed for your application.
You'll be taken to the web app page. On the General tab, copy the Client ID and Client Secret.
Select the Sign On tab and go to the OpenID Connect ID Token section.
Select your Issuer URL and click Save.
You should have the Client ID, Client Secret, and Issuer URL. Copy these into the HCP portal OIDC configuration page.