Configuring an Okta Application for Auth0 Enterprise Connection

Modified on Thu, 8 Jan at 11:56 AM

Environment: Production

Purpose: Configure Okta as an OpenID Connect (OIDC) Identity Provider for Auth0

Auth0 Callback URI: https://auth.npi-digital.com/login/callback

Auth0 Sign-out Redirect URI: https://auth.npi-digital.com/logout


1. Prerequisites

Before starting, verify:

  • You have Admin access to your Okta tenant.
  • You know your Auth0 production URLs:

    • Callback: https://auth.npi-digital.com/login/callback
    • Sign-out redirect: https://auth.npi-digital.com/logout
  • This integration will use OIDC (OpenID Connect), not SAML.

2. Create the Okta Application

  1. Log into your Okta Admin Console.
  2. Navigate to: Applications → Applications
  3. Click Create App Integration.
  4. When prompted:

    • Sign-in method: Select OIDC – OpenID Connect
    • Application type: Select Web Application
    • Click Next

3. Configure Application Settings

3.1 General Settings

Fill in the following:

  • App Integration Name: Example: Auth0 Enterprise SSO - Prod

  • (Optional) Add a description like: “Enterprise Single Sign-On app used by Auth0 for NPI Digital production environment.”


3.2 Sign-in Redirect URI (Callback URI)

In the Sign-in redirect URIs field, add:

https://auth.npi-digital.com/login/callback

This is where Okta sends the user after successful authentication.

⚠️ This must match exactly what’s configured in Auth0.


3.3 Sign-out Redirect URI

In the Sign-out redirect URIs field, add:

https://auth.npi-digital.com/logout

This is where users will be redirected after logging out via Auth0.


3.4 Assignments

Choose how users will be allowed to authenticate:

  • Option 1 (common for production): Limit to selected groups
  • Option 2: Allow everyone in your organization to access

Select based on your organization’s security policy.


3.5 Grants (Scopes)

Ensure at minimum these OpenID scopes are allowed:

  • openid
  • profile
  • email

These are necessary for identity and user data mapping in Auth0.


4. Saving and Collecting Required Values

After clicking Save, go to the application’s General tab and collect the following values:

4.1 Okta Domain

Your Okta domain will look like one of these:

  • https://yourcompany.okta.com
  • https://yourcompany.oktapreview.com
  • Or a custom domain like https://login.yourcompany.com

You will provide this to your Auth0 administrator.


4.2 Client Credentials

Navigate to the Client Credentials section of your application and copy:

  • Client ID
  • Client Secret

These are required in Auth0 to complete the enterprise connection.

Store these securely.


5. Token Configuration (Optional but Recommended)

To ensure proper claims are passed to Auth0, verify:

  1. Go to Security → API → Authorization Servers → Default
  2. Check that the following claims are included in tokens:

    • email
    • name
    • preferred_username
    • (Optional) group attributes

If you need groups in Auth0:

  • Add a custom claim that includes group membership.

6. Test Users or Group Assignment

Confirm test users or user groups are assigned to this application:

  1. Go to the app’s Assignments tab.
  2. Assign test users or test groups.
  3. Save changes.

This ensures those users can authenticate during testing.


7. Final Deliverables for the Auth0 Team

Once complete, provide the following to your Auth0 administrator:

| Value | Example |
| --- | --- |
| Okta Domain | https://company.okta.com |
| Client ID | 0oa1abc123XYZ |
| Client Secret | ************ |
| Redirect URI | https://auth.npi-digital.com/login/callback |
| Logout URI | https://auth.npi-digital.com/logout |

8. Common Errors to Avoid

| Issue | Resolution |
| --- | --- |
| "invalid_redirect_uri" | Ensure the callback URL matches Auth0 exactly |
| Missing email in Auth0 | Ensure email scope is enabled |
| Users can’t log in | Check the user/group assignments |
| Logout redirect fails | Make sure logout URI is registered in Okta |
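
A pre-handover check for the exact-match requirement behind the "invalid_redirect_uri" error, as an added example that is not part of the original article: it audits an exported Okta app definition against the two production URIs and says why a near-miss fails. The field names are assumed to follow Okta's Apps API application object, the function names are hypothetical, and the sample export is constructed.

```python
from urllib.parse import urlsplit

# Production URIs from this article.
CALLBACK = "https://auth.npi-digital.com/login/callback"
LOGOUT = "https://auth.npi-digital.com/logout"

def explain_mismatch(expected, registered):
    """Say why a registered URI fails the exact-string comparison."""
    e, r = urlsplit(expected), urlsplit(registered)
    if e.scheme != r.scheme:
        return f"scheme is {r.scheme!r}, expected {e.scheme!r}"
    if e.netloc != r.netloc:
        if e.netloc.lower() == r.netloc.lower():
            return "host differs only in letter case"
        return f"host is {r.netloc!r}, expected {e.netloc!r}"
    if e.path != r.path:
        if e.path.rstrip("/") == r.path.rstrip("/"):
            return "trailing slash differs"
        return f"path is {r.path!r}, expected {e.path!r}"
    return "query or fragment differs"

def audit_okta_app(app):
    """Return findings for an exported app; an empty list means all checks pass.
    Assumption: field names follow Okta's Apps API application object."""
    findings = []
    if app.get("signOnMode") != "OPENID_CONNECT":
        findings.append("sign-in method is not OIDC")
    oauth = app.get("settings", {}).get("oauthClient", {})
    if oauth.get("application_type") != "web":
        findings.append("application type is not Web Application")
    for label, key, expected in (("callback", "redirect_uris", CALLBACK),
                                 ("logout", "post_logout_redirect_uris", LOGOUT)):
        registered = oauth.get(key, [])
        if expected in registered:
            continue
        if not registered:
            findings.append(f"{label}: no URI registered")
        for uri in registered:
            findings.append(f"{label}: {uri} -> {explain_mismatch(expected, uri)}")
    return findings

# Constructed sample export: trailing slash on the callback, http on logout.
SAMPLE = {"signOnMode": "OPENID_CONNECT", "settings": {"oauthClient": {
    "application_type": "web",
    "redirect_uris": ["https://auth.npi-digital.com/login/callback/"],
    "post_logout_redirect_uris": ["http://auth.npi-digital.com/logout"]}}}

if __name__ == "__main__":
    print("\n".join(audit_okta_app(SAMPLE)))
```
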

9. Quick Checklist

  • [ ] Created OIDC Web App in Okta
  • [ ] Callback URL configured
  • [ ] Logout redirect URL configured
  • [ ] App assigned to correct users/groups
  • [ ] Client ID & Secret copied
  • [ ] Okta domain confirmed
  • [ ] Token scopes and claims verified
