# Okta SSO (OIDC) ### Overview Sumble supports Single Sign-On (SSO) via Okta, allowing your team to log in to Sumble using their existing Okta credentials. Once configured, users can authenticate through Okta instead of using email-based login methods. Optionally, SSO can be enforced so that all users on your domain must log in through Okta, blocking Google OAuth and Magic Link authentication. *** ### Prerequisites * Access to the Okta Admin Console * An Okta plan that supports OIDC (OpenID Connect) applications *** ### Step 1: Create the Okta Application 1. In Okta Admin Console, go to **Applications** > **Create App Integration** 2. Select **OIDC - OpenID Connect** and **Web Application** 3. Set the **Sign-in redirect URI** to: `https://sumble.com/account/login/okta/callback` 4. Under **Assignments**, assign the users or groups who should have access to Sumble 5. Complete the setup and copy the **Client ID** and **Client Secret** 6. Find your **Issuer URL**: Go to **Security** > **API** > **Authorization Servers**, select your server (usually "default"), and copy the Issuer URI (e.g., `https://your-org.okta.com/oauth2/default`) *** ### Step 2: Configure the Access Policy Ensure the authorization server has an Access Policy that allows your Sumble application: 1. Go to **Security** > **API** > **Authorization Servers** > \[your server] > **Access Policies** 2. Either add your Sumble app to an existing policy, or create a new policy 3. The policy must allow the following scopes: `openid`, `email`, `profile` *** ### Step 3: Share Credentials with Sumble Share the following with your Sumble Customer Success Manager: * **Client ID** * **Client Secret** * **Issuer URL** (from Security > API > Authorization Servers) > The Issuer URL must come from **Security > API > Authorization Servers**, not just your Okta domain. For example, `https://your-org.okta.com/oauth2/default` rather than `https://your-org.okta.com`. Your Sumble Customer Success Manager will configure SSO on your account and confirm when it's ready to test. *** ### Step 4: Add Sumble to Your Okta Dashboard (Optional) After SSO is configured by Sumble, you can allow users to launch Sumble directly from their Okta app dashboard: 1. In Okta Admin Console, go to the Sumble application settings 2. Under **General** > **Login**, set: * **Login initiated by**: Either Okta or App * **Initiate login URI**: Your Sumble Customer Success Manager will provide this URL after setup 3. Save the settings 4. Users will now see Sumble in their Okta app dashboard *** ### SSO Enforcement (Optional) Once SSO has been successfully tested (at least one user must log in via Okta), you can optionally request that SSO be enforced for your organization. When enforcement is enabled: * Google OAuth login is blocked for users on your domain and will redirect them to Okta * Magic Link login is blocked for users on your domain * All users must authenticate through Okta To enable or disable SSO enforcement, contact your Sumble Customer Success Manager. Book a time to chat with us