> For the complete documentation index, see [llms.txt](https://docs.tonic.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.tonic.ai/fabricate/fabricate-accounts-and-users/managing-account-users/single-sign-on-sso/okta-configuration.md).

# Okta configuration

To use Okta as your Fabricate single sign-on (SSO) provider, you first complete the following configuration in Okta.

## Create the app integration

In the Okta Admin Console:

1. Go to **Applications** -> **Applications**.
2. Click **Create App Integration**.
3. Choose **OIDC - OpenID Connect**.
4. Choose **Web Application**.
5. Click **Next**.

Configure the app integration as follows:

* **App integration name**: `Fabricate SSO`
* **Grant type**: `Authorization Code`
* **Sign-out redirect URIs**:
  * `https://fabricate.tonic.ai/`
* **Assignments**: Assign the users or groups that should be able to sign in to Fabricate.

Fabricate uses the server-side authorization code flow. Do not configure the app as a SPA or a native application.

## Copy Okta values to use in Fabricate

### Issuer URL

The Fabricate SSO configuration includes the Okta OIDC issuer URL.

Choose the issuer that corresponds to the authorization server on which you configure the `groups` claim. Okta includes only the claims that belong to the authorization server that issued the token: if the app integration uses the organization authorization server, but the `groups` claim is configured on a custom authorization server, Fabricate does not receive the claim. Copy the issuer exactly as Okta presents it, because the `iss` claim in the tokens that Okta issues must match the configured value.

#### Okta organization authorization server

For the Okta org authorization server, use:

```
https://<your-okta-domain>
```

For example:

```
https://example.okta.com
```

#### Custom authorization server

For an Okta custom authorization server, use:

```
https://<your-okta-domain>/oauth2/<authorization-server-id>
```

For example, for Okta's default custom authorization server:

```
https://example.okta.com/oauth2/default
```

### Client ID

The **Client ID** value for the Fabricate SSO configuration is the Okta app integration's **Client ID**.

To obtain the value:

1. Open the app integration.
2. On the **General** tab, find **Client Credentials**.
3. Copy **Client ID**.

### Client secret

The **Client Secret** value for the Fabricate SSO configuration is the Okta app integration's **Client secret**.

To obtain the value:

1. Open the app integration.
2. On the **General** tab, find **Client Credentials**.
3. Copy **Client secret**.

## Required token claims

Fabricate expects standard OIDC email verification from Okta:

* `email`
* `email_verified`

The `email` and `email_verified` claims are normally available when Fabricate requests the `email` scope.

Fabricate requests the following:

```
openid email profile
```

Note that Fabricate does **not** request the Okta `groups` scope. If your Okta `groups` claim is configured to appear only when the `groups` scope is requested, Fabricate does not receive it. Configure the claim so that it is included regardless of scope, as described below.

## Add group names for Fabricate group synchronization

Fabricate can optionally synchronize a user's Fabricate account group memberships with group names that Okta sends when the user signs in. The user is then automatically added to the matching Fabricate account group.

Fabricate matches the values in the `groups` claim to Fabricate group names. The group name match is case-insensitive.

If a group does not already exist in Fabricate, and matches the [group filter](/fabricate/fabricate-accounts-and-users/managing-account-users/single-sign-on-sso/sso-fabricate-config.md#sso-group-filter), then when **Sync groups from SSO** is enabled, Fabricate creates it automatically.

In Okta, you configure a claim that is named:

```
groups
```

The claim value must be an array of group names. For example:

```json
{
  "groups": ["Fabricate Developers", "Analysts"]
}
```

Fabricate reads `groups` from both the ID token and the `UserInfo` response.
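The following is an added example, not Fabricate or Okta code, that models the path described in the previous sections: the Okta-side **Matches regex** group filter, the required `email` and `email_verified` claims, the issuer check, reading `groups` from both the ID token and `UserInfo`, and the case-insensitive match plus filtered auto-creation on the Fabricate side. The token, the user's Okta groups, the existing Fabricate groups, and the function names are constructed for the demonstration; the Fabricate-side functions are a model of the documented behaviour, not Fabricate's implementation.

```python
import base64
import json
import re

# Constructed sample data for the demonstration (not real accounts).
OKTA_USER_GROUPS = ["Fabricate Developers", "Fabricate Analysts", "Everyone", "Payroll"]
CONFIGURED_ISSUER = "https://example.okta.com/oauth2/default"   # default custom auth server
EXISTING_FABRICATE_GROUPS = ["fabricate developers", "Admins"]  # note the different case


def okta_groups_claim(user_groups, pattern):
    """Model of Okta's 'Matches regex' group claim filter: only the user's
    groups whose names match the pattern are placed in the claim.
    Assumption: the regex is anchored at the start, like re.match."""
    rx = re.compile(pattern)
    return [g for g in user_groups if rx.match(g)]


def decode_jwt_payload(token):
    """Return the claims of a JWT WITHOUT verifying its signature.
    Debugging aid for inspecting a token you obtained yourself (for example,
    to see whether 'groups' is present); never use it to trust a token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_required_claims(claims, expected_issuer):
    """Checks a relying party makes before using the token: the issuer must be
    the one configured, and the page's required email claims must be present."""
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} != configured issuer {expected_issuer!r}")
    if not claims.get("email"):
        problems.append("email claim missing")
    if claims.get("email_verified") is not True:
        problems.append("email_verified is not true")
    return problems


def collect_groups(id_token_claims, userinfo_claims):
    """Fabricate reads 'groups' from both the ID token and UserInfo; merge
    the two sources, keeping order and dropping duplicates."""
    groups = []
    for source in (id_token_claims, userinfo_claims):
        for name in source.get("groups") or []:
            if name not in groups:
                groups.append(name)
    return groups


def sync_groups(claimed_groups, existing_groups, group_filter):
    """Model of the sync rules on this page with 'Sync groups from SSO' enabled:
    a claimed name is matched case-insensitively against existing Fabricate
    groups; a name with no existing group is created only if it matches the
    account's SSO group filter (assumption: anything else is ignored)."""
    rx = re.compile(group_filter)
    by_lower = {g.lower(): g for g in existing_groups}
    result = {"member_of": [], "created": [], "ignored": []}
    for name in claimed_groups:
        if name.lower() in by_lower:
            result["member_of"].append(by_lower[name.lower()])
        elif rx.match(name):
            result["created"].append(name)
            result["member_of"].append(name)
        else:
            result["ignored"].append(name)
    return result


def make_unsigned_token(claims):
    """Constructed, UNSIGNED token (alg=none) so the demo runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def demo(okta_regex=r"^Fabricate.*", fabricate_filter=r"^Fabricate.*", issuer=CONFIGURED_ISSUER):
    """Run one sign-in through the model; returns (problems, sync_result)."""
    id_token = make_unsigned_token({
        "iss": issuer, "sub": "00u1", "email": "ana@example.com", "email_verified": True,
        "groups": okta_groups_claim(OKTA_USER_GROUPS, okta_regex),
    })
    claims = decode_jwt_payload(id_token)
    userinfo = {"sub": "00u1", "email": "ana@example.com", "email_verified": True}
    problems = check_required_claims(claims, CONFIGURED_ISSUER)
    groups = collect_groups(claims, userinfo)
    return problems, sync_groups(groups, EXISTING_FABRICATE_GROUPS, fabricate_filter)


if __name__ == "__main__":
    print(demo())                                   # restrictive regex on both sides
    print(demo(okta_regex=r".*"))                   # Okta sends every group; Fabricate filter drops extras
    print(demo(okta_regex=r".*", fabricate_filter=r".*"))  # nothing filters: every Okta group is created
    print(demo(issuer="https://example.okta.com"))  # app on the org server, issuer configured as custom
```

The last two calls show the two failure modes worth testing before enabling **Sync groups from SSO**: with a permissive regex on both sides, every Okta group the user belongs to becomes a Fabricate group, and with the issuer configured for a different authorization server than the one the app integration uses, the issuer check fails before any group is read.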

To identify the groups to include in the claim, you can use either:

* Okta organization authorization server
* Custom authorization server

### Okta organization authorization server <a href="#groups-okta-org-auth-server" id="groups-okta-org-auth-server"></a>

In the Okta Admin Console:

1. Go to **Applications** -> **Applications**.
2. Open the Fabricate OIDC app integration.
3. Go to the **Sign On** tab.
4. Find the **OpenID Connect ID Token** section.
5. Click **Edit**.
6. For Okta-sourced groups:
   1. In **Group claim type**, select **Filter**.
   2. In **Group claims filter**:
      * **Claim name:** `groups`
      * **Filter:** `Matches regex`
      * **Value:** a restrictive regular expression for the groups that Fabricate should see. For example, `^Fabricate.*`. Avoid a catch-all such as `.*`: it sends every group the user belongs to, and with **Sync groups from SSO** enabled, every name that passes the Fabricate group filter is created as a Fabricate group.
7. For groups sourced outside of Okta, such as groups from AD or LDAP:
   1. In **Group claim type**, select **Expression**.
   2. In **Group claims filter**:
      * **Claim Name:** `groups`
      * **Value:** an Okta Expression Language group expression to return the group names.
8. Click **Save**.

### Custom authorization server <a href="#groups-custom-auth-server" id="groups-custom-auth-server"></a>

Use this option if you already use a custom Okta authorization server, or when you need more control over claim inclusion.

In the Okta Admin Console:

1. Go to **Security** -> **API**.
2. Open the authorization server that is used as Fabricate's issuer.
3. Go to the **Claims** tab.
4. Click **Add Claim**.
5. Configure:
   * **Name**: `groups`
   * **Include in token type**: **ID Token**
   * **When to include**: **Always**
   * **Value type**: **Groups**
   * **Filter**: **Matches regex**
   * **Value**: A restrictive regular expression to identify the groups that Fabricate should see. For example, `^Fabricate.*`. As with the organization authorization server, avoid a catch-all such as `.*`.
6. Save the claim.

Using **ID Token** + **Always** is important because Fabricate does not request Okta's `groups` scope. If the claim is configured only to appear when requested by scope, Fabricate might not receive it.

To instead have the claim in `UserInfo`, make sure the claim:

* Is available from the access token/UserInfo path. To do this, configure the claim to set **Include in token type** to **Access Token/User Info**.
* Does not require a scope that Fabricate does not request.

