# Okta configuration

For Okta, we strongly recommend that you use the Okta PKCE authorization flow.

To enable Okta as your SSO provider for Tonic Textual, you first complete the following configuration steps within Okta:

1. Create a new application. Choose the **OIDC - OpenId Connect** method with the **Single-Page Application** option.

<figure><img src="/files/xDcUpkOkcnOTaViam9Sj" alt=""><figcaption><p>Create a new app integration</p></figcaption></figure>

2. Click **Next**, then fill out the fields with the values below:
   * **App integration name:** The name to use for the Textual application. For example, Textual, Textual-Prod, Textual-Dev.
   * **Grant type:** To use the recommended Okta PKCE authorization flow, under **Core Grants**, check **Authorization Code** and **Refresh Token**.\
     \
     To instead use the legacy implicit authorization flow, expand **Advanced**, then under **Other grants**, check **Implicit (Hybrid)**.
   * **Sign-in redirect URIs:** For self-hosted instances, enter `<base-url>/sso/callback/okta`.\
     \
     For Textual Cloud, on the **Permission Settings** page, the sign-in redirect URL is displayed on the **Single Sign-On** tab. Copy the value from there and paste it into the field.
   * **Base URIs:** The URL to your Textual instance.
   * **Controlled access:** Configure as needed to limit Textual access to the appropriate users.

<figure><img src="/files/3cePeZBuhmhu8YKmVAAE" alt=""><figcaption><p>App integration settings</p></figcaption></figure>

3. After saving the above, navigate to the **General Settings** page for the application and make the following changes:
   * **Grant type:** If you are using the recommended Okta PKCE authorization flow, check **Authorization Code** and **Refresh Token**.\
     \
     To instead use the implicit authorization flow, check **Implicit (Hybrid)** and **Allow ID Token with implicit grant type**.
   * **Login initiated by:** **Either Okta or App**
   * **Application visibility:** Check **Display application icon to users**
   * **Initiate login URI:** `<base-url>`

<figure><img src="/files/OjVimVEKJ1Bg5SkdSWro" alt=""><figcaption><p>Application settings</p></figcaption></figure>

<figure><img src="/files/1opPudYXpRhYUoUiR3du" alt=""><figcaption><p>Login settings</p></figcaption></figure>

4. Make a note of the following values that must be provided to Textual:
   * Client ID of the application:

     ![](/files/XbH2x3ygABm1ZbTpD4vk)
   * Your Okta domain (for example, `tonic.okta.com`)
   * If you created a custom authorization server for Textual, the server ID:

     ![](/files/qnaqn0jrT5pOevfE8Xok)
   * IdP ID (if you use an outside identity provider):

     ![](/files/RPnTkd2IKJU8IOi9QMto)
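
To check a saved configuration against the steps above, the following added example (not Tonic or Okta code) audits an application object, in the shape returned by Okta's Apps API, for the recommended PKCE settings on a self-hosted instance. The function name `audit_okta_app`, the sample values, and the `textual.example.com` base URL are assumptions constructed for illustration.

```python
import json

# Constructed sample, shaped like the app object that Okta's Apps API returns
# (GET /api/v1/apps/{appId}). Every value is a placeholder, not a real tenant.
SAMPLE_APP = json.loads("""
{
  "label": "Textual-Prod",
  "credentials": {"oauthClient": {"client_id": "0oaEXAMPLECLIENTID",
                                  "pkce_required": true}},
  "settings": {"oauthClient": {
    "application_type": "browser",
    "grant_types": ["authorization_code", "refresh_token", "implicit"],
    "redirect_uris": ["https://textual.example.com/sso/callback/okta"],
    "initiate_login_uri": "https://textual.example.com"}}
}
""")


def audit_okta_app(app, base_url):
    """List where the app differs from the recommended PKCE setup (self-hosted)."""
    findings = []
    cred = app.get("credentials", {}).get("oauthClient", {})
    oauth = app.get("settings", {}).get("oauthClient", {})
    grants = set(oauth.get("grant_types", []))
    redirects = oauth.get("redirect_uris", [])
    base = base_url.rstrip("/")
    callback = base + "/sso/callback/okta"  # self-hosted sign-in redirect URI

    if oauth.get("application_type") != "browser":
        findings.append("application type is not Single-Page Application")
    for grant in sorted({"authorization_code", "refresh_token"} - grants):
        findings.append("grant type not enabled: " + grant)
    if "implicit" in grants:
        findings.append("legacy Implicit (Hybrid) grant is enabled")
    if cred.get("pkce_required") is not True:
        findings.append("PKCE is not required for this client")
    if callback not in redirects:
        findings.append("sign-in redirect URI missing: " + callback)
    for uri in redirects:
        if uri != callback:  # any extra or wildcard URI widens where codes can go
            findings.append("unexpected sign-in redirect URI: " + uri)
    if (oauth.get("initiate_login_uri") or "").rstrip("/") != base:
        findings.append("initiate login URI is not " + base)
    return findings


if __name__ == "__main__":
    for finding in audit_okta_app(SAMPLE_APP, "https://textual.example.com"):
        print("FINDING:", finding)
```

For Textual Cloud, compare against the sign-in redirect URL shown on the **Single Sign-On** tab instead of the self-hosted callback path.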


