SSO Setup: Okta

Okta is one of the most common dedicated identity providers. Setup is ~10 minutes via the Okta Admin Console.

Before you start

  • Admin access in your Okta org (you need to create OIDC applications).
  • Admin access in JAMS IMES.
  • The JAMS IMES Redirect URI from your /integrations/sso page; keep this tab open.

Step 1: Create the OIDC application

  1. Sign in to your Okta Admin Console (URL looks like https://<yourorg>-admin.okta.com).
  2. Left sidebar → Applications → Applications → Create App Integration.
  3. Pick:
    • Sign-in method: OIDC – OpenID Connect
    • Application type: Web Application
  4. Click Next.

Step 2: Configure the application

Fill in:

  • App integration name: JAMS IMES (or whatever you like; users won't see this).
  • Grant type: check Authorization Code and uncheck everything else. JAMS IMES only uses the authorization code flow, so leaving other grants enabled adds attack surface for no benefit.
  • Sign-in redirect URIs: paste the URL from the JAMS IMES /integrations/sso page (looks like https://notiphone-.../auth/sso/callback). Okta matches this value exactly, so paste it rather than retyping it.
  • Sign-out redirect URIs: optional. You can paste your JAMS IMES frontend root URL (e.g. https://notiphone-web-.../login).
  • Controlled access / Assignments: pick Skip group assignment for now if you want to assign users later, or Allow everyone in your organization to access if your whole Okta org should be able to sign in to JAMS IMES. Either way, a user still needs an existing JAMS IMES account; there is no just-in-time provisioning.

Click Save.

Step 3: Capture the credentials

After save, you land on the app's General tab. Note these values:

  • Client ID: a long alphanumeric string. Goes into JAMS IMES's Client ID field. It is not secret; it appears in the browser URL on every login.
  • Client Secret: click Show or Copy under the Client Secret field. Stash it in a password manager and nowhere else. It is what proves to Okta that a token request comes from JAMS IMES, so anyone holding it can impersonate the app; if it is ever exposed, generate a new secret on this same tab and update JAMS IMES.

For the Issuer URL in JAMS IMES, you need the issuer of the Okta authorization server that will sign the tokens. Two options:

  • Default authorization server: https://<yourorg>.okta.com/oauth2/default
  • Custom authorization server: if you've set one up, use its issuer URL from Security → API → Authorization Servers.

Most teams use the default authorization server. If unsure, use that. Note that the bare org URL (https://<yourorg>.okta.com, without /oauth2/default) is a different authorization server with a different issuer; the iss claim of every ID token is checked against the configured value, so the two are not interchangeable.

Tip: copy the issuer URL straight from Okta. Go to Security → API → Authorization Servers, click your authorization server (usually called "default"), and copy the Issuer URI field exactly as shown.

Step 4: Assign users to the application

Even if you picked "allow everyone" in Step 2, double-check that the user you'll test with has access:

  1. Open the JAMS IMES app in Okta → Assignments tab.
  2. Confirm the test user (or a group they belong to) is listed.
  3. If not, click Assign → Assign to People or Assign to Groups and add them.

Users without an assignment can authenticate to Okta, but Okta won't let them through to JAMS IMES: they'll see "Access denied" before the redirect back.

Step 5: Configure JAMS IMES

Open JAMS IMES β†’ /integrations/sso. Fill in:

  • Configuration name: Okta (this is the label on the login button).
  • Issuer URL: https://<yourorg>.okta.com/oauth2/default (or your custom server's issuer URI).
  • Client ID: from Step 3.
  • Client Secret: from Step 3.
  • Scopes: leave the default, openid profile email.
  • Claim mappings: leave the defaults; Okta uses the standard claim names.
  • Enforce SSO: leave OFF for the first test.

Click Save Configuration.

Step 6: Test the flow

  1. Open an incognito window.
  2. Go to /login → enter the email of a JAMS IMES user that is also an Okta-assigned user.
  3. Click Continue → you should see Continue with Okta.
  4. Click it → Okta sign-in page → authenticate.
  5. You should land on the JAMS IMES dashboard, signed in.
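The round trip that Step 6 exercises, written out as an added Python example (this is not code from JAMS IMES or Okta): the redirect to Okta for the authorization code grant with state, nonce and PKCE, the checks on the callback to /auth/sso/callback, and the claim checks on the ID token. The org name, client ID and redirect URI are hypothetical placeholders; /v1/authorize and /v1/keys are the endpoint paths Okta documents for an authorization server such as default. The claim checks assume the token's RS256 signature has already been verified against the keys at /v1/keys.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values (hypothetical org, client ID and redirect URI): replace with
# the issuer and Client ID from Step 3 and the redirect URI from the
# JAMS IMES /integrations/sso page.
ISSUER = "https://example-org.okta.com/oauth2/default"
CLIENT_ID = "0oaexampleclientid"
REDIRECT_URI = "https://notiphone-example.example.com/auth/sso/callback"
SCOPES = "openid profile email"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding PKCE and JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_authorize_request(issuer, client_id, redirect_uri, scopes):
    """Build the redirect to Okta for the authorization code grant.
    Returns (url, session): session holds the per-login secrets the relying
    party stores server-side and checks when the user comes back."""
    state = b64url(secrets.token_bytes(16))      # binds the callback to this login
    nonce = b64url(secrets.token_bytes(16))      # binds the ID token to this login
    verifier = b64url(secrets.token_bytes(32))   # PKCE: ties code to this client
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    params = {
        "client_id": client_id,
        "response_type": "code",                 # authorization code only (Step 2)
        "scope": scopes,
        "redirect_uri": redirect_uri,            # must match Okta byte-for-byte
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    # /v1/authorize is the authorization endpoint of an Okta authorization server
    url = issuer.rstrip("/") + "/v1/authorize?" + urlencode(params)
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier}


def parse_callback(callback_url, session):
    """Validate Okta's redirect back to /auth/sso/callback and return the
    authorization code, or raise ValueError naming what went wrong."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        # e.g. access_denied for a user who is not assigned to the app (Step 4)
        raise ValueError("idp error: " + query["error"][0])
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: CSRF attempt or stale login")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def validate_id_token_claims(claims, issuer, client_id, nonce, now=None):
    """Checks on a signature-verified ID token payload (verify the RS256
    signature against <issuer>/v1/keys before trusting any claim). Returns the
    email JAMS IMES would look up, or raises ValueError."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:          # exact string match, no normalising
        raise ValueError("issuer mismatch: %r != %r" % (claims.get("iss"), issuer))
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued to this client_id")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: replayed token or wrong session")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not claims.get("email"):
        raise ValueError("no email claim: check the scopes include 'email'")
    return claims["email"]


if __name__ == "__main__":
    url, session = build_authorize_request(ISSUER, CLIENT_ID, REDIRECT_URI, SCOPES)
    print(url)
    # Constructed stand-ins for what Okta would send back after the Step 6 login
    code = parse_callback(REDIRECT_URI + "?code=abc123&state=" + session["state"], session)
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "nonce": session["nonce"],
              "exp": time.time() + 3600, "email": "alice@example.com"}
    print(code, validate_id_token_claims(claims, ISSUER, CLIENT_ID, session["nonce"]))
```

Between parse_callback and validate_id_token_claims the relying party posts the code, the stored code_verifier and the client secret to the authorization server's /v1/token endpoint; that exchange is not shown here. The issuer comparison is deliberately a plain string equality: a configured value of https://<yourorg>.okta.com and a token issued by .../oauth2/default fail it, which is the behaviour the gotchas below describe.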

Step 7: (Optional) Enforce SSO

Once you've confirmed SSO works for at least one admin, you can flip Enforce SSO on. See the SSO overview for what this changes and the safety check before doing it.

Common Okta-specific gotchas

Problem: sso_idp_rejected
  Cause: the Sign-in redirect URI in Okta doesn't match the one JAMS IMES sends.
  Fix: the most common issue. Okta compares the URI exactly, so check that the scheme (https), host, path and any trailing slash are identical to the redirect URI shown on the JAMS IMES /integrations/sso page.

Problem: the user authenticates in Okta but gets user_not_provisioned
  Cause: the email in Okta differs from the email of the JAMS IMES user.
  Fix: compare both. Case differences are fine, but a typo or an alias (a different address that delivers to the same inbox) won't match.

Problem: sign-in succeeds in Okta but never returns to JAMS IMES
  Cause: Okta's sign-on policy for the app requires an MFA factor the user hasn't enrolled.
  Fix: either enrol the user in MFA in Okta (preferred, since it keeps the assurance level), or relax the policy for this app (Security → Authentication Policies in Okta Identity Engine orgs, Security → Authentication → Sign On in Classic orgs). Relaxing it weakens every JAMS IMES login, not just the test.

Problem: JAMS IMES says the Issuer URL is invalid
  Cause: it probably has /.well-known/openid-configuration appended.
  Fix: strip that; JAMS IMES appends it automatically. The issuer is https://<org>.okta.com/oauth2/default, not .../oauth2/default/.well-known/openid-configuration.
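A pre-flight check for the values from Step 3 and Step 5 that catches the redirect-URI, email and issuer problems in the table above before the first login attempt. This is an added Python example, not part of JAMS IMES or Okta; the discovery document, the registered URIs and the pasted configuration are constructed samples for a hypothetical org, and the checks encode the exact-match rules stated above (Okta matches redirect URIs byte-for-byte, OIDC Discovery requires the metadata issuer to equal the configured issuer, email comparison is case-insensitive only).

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"


def normalize_issuer(value: str) -> str:
    """Return the exact issuer string Okta puts in the iss claim: https only,
    no pasted discovery suffix, no trailing slash."""
    v = value.strip()
    if v.endswith(WELL_KNOWN):
        v = v[: -len(WELL_KNOWN)]
    v = v.rstrip("/")
    if urlsplit(v).scheme != "https":
        raise ValueError("issuer must be an https URL, got %r" % value)
    return v


def check_discovery(issuer: str, discovery: dict) -> list:
    """Compare the configured issuer and the scopes JAMS IMES requests against
    the metadata Okta serves at <issuer>/.well-known/openid-configuration.
    OIDC Discovery requires the metadata issuer to equal the URL it was
    fetched from; a mismatch means every ID token will fail the iss check."""
    problems = []
    if discovery.get("issuer") != issuer:
        problems.append("metadata issuer %r != configured %r" % (discovery.get("issuer"), issuer))
    if "authorization_code" not in discovery.get("grant_types_supported", []):
        problems.append("authorization_code grant not offered by this server")
    missing = [s for s in ("openid", "profile", "email")
               if s not in discovery.get("scopes_supported", [])]
    if missing:
        problems.append("scopes not offered: %s" % ", ".join(missing))
    return problems


def check_redirect_uri(registered: list, app_uri: str):
    """Okta matches sign-in redirect URIs exactly. Returns None when the app's
    URI is registered, else a message naming the near-miss that would surface
    as sso_idp_rejected."""
    if app_uri in registered:
        return None
    a = urlsplit(app_uri)
    for r in registered:
        b = urlsplit(r)
        if a.scheme != b.scheme and a[1:] == b[1:]:
            return "scheme differs: Okta has %r, app sends %r" % (r, app_uri)
        if r.rstrip("/") == app_uri.rstrip("/"):
            return "trailing slash differs: Okta has %r, app sends %r" % (r, app_uri)
    return "%r is not among Okta's sign-in redirect URIs %r" % (app_uri, registered)


def emails_match(okta_email: str, app_email: str) -> bool:
    """Case-insensitive comparison. Anything else (alias, typo) is a mismatch
    and surfaces as user_not_provisioned."""
    return okta_email.strip().lower() == app_email.strip().lower()


def preflight(config: dict, discovery: dict, registered_uris: list) -> list:
    """Run every check against the values entered on the JAMS IMES SSO page
    and return the list of problems (empty means ready to test)."""
    try:
        issuer = normalize_issuer(config["issuer_url"])
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if issuer != config["issuer_url"]:
        problems.append("issuer normalised to %r; save that value in JAMS IMES" % issuer)
    problems += check_discovery(issuer, discovery)
    redirect_problem = check_redirect_uri(registered_uris, config["redirect_uri"])
    if redirect_problem:
        problems.append(redirect_problem)
    return problems


# Constructed sample data, not from a real org: what an admin pasted into
# JAMS IMES, what Okta's discovery document contains for the default server,
# and the sign-in redirect URIs registered on the Okta app (note the slash).
SAMPLE_CONFIG = {
    "issuer_url": "https://example-org.okta.com/oauth2/default/.well-known/openid-configuration",
    "redirect_uri": "https://notiphone-example.example.com/auth/sso/callback",
}
SAMPLE_DISCOVERY = {
    "issuer": "https://example-org.okta.com/oauth2/default",
    "authorization_endpoint": "https://example-org.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example-org.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://example-org.okta.com/oauth2/default/v1/keys",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}
SAMPLE_REGISTERED = ["https://notiphone-example.example.com/auth/sso/callback/"]

if __name__ == "__main__":
    for problem in preflight(SAMPLE_CONFIG, SAMPLE_DISCOVERY, SAMPLE_REGISTERED):
        print("-", problem)
```

Against the sample data the script reports two problems: the pasted issuer carried the discovery suffix, and the URI registered in Okta has a trailing slash the app's redirect URI lacks. In real use, fetch the discovery document from the normalised issuer and read the registered URIs off the Okta app's General tab.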

What's next

  • Inviting Users into JAMS IMES (they need to exist before SSO works; there is no JIT provisioning)
  • SSO overview for the error-code reference table