Okta is one of the most common dedicated identity providers. Setup is ~10 minutes via the Okta Admin Console.
Before you start
- Admin access in your Okta org (you need to create OIDC applications).
- Admin access in JAMS IMES.
- The JAMS IMES Redirect URI from your /integrations/sso page. Keep this tab open.
Step 1: Create the OIDC application
- Sign in to your Okta Admin Console (the URL looks like https://<yourorg>-admin.okta.com).
- Left sidebar → Applications → Applications → Create App Integration.
- Pick:
- Sign-in method: OIDC - OpenID Connect
- Application type: Web Application
- Click Next.
Step 2: Configure the application
Fill in:
| Field | Value |
|---|---|
| App integration name | JAMS IMES (or any name; users won't see this) |
| Grant type | Check Authorization Code. Uncheck everything else. |
| Sign-in redirect URIs | Paste the URL from JAMS IMES's /integrations/sso page (looks like https://notiphone-.../auth/sso/callback) |
| Sign-out redirect URIs | Optional. You can paste your JAMS IMES frontend root URL (e.g. https://notiphone-web-.../login). |
| Controlled access / Assignments | Pick Skip group assignment for now if you want to assign users later, or Allow everyone in your organization to access if your whole Okta org should be able to sign in to JAMS IMES. |
Click Save.
Step 3: Capture the credentials
After you save, you land on the app's General tab. Note these values:
- Client ID: a long alphanumeric string. It goes into JAMS IMES's Client ID field.
- Client Secret: click Show or Copy under the Client Secret field. Store it in a password manager.
For the Issuer URL in JAMS IMES, you need your Okta org's base URL. Two options:
- Default authorization server: https://<yourorg>.okta.com/oauth2/default
- Custom authorization server: if you've set one up, use its issuer URL from Security → API → Authorization Servers.
Most teams use the default authorization server. If unsure, use that.
Tip: copy the issuer URL straight from Okta. Go to Security → API → Authorization Servers, click your authorization server (usually called "default"), and copy the Issuer URI field exactly as shown.
Step 4: Assign users to the application
Even if you picked "allow everyone" in Step 2, double-check that the user you'll test with has access:
- Open the JAMS IMES app in Okta and go to the Assignments tab.
- Confirm the test user (or a group they belong to) is listed.
- If not, click Assign → Assign to People or Assign to Groups and add them.
Users without an assignment can authenticate to Okta, but Okta won't let them through to JAMS IMES; they'll see "Access denied" before the redirect back.
Step 5: Configure JAMS IMES
Open JAMS IMES → /integrations/sso. Fill in:
| Field | Value |
|---|---|
| Configuration name | Okta (this is the label on the login button) |
| Issuer URL | https://<yourorg>.okta.com/oauth2/default (or your custom server's issuer URI) |
| Client ID | from Step 3 |
| Client Secret | from Step 3 |
| Scopes | leave default openid profile email |
| Claim mappings | leave the defaults; Okta uses the standard claim names |
| Enforce SSO | leave OFF for first test |
Click Save Configuration.
Step 6: Test the flow
- Open an incognito window.
- Go to /login and enter the email of a JAMS IMES user who is also an Okta-assigned user.
- Click Continue → you should see Continue with Okta.
- Click it → you're taken to the Okta sign-in page → authenticate.
- You should land on the JAMS IMES dashboard, signed in.
Step 7 (optional): Enforce SSO
Once you've confirmed SSO works for at least one admin, you can flip Enforce SSO on. See the SSO overview for what this changes and the safety check before doing it.
Common Okta-specific gotchas
| Problem | Cause | Fix |
|---|---|---|
| sso_idp_rejected | Sign-in redirect URI doesn't match | Most common issue. Check that Okta's URI matches JAMS IMES's redirect URI EXACTLY (including https and any trailing slash). |
| User authenticates but user_not_provisioned | Email in Okta differs from email in JAMS IMES | Check both; case differences are fine, but a typo or an alias won't work. |
| Sign-in succeeds in Okta but never returns | Okta's "Sign-on Policy" requires MFA you don't have set up | Either set up MFA in Okta, or relax the policy for this app (Admin → Security → Authentication → Sign-on Policy). |
| Issuer URL field says it's invalid in JAMS IMES | Probably has /.well-known/openid-configuration appended | Strip it; JAMS IMES adds it automatically. The issuer is https://<org>.okta.com/oauth2/default, not .../oauth2/default/.well-known/openid-configuration. |
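The two gotchas above (issuer URL with the discovery suffix appended, and a redirect URI that differs by a character) can be caught before you click Save Configuration. The script below is an added pre-flight check, not part of JAMS IMES or Okta; the `example-org` issuer and the discovery document are constructed placeholders, and `fetch_discovery` is the only part that touches the network.

```python
"""Pre-flight checks for the Okta issuer URL and redirect URI (hypothetical helper)."""
import json
import urllib.request
from typing import List, Optional

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample shaped like Okta's discovery document; real values differ.
SAMPLE_DISCOVERY = {
    "issuer": "https://example-org.okta.com/oauth2/default",
    "authorization_endpoint": "https://example-org.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example-org.okta.com/oauth2/default/v1/token",
}


def normalize_issuer(url: str) -> str:
    """Return the bare issuer: strip the discovery suffix and any trailing slash."""
    url = url.strip()
    if url.endswith(WELL_KNOWN):
        url = url[: -len(WELL_KNOWN)]
    return url.rstrip("/")


def fetch_discovery(issuer: str) -> dict:
    """Fetch the discovery document the way an OIDC client does (needs network)."""
    with urllib.request.urlopen(normalize_issuer(issuer) + WELL_KNOWN, timeout=10) as resp:
        return json.load(resp)


def check_issuer(configured: str, discovery: dict) -> List[str]:
    """Return a list of problems; an empty list means the value is usable as-is."""
    problems = []
    if configured.strip().endswith(WELL_KNOWN):
        problems.append("issuer has the discovery suffix appended; JAMS IMES adds it itself")
    # OIDC clients reject tokens whose iss claim differs from the configured issuer,
    # so the configured value must equal the server's own issuer field exactly.
    if normalize_issuer(configured) != discovery.get("issuer"):
        problems.append(f"issuer mismatch: configured {normalize_issuer(configured)!r}, "
                        f"server reports {discovery.get('issuer')!r}")
    return problems


def redirect_uri_diff(okta_uri: str, jams_uri: str) -> Optional[str]:
    """None if the URIs are identical; otherwise name the first difference found."""
    if okta_uri == jams_uri:
        return None
    if okta_uri.lower() == jams_uri.lower():
        return "differs only in case"
    if okta_uri.rstrip("/") == jams_uri.rstrip("/"):
        return "differs by trailing slash"
    if okta_uri.replace("http://", "https://", 1) == jams_uri.replace("http://", "https://", 1):
        return "differs by scheme (http vs https)"
    return "differs in host or path"
```

Run `check_issuer(your_issuer, fetch_discovery(your_issuer))` against your real org to confirm the value you are about to paste into JAMS IMES matches what Okta reports.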
What's next
- Inviting Users into JAMS IMES (they need to exist before SSO works; there is no JIT provisioning)
- SSO overview for the error-code reference table