# Okta

## Prerequisites

Ensure you have access to the following:

* An active Open Loyalty instance.
* Administrator access to your Okta tenant.
* Basic understanding of OIDC and SSO concepts.

## Step-by-Step Configuration

### Verify Settings in Open Loyalty

{% stepper %}
{% step %}

#### Verify Admin Email Addresses

Ensure that the email address you want to use for SSO login does not already exist in the Open Loyalty portal.

{% hint style="danger" %}
If an email address for the admin already exists in Open Loyalty, the SSO login will not function for that account. To enable SSO for a user, ensure there are no conflicts.

For instance, you could deactivate admin users logging in with email and password, update their email addresses by adding a suffix (e.g., "-old"), and then ask the admin users to log in via SSO.
{% endhint %}
{% endstep %}

{% step %}

#### Configure the Default Role

1. Log in to the Open Loyalty admin panel.
2. Go to **Settings** > **Roles**.
3. Choose the role you want to set as a default role. Click on **Edit**.
4. Set a **Default Role** for new users logging in through SSO. This role will be assigned to newly created users and can be changed later if needed.

<figure><img src="https://123136216-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FgIv2CyIIYf7vRfuhMKQ6%2Fuploads%2F457yU5IYhDwkgODc1cS9%2Fimage.png?alt=media&#x26;token=35567864-74ce-4aeb-bf72-fd31129332bd" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

### Configure Okta

{% stepper %}
{% step %}

#### **Sign in to Okta Admin Console**

Navigate to `https://your-domain.okta.com` and log in with an administrator account.
{% endstep %}

{% step %}

#### **Create a New Application Integration**

* In the Admin Console, go to **Applications** > **Applications**.
* Click **Create App Integration**.
* Choose:
  * **Sign-in method**: `OIDC - OpenID Connect`
  * **Application type**: `Single-Page Application`
* Click **Next**.
{% endstep %}

{% step %}

#### **Configure the Application**

* **App integration name**: (e.g. Open Loyalty)
* **Sign-in redirect URIs**:
  * `https://your-production-domain.com/login/callback` *(or your production redirect URI)*
* **Sign-out redirect URIs** (optional):
  * `https://your-production-domain.com`
* **Assign Users to the Application**
  * In the **Assignments** tab of the application, click **Assign**.
  * Choose **Assign to People** or **Assign to Groups**.
  * Select the users or groups who should have access to the application.
* Click **Save**.
{% endstep %}
{% endstepper %}

### Share Details with Open Loyalty

{% stepper %}
{% step %}

#### Share SSO Details with Open Loyalty

* Provide the Open Loyalty team with the following details:
  * **Client ID**
  * **Sign-in redirect URIs**
  * **Sign-out redirect URIs**
* The Open Loyalty team will enable SSO using the provided details.
{% endstep %}

{% step %}

#### Test the Integration

1. Use the **Continue with OIDC** button on the login page.
2. Authenticate with OIDC using a user account.
3. Verify that the user is successfully logged in and has been assigned the default role.

<figure><img src="https://123136216-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FgIv2CyIIYf7vRfuhMKQ6%2Fuploads%2FvxOqDI90ofHNUVr3tdnD%2Fimage.png?alt=media&#x26;token=dce209fd-f0c2-42ad-bc0c-6bc11cf9ed10" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}
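Two checks in this guide lend themselves to a small script: the admin-email conflict check from the first step (an existing email blocks SSO login, and the guide suggests renaming the old account with a suffix such as "-old"), and the troubleshooting advice to double-check the Client ID and URLs when the test login fails. The following Python is an added example, not code from Open Loyalty or Okta. It assumes placeholder values for the Okta domain, Client ID and admin emails (all constructed), and the sample ID token is built unsigned for offline demonstration; a real ID token must have its signature verified against Okta's JWKS, which Open Loyalty does server-side. The `expected_issuer` must match the authorization server the app uses (the org server `https://your-domain.okta.com` is assumed here).

```python
# Added example (not Open Loyalty or Okta code): pre-flight checks for an
# Okta OIDC SSO rollout. All values below are constructed placeholders.
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_email_conflicts(existing_admins, sso_emails, suffix="-old"):
    """Return {sso_email: renamed_local_account} for every conflicting email.

    An admin whose email already exists in Open Loyalty cannot log in via SSO,
    so the guide suggests renaming the local account with a suffix first.
    Comparison is case-insensitive (assumption: the IdP treats emails that way).
    """
    existing = {e.strip().lower() for e in existing_admins}
    conflicts = {}
    for email in sso_emails:
        key = email.strip().lower()
        if key in existing:
            local, _, domain = key.partition("@")
            conflicts[key] = f"{local}{suffix}@{domain}"
    return conflicts


def inspect_id_token_claims(id_token, expected_issuer, expected_client_id, now=None):
    """Decode an ID token's claims and return a list of problems (empty = OK).

    Checks iss (Okta domain), aud (Client ID), exp and the email claim, which
    are the values to re-check when the test login fails. Signature is NOT
    verified here; that is done against Okta's JWKS by the relying party.
    """
    now = time.time() if now is None else now
    try:
        _header_b64, payload_b64, _sig = id_token.split(".")
    except ValueError:
        return ["token is not a three-part JWT"]
    claims = json.loads(_b64url_decode(payload_b64))
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss mismatch: {claims.get('iss')!r} != {expected_issuer!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_client_id not in aud_list:
        problems.append(f"aud does not contain Client ID {expected_client_id!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if not claims.get("email"):
        problems.append("no email claim; Open Loyalty needs it to match or create the admin")
    return problems


def build_unsigned_token(claims):
    """Constructed, unsigned JWT (alg none) used only for this offline demo."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# ---- constructed sample data (placeholders, not real tenants or accounts) ----
OKTA_ISSUER = "https://your-domain.okta.com"   # placeholder Okta domain
CLIENT_ID = "0oaPLACEHOLDERclientid"            # placeholder Client ID
EXISTING_ADMINS = ["alice@example.com", "Bob@example.com"]
SSO_USERS = ["alice@example.com", "carol@example.com"]
SAMPLE_TOKEN = build_unsigned_token({
    "iss": OKTA_ISSUER,
    "aud": CLIENT_ID,
    "sub": "00uPLACEHOLDER",
    "email": "carol@example.com",
    "exp": 4102444800,  # constructed far-future expiry (2100-01-01)
})

if __name__ == "__main__":
    print("email conflicts:", check_email_conflicts(EXISTING_ADMINS, SSO_USERS))
    print("token problems:", inspect_id_token_claims(SAMPLE_TOKEN, OKTA_ISSUER, CLIENT_ID))
```

Run the conflict check before enabling SSO and the claim inspection after the first test login; a non-empty problem list points at the same Client ID or URL mismatch the troubleshooting section describes.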

## Notes

* Ensure that the **Default Role** is configured appropriately to avoid granting unintended permissions to new users.
* If an email address already exists in Open Loyalty, the SSO login will not work for that account. Ensure there are no conflicts before enabling SSO for a user.

## Troubleshooting

* If login fails, double-check the URLs (Okta domain and redirect URIs) and the Client ID configuration.
* Ensure the callback URL is correctly set in Okta.
* Verify that the Okta application has been configured to allow the Open Loyalty URL.
