Okta SSO Setup

Setting up Okta as your identity provider for WISdom SSO requires configuration in both Okta and WISdom. The Okta side involves creating an OIDC-compliant application, configuring trust settings, and collecting endpoint values. The WISdom side involves entering those values into the SSO configuration wizard.

WISdom supports two authentication flows: Authorization Code and Authorization Code with PKCE (Proof Key for Code Exchange). The flow you choose affects how you configure the Okta application and which fields are required in WISdom.

For detailed steps within Okta, refer to Okta's documentation for your selected flow: Authorization Code or Authorization Code with PKCE.

Setup Sequence

  1. Create a new Okta application for WISdom
  2. Configure the token issuer
  3. Configure trusted origins
  4. Retrieve endpoint values
  5. Configure SSO in WISdom

Step 1 — Create a New Okta Application

The application type and credential requirements differ depending on which flow you are using.

  1. Log in to the Okta Admin Console.
  2. In the left navigation menu, select Applications › Applications.
  3. Select Create App Integration.
  4. For Sign-in Method, select OIDC - OpenID Connect.
  5. For Application Type, select based on your flow:
    • Authorization Code — select Web Application
    • PKCE — select Single-Page Application
  6. Select Next.
  7. Enter a name for the application. We recommend WISdom or Fortified WISdom.
  8. Under Grant Type, confirm Authorization Code is selected.
PKCE

Enable Require PKCE as additional verification (DPoP). This option is required for the PKCE flow.

  9. Under Sign-in redirect URIs, add both of the following:
    • https://app.fortifiedwisdom.com/bff/v1/oauth/oidc-callback
    • https://app.fortifiedwisdom.com/login
  10. Under Sign-out redirect URIs, add:
    • https://app.fortifiedwisdom.com/logout
  11. Under Assignments, assign the group that will access WISdom, or leave Everyone as the default.

WISdom Access

Users must have an account configured in WISdom to log in, regardless of group assignment in Okta.

  12. Select Save.

Collect Client Credentials

After saving, Okta displays the application's General tab. Copy and save the following:

  • Client ID — required for both flows
  • Client Secret — required for Authorization Code only; PKCE does not generate a client secret

Step 2 — Configure Static Token Issuer

WISdom requires a static token issuer URL to validate SSO tokens. By default, Okta may be set to use a dynamic issuer.

  1. In the Okta Admin Console, go to Security › API.
  2. Select your authorization server.
  3. Under Settings, set the Issuer to use the Org URL (static) rather than a dynamic value.
  4. Save the change.

Step 3 — Configure Trusted Origins

WISdom must be added as a trusted origin in Okta to allow CORS and redirect behavior.

  1. In the Okta Admin Console, go to Security › API.
  2. Select the Trusted Origins tab.
  3. Select Add Origin.
  4. Enter a name. We recommend WISdom or Fortified WISdom.
  5. Enter the WISdom URL: https://app.fortifiedwisdom.com
  6. Under Choose Type, select both CORS and Redirect.
  7. Select Save.

Step 4 — Retrieve Endpoint Values

Navigate to your Okta OpenID Connect metadata document using your account's domain:

https://[YOUR-OKTA-DOMAIN]/.well-known/openid-configuration

From the JSON output, copy the following values:

| Field in WISdom | Metadata document key |
| --- | --- |
| Authentication URL | authorization_endpoint |
| Token URL | token_endpoint |
| Public Key URL | jwks_uri |
| Token Issuer | issuer |
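
A check for the values collected in Step 4, added here as an example and not part of WISdom or Okta: it maps the metadata keys to the WISdom fields and flags an issuer that does not match the Org URL. The function name, the same-host rule and the placeholder domain example.okta.com are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# WISdom field -> metadata document key, as listed in the Step 4 table.
FIELD_MAP = {
    "Authentication URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Public Key URL": "jwks_uri",
    "Token Issuer": "issuer",
}

def extract_wisdom_values(metadata_json, okta_domain, pkce=False):
    """Return (values, problems) for an OpenID Connect metadata document."""
    meta = json.loads(metadata_json)
    domain = okta_domain.lower()
    values, problems = {}, []
    for field, key in FIELD_MAP.items():
        if meta.get(key):
            values[field] = meta[key]
        else:
            problems.append(f"missing key: {key}")
    # OIDC Discovery requires the issuer to equal the URL prefix the document
    # was fetched from; here that is assumed to be the static Org URL.
    issuer = values.get("Token Issuer")
    if issuer and issuer.rstrip("/") != f"https://{domain}":
        problems.append(f"issuer {issuer!r} != 'https://{domain}'")
    # Assumption of this example: every value is HTTPS on the Okta domain.
    for field, url in values.items():
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname != domain:
            problems.append(f"{field} is not on https://{domain}: {url}")
    # For the PKCE tab, the server should advertise the S256 challenge method.
    if pkce and "S256" not in meta.get("code_challenge_methods_supported", []):
        problems.append("S256 not in code_challenge_methods_supported")
    return values, problems

# Constructed sample document; example.okta.com is a placeholder domain.
SAMPLE = json.dumps({
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "code_challenge_methods_supported": ["S256"],
})

if __name__ == "__main__":
    values, problems = extract_wisdom_values(SAMPLE, "example.okta.com", pkce=True)
    print(values)
    print("problems:", problems or "none")
```

To run it against a real tenant, save the JSON from the metadata URL to a file and pass its contents in place of SAMPLE.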

Step 5 — Configure SSO in WISdom

  1. Go to Admin Console › Integration › Integrations.
  2. Under Available Apps, select SSO.
  3. In the Connect SSO dialog, select either the Authorization Code or PKCE tab depending on the flow you are using.
  4. Complete the fields on the first page:

| Field | Required | Value |
| --- | --- | --- |
| Name | Yes | A display name for this SSO configuration |
| Issuer | Yes | issuer value from the metadata document |
| Audience | No | The aud value from your JWT, if required by your organization |
| Authentication Client ID | Yes | Client ID from the Okta application General tab |
| Authentication Client Secret | Authorization Code only | Client Secret from the Okta application General tab |

PKCE

The Authentication Client Secret field is not shown when PKCE is selected. Okta does not generate a client secret for Single-Page Application integrations.

  5. Select Continue.
  6. Complete the fields on the second page:

| Field | Required | Value |
| --- | --- | --- |
| Authentication Endpoint | Yes | authorization_endpoint from the metadata document |
| Token Endpoint | Yes | token_endpoint from the metadata document |
| Public Key Endpoint | Yes | jwks_uri from the metadata document |
| Logout Endpoint | No | Your organization's logout URL, if applicable |

  7. Select Test connection to validate the configuration.
  8. If the test succeeds, select Save.

Important:

Saving the configuration immediately switches all users to the configured SSO at their next login. If any accounts should not use SSO, create a ticket with the WISdom support team so those accounts can be reverted to Auth0 authentication. Send the support request, including the account names, to: WISdomSupport@Fortified.com.
