Setting up Okta as your identity provider for WISdom SSO requires configuration in both Okta and WISdom. The Okta side involves creating an OIDC-compliant application, configuring trust settings, and collecting endpoint values. The WISdom side involves entering those values into the SSO configuration wizard.
WISdom supports two authentication flows: Authorization Code and Authorization Code with PKCE (Proof Key for Code Exchange). The flow you choose affects how you configure the Okta application and which fields are required in WISdom.
For detailed steps within Okta, refer to Okta's documentation for your selected flow: Authorization Code or Authorization Code with PKCE.
Setup Sequence
- Create a new Okta application for WISdom
- Configure the token issuer
- Configure trusted origins
- Retrieve endpoint values
- Configure SSO in WISdom
Step 1 — Create a New Okta Application
The application type and credential requirements differ depending on which flow you are using.
- Log in to the Okta Admin Console.
- In the left navigation menu, select Applications › Applications.
- Select Create App Integration.
- For Sign-in Method, select OIDC - OpenID Connect.
- For Application Type, select based on your flow:
  - Authorization Code — select Web Application
  - PKCE — select Single-Page Application
- Select Next.
- Enter a name for the application. We recommend WISdom or Fortified WISdom.
- Under Grant Type, confirm Authorization Code is selected.
Enable Require PKCE as additional verification (DPoP). This option is required for the PKCE flow.
- Under Sign-in redirect URIs, add both of the following:
https://app.fortifiedwisdom.com/bff/v1/oauth/oidc-callback
https://app.fortifiedwisdom.com/login
- Under Sign-out redirect URIs, add:
https://app.fortifiedwisdom.com/logout
- Under Assignments, assign the group that will access WISdom, or leave Everyone as the default.
Users must have an account configured in WISdom to log in, regardless of group assignment in Okta.
- Select Save.
Collect Client Credentials
After saving, Okta displays the application's General tab. Copy and save the following:
- Client ID — required for both flows
- Client Secret — required for Authorization Code only; PKCE does not generate a client secret
Step 2 — Configure Static Token Issuer
WISdom requires a static token issuer URL to validate SSO tokens. By default, Okta may be set to use a dynamic issuer.
- In the Okta Admin Console, go to Security › API.
- Select your authorization server.
- Under Settings, set the Issuer to use the Org URL (static) rather than a dynamic value.
- Save the change.
Step 3 — Configure Trusted Origins
WISdom must be added as a trusted origin in Okta to allow CORS and redirect behavior.
- In the Okta Admin Console, go to Security › API.
- Select the Trusted Origins tab.
- Select Add Origin.
- Enter a name. We recommend WISdom or Fortified WISdom.
- Enter the WISdom URL:
https://app.fortifiedwisdom.com
- Under Choose Type, select both CORS and Redirect.
- Select Save.
Step 4 — Retrieve Endpoint Values
Navigate to your Okta OpenID Connect metadata document using your account's domain:
https://[YOUR-OKTA-DOMAIN]/.well-known/openid-configuration
From the JSON output, copy the following values:
| Field in WISdom | Metadata document key |
|---|---|
| Authentication URL | authorization_endpoint |
| Token URL | token_endpoint |
| Public Key URL | jwks_uri |
| Token Issuer | issuer |
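As an added example (not part of the WISdom or Okta documentation), the following Python script reads a metadata document, maps the four keys in the table above to their WISdom fields, and checks that the issuer is the static Org URL required in Step 2 and that every endpoint lives on that same host. The tenant domain and the sample metadata are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# WISdom SSO wizard field -> key in Okta's /.well-known/openid-configuration
FIELD_TO_METADATA_KEY = {
    "Token Issuer": "issuer",
    "Authentication URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Public Key URL": "jwks_uri",
}


def extract_wisdom_values(metadata: dict) -> dict:
    """Pull the four values WISdom needs out of the parsed metadata JSON.
    A missing key raises KeyError so a wrong or truncated document is
    caught before values are typed into the wizard."""
    values = {}
    for field, key in FIELD_TO_METADATA_KEY.items():
        if key not in metadata:
            raise KeyError(f"no '{key}' in metadata (WISdom field '{field}')")
        values[field] = metadata[key]
    return values


def check_static_issuer(values: dict, expected_okta_domain: str) -> list:
    """Return a list of problems (empty when consistent). The issuer must
    be https on the expected Okta domain (the static Org URL from Step 2),
    and each endpoint must be on the issuer's host; a dynamic issuer or a
    value pasted from another tenant would fail token validation."""
    problems = []
    issuer = urlparse(values["Token Issuer"])
    if issuer.scheme != "https":
        problems.append("issuer is not https")
    if issuer.hostname != expected_okta_domain:
        problems.append(f"issuer host {issuer.hostname!r} != {expected_okta_domain!r}")
    for field in ("Authentication URL", "Token URL", "Public Key URL"):
        host = urlparse(values[field]).hostname
        if host != issuer.hostname:
            problems.append(f"{field} host {host!r} differs from issuer host")
    return problems


# Constructed sample metadata (placeholder tenant, not a real domain),
# shaped like the keys this check reads from the real document.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://example-tenant.okta.com",
  "authorization_endpoint": "https://example-tenant.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://example-tenant.okta.com/oauth2/v1/token",
  "jwks_uri": "https://example-tenant.okta.com/oauth2/v1/keys"
}""")
```

Run `extract_wisdom_values` on the real document fetched from your tenant's metadata URL and pass your Okta domain to `check_static_issuer` before entering the values in Step 5.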
Step 5 — Configure SSO in WISdom
- Go to Admin Console › Integration › Integrations.
- Under Available Apps, select SSO.
- In the Connect SSO dialog, select either the Authorization Code or PKCE tab depending on the flow you are using.
- Complete the fields on the first page:
| Field | Required | Value |
|---|---|---|
| Name | Yes | A display name for this SSO configuration |
| Issuer | Yes | issuer value from the metadata document |
| Audience | No | The aud value from your JWT, if required by your organization |
| Authentication Client ID | Yes | Client ID from the Okta application General tab |
| Authentication Client Secret | Authorization Code only | Client Secret from the Okta application General tab |
The Authentication Client Secret field is not shown when PKCE is selected. Okta does not generate a client secret for Single-Page Application integrations.
- Select Continue.
- Complete the fields on the second page:
| Field | Required | Value |
|---|---|---|
| Authentication Endpoint | Yes | authorization_endpoint from the metadata document |
| Token Endpoint | Yes | token_endpoint from the metadata document |
| Public Key Endpoint | Yes | jwks_uri from the metadata document |
| Logout Endpoint | No | Your organization's logout URL, if applicable |
- Select Test connection to validate the configuration.
- If the test succeeds, select Save.
Saving the configuration immediately switches all users to the configured SSO at their next login. If some accounts should not use SSO, open a ticket with the WISdom support team so those accounts can be reverted to Auth0 authentication. Send the support request with the account names to: WISdomSupport@Fortified.com.