## Create OIDC application with Okta

This guide outlines the steps to create and configure an OIDC application in Okta, including setup, user assignments, and metadata submission.

### Step 1: Create OIDC Integration

1. Log in to your Okta Application Dashboard and click **Applications** in the sidebar.

   ![okta](/assets/oidc-okta-1.e8f4a323db28e24242b85b6728a8be995abe1f8c53895270ff733536e9c8d2ad.dba07de7.png)

2. Click **Create App Integration**.

   ![okta](/assets/oidc-okta-2.eada7e7ad459efad10841ef1b0cd0e2466ad5e7f759faae6d6deeb118a4b3551.dba07de7.png)

3. Click **Create New App** and choose **OIDC - OpenID Connect** as the Sign-in method. Then, click **Next**.

   ![okta](/assets/oidc-okta-3.477d6a5902f36b04750e382b59f74289f7710942f105c43678b3df3bf865173f.dba07de7.png)

4. Select **Web Application** as the Application type, then click **Next**.

   ![okta](/assets/oidc-okta-4.d95d6dd21a159eb0a4a2b1d497cd2880923c9429e0ec4c3992d804db5e611d56.dba07de7.png)

### Step 2: Configure OIDC App

1. Enter the name of your application:

   ![okta](/assets/oidc-okta-5.fbbf7f16a7bc684670f3f810c3e0707173dfbb4448a197b8685e7c881e2c25cc.dba07de7.png)

2. Make sure to select **Client Credentials** if the client is acting on its own behalf.

   ![okta](/assets/oidc-okta-6.974ff7ab9ac5a5e78a3bc66c65def318811c86aef4374a459f6cb6060940dce0.dba07de7.png)

3. Fill in the **Sign-in redirect URI** and the **Sign-out redirect URI**.

   ![okta](/assets/oidc-okta-7.eb24881b464dd79d3cb3989b47c07e0c322862fcac3f84c6cb0455c2b9fd282b.dba07de7.png)

   ![okta](/assets/oidc-okta-8.ed1bccde5aa35e2b05373fe1d930b9109600a0071ab15dd95f8c5d25d2a16499.dba07de7.png)

### Step 3: Add users to OIDC app

To test SSO authentication, you first need to assign your Okta OIDC app to groups.

1. Scroll to the **Assignments** tab of the app and then select **Limit access to selected groups**.

   ![okta](/assets/oidc-okta-9.726aea77ed540517e449ac49f2a0cdadebeb2ac626833933c9db89eb3e59c3b0.dba07de7.png)

2. Locate the specific group(s) you wish to assign to the app and click **Assign** next to each of them. Once finished, click **Save**.

### Step 4: Provide your Issuer URL

To connect your identity provider's OIDC configuration with the application, provide your issuer URL.

#### Custom Domain as issuer URL

1. In your Okta Application Dashboard, go to **Domain** under **Customizations** in the sidebar.
2. Locate the **Custom Domain** under the **Redirect URL**.
3. Copy the **Custom Domain**.

   ![okta](/assets/oidc-okta-12.8e198bcc2a92e32ab4a53fb8346c352b0afacc8caa218c67d82d3431c8922e25.dba07de7.png)

4. Paste the URL below.

   ![okta](/assets/oidc-okta-11.192b7a827d6fdaf65f8eb03464e2493f0821c728c3f7b7c06678d9c116d93811.dba07de7.png)

**Valid URL:** If the issuer URL is correct, it will show a green checkmark; if not, ensure the URL is valid and try again.

#### Okta Domain as issuer URL

1. Click on the **Account** button on the top-right corner of the OIDC app you just created.
2. Locate the **Okta Domain** inside the popup `(Ex: "dev-[APP_ID].okta.com")`.
3. Click the **Copy** button.

   ![okta](/assets/oidc-okta-10.f2b36e62f362cf4a98a463586d1029c777a3c058dc5719aea38379a919e9e246.dba07de7.png)

4. Paste the URL below.

   ![okta](/assets/oidc-okta-11.192b7a827d6fdaf65f8eb03464e2493f0821c728c3f7b7c06678d9c116d93811.dba07de7.png)

**Valid URL:** If the issuer URL is correct, it will show a green checkmark; if not, ensure the URL is valid and try again.

### Step 5: Submit Identity Provider Config

To connect your identity provider's OIDC configuration with the application:

1. Click on the **General** tab of the OIDC app you just created.
2. Locate the **Client ID** under the **Client Credentials**.
3. Locate the **Secret Key** under the **Client Secrets**.
4. Copy both values, then paste them below.

   ![okta](/assets/oidc-okta-13.9f7cb680e48c44a05048e87f7a6cebd4e81c6b7373eb6e3662d1fcbd9d39245d.dba07de7.png)

   ![okta](/assets/oidc-okta-14.2bd54de5e2c8e3ef54dbf26a39b61f73f11afd50f2ffbae693bdb380348cc03e.dba07de7.png)

### Step 6: Proceed with domain claiming and role assignment

1. Click on **Proceed with domain claiming and role assignment** to confirm completion of the IdP configuration form.
2. Follow the instructions in the [Self-service OIDC configuration](/ciam/guides/authentication/sso/self-service/oidc#claim-domain) guide to complete this step and manage authorization.
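
Before pasting an issuer URL in Step 4, you can check it yourself against the OpenID Connect Discovery rules. The sketch below is an added example, not the form's own validation logic: it checks the issuer's shape, builds the discovery URL, and compares a fetched discovery document against the issuer you intend to submit. The host `id.example.com` and the sample document are constructed placeholders; in practice you would fetch the document from the URL that `discovery_url` returns.

```python
from urllib.parse import urlsplit

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
# Subset of the fields OpenID Connect Discovery marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri")

# Constructed sample of a discovery document (placeholder host, not a real tenant).
SAMPLE_METADATA = {
    "issuer": "https://id.example.com",
    "authorization_endpoint": "https://id.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://id.example.com/oauth2/v1/token",
    "jwks_uri": "https://id.example.com/oauth2/v1/keys",
}

def discovery_url(issuer: str) -> str:
    """Validate the issuer's shape and return its discovery document URL."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("issuer must be an https URL with a host")
    if parts.query or parts.fragment:
        raise ValueError("issuer must not contain a query or fragment")
    return issuer.rstrip("/") + DISCOVERY_SUFFIX

def check_metadata(issuer: str, metadata: dict) -> list:
    """Return a list of problems; an empty list means the document is consistent."""
    problems = [f"missing {key}" for key in REQUIRED if key not in metadata]
    # Exact string match: the 'iss' claim in issued tokens is compared against
    # the configured issuer, so even a trailing slash is a mismatch.
    if metadata.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {metadata.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = metadata.get(key)
        if value and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https")
    return problems

if __name__ == "__main__":
    for candidate in ("https://id.example.com", "https://id.example.com/"):
        print(candidate, "->", discovery_url(candidate))
        print("  problems:", check_metadata(candidate, SAMPLE_METADATA) or "none")
```
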