Crunchy Bridge supports Okta through the same implementation it uses for custom OpenID Connect providers. Only authentication through OIDC is supported via Okta (SAML isn't), although SCIM might be supported in the future.
Install Crunchy Bridge through the Okta integration network.
Okta will prompt you to give the integration a label for naming purposes. Customize it, or accept the default of "Crunchy Bridge", then click Done.
You'll be redirected to a dashboard for the new integration, which can be used to add users or change its other settings. You'll need to procure the new application's client ID and secret, available under the Sign On tab, which will be used to complete configuration over in Crunchy Bridge.
In another tab, go to Bridge's OpenID Connect provider registration page, enter your email at your Okta-hosted domain and click "Verify OpenID Connect".
The submission initiates a WebFinger protocol request to verify the account's existence with the domain's identity provider before showing the next step of the process. WebFinger uses a predefined path at the target domain of https://<domain>/.well-known/webfinger, which Okta domains
Use your username at your Okta subdomain for this initial check, e.g. you@YOUR_ORG.okta.com. If Okta's configured to use a different domain for its
YOUR_ORG.com), you'll be able to use you@YOUR_ORG.com for future logins after successfully verifying ownership of the domain.
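The WebFinger lookup described above, sketched as an added example (not Crunchy Bridge's or Okta's code). It assumes the lookup follows OpenID Connect Discovery 1.0, where the query asks for the issuer link relation; the function names and the sample response are constructed for illustration.

```python
import json
from urllib.parse import urlencode, urlsplit

# Link relation defined by OpenID Connect Discovery 1.0 for locating an issuer.
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def webfinger_url(email: str) -> str:
    """Build the WebFinger query URL for an account like you@YOUR_ORG.okta.com."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "/" in domain or ":" in domain:
        raise ValueError(f"not a usable account identifier: {email!r}")
    query = urlencode({"resource": f"acct:{local}@{domain.lower()}",
                       "rel": OIDC_ISSUER_REL})
    return f"https://{domain.lower()}/.well-known/webfinger?{query}"


def issuer_from_jrd(body: str, email: str) -> str:
    """Return the OIDC issuer advertised in a WebFinger (JRD) response."""
    jrd = json.loads(body)
    # Strict policy chosen for this example: the answer must be about our account.
    expected = "acct:" + email.strip().lower()
    if jrd.get("subject", "").lower() != expected:
        raise ValueError("WebFinger subject does not match the requested account")
    for link in jrd.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            issuer = urlsplit(link.get("href", ""))
            if issuer.scheme != "https" or not issuer.hostname:
                raise ValueError("issuer must be an https URL")
            if issuer.query or issuer.fragment:
                raise ValueError("issuer must not carry a query or fragment")
            return issuer.geturl()
    raise LookupError("no OpenID Connect issuer link in WebFinger response")


# Constructed sample response (not captured from Okta or Crunchy Bridge).
SAMPLE_JRD = json.dumps({
    "subject": "acct:you@your_org.okta.com",
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://your_org.okta.com"}],
})

if __name__ == "__main__":
    account = "you@YOUR_ORG.okta.com"
    print(webfinger_url(account))
    print(issuer_from_jrd(SAMPLE_JRD, account))
```

Checking the returned issuer against the domain you expect before entering a client secret guards against a WebFinger response that points at an unexpected identity provider.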
In the newly revealed form fields, enter the following:
The Client ID from your Okta tab.
The Client secret from your Okta tab.
An optional human-friendly name to more easily identify the OpenID Connect client later. This name will show up in the Bridge UI alongside other OpenID Connect client information.
Click "Activate OpenID Connect". This will persist a record for the new client and redirect to initiate login against Okta. After a successful login, you'll be sent an email to verify domain ownership containing a link that'll log you into Crunchy Bridge and fully activate the Okta OpenID Connect client.
From now on, login can be initiated from the OpenID Connect login page. Login can be initiated through either your Okta subdomain (you@YOUR_ORG.okta.com) or a verified cosmetic domain (you@YOUR_ORG.com). Login must be initiated through the OpenID Connect login page. The regular, password-based login page can't be
Other accounts on the same domain (
also be allowed to log in under the same client, provided they're authorized to do so on Okta's end.
Bridge also supports IDP-initiated (identity provider initiated) login, so alternatively users can find their installed Bridge application in their Okta dashboard, and select sign-in to be sent to the Crunchy Bridge Dashboard.
New team members can be added to a team through the normal Team Settings → Members UI. If a new member doesn't have an account yet, they'll be sent a link to the OpenID Connect login page where they can create an account by logging into the same app in use by the admin.
If an invited email is ambiguous (maps to multiple accounts on Crunchy Bridge), an account in the same OpenID Connect application is preferred, but lookup will fall back to an account in the default identity domain (logs in via password, Azure, or Google). Team admins can confirm that members use a specific authentication method in the list under Team Settings → Members.