Configure Okta

Crunchy Bridge supports Okta through the same implementation it uses for custom OpenID Connect providers. Only authentication through OIDC is supported via Okta (SAML isn't), although SCIM might be supported in the future.

Install Crunchy Bridge in Okta

Install Crunchy Bridge through the Okta integration network.

Okta will prompt to give the integration a label for naming purposes. Customize it, or accept the default of "Crunchy Bridge", then click Done.

You'll be redirected to a dashboard for the new integration, which can be used to add users or change its other settings. You'll need to procure the new application's client ID and secret, available under the Sign On tab, which will be used to complete configuration over in Crunchy Bridge.

Verifying identity via WebFinger

In another tab, go to Bridge's OpenID Connect provider registration page, enter your email at your Okta-hosted domain and click "Verify OpenID Connect".

The submission initiates a WebFinger protocol request to verify the account's existence with the domain's identity provider before showing the next step of the process. WebFinger uses a predefined path at the target domain of https://<domain>/.well-known/webfinger, which Okta domains support automatically.

Use your username at your Okta subdomain for this initial check, e.g. you@YOUR_ORG.okta.com. If Okta is configured to use a different domain for its users (YOUR_ORG.com), you'll be able to use you@YOUR_ORG.com for future logins after successfully verifying ownership of that domain.
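To make the WebFinger step concrete, here is an added example (not Crunchy Bridge's or Okta's code) of what a relying party does during that check: it builds the https://<domain>/.well-known/webfinger request from the email address, then parses the JSON answer and pulls out the OpenID Connect issuer link. The rel value is the one defined by OpenID Connect Discovery; the sample response body and the YOUR_ORG.okta.com host are constructed placeholders. The parser refuses responses whose subject doesn't match the requested account and issuers that aren't plain https URLs, which is the minimum a verifier should insist on before trusting discovered identity-provider metadata.

```python
import json
from urllib.parse import quote, urlsplit

# rel value from the OpenID Connect Discovery specification (a real constant)
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def webfinger_url(email: str) -> str:
    """Build the WebFinger discovery URL for an email-style identifier.

    The request goes to the well-known path at the address's domain, with the
    account encoded as an acct: resource and the OIDC issuer rel requested.
    """
    local, _, domain = email.rpartition("@")
    if not local or not domain or any(c in domain for c in "/?#:"):
        raise ValueError("not a usable email address")
    resource = f"acct:{email}"
    return (
        f"https://{domain}/.well-known/webfinger"
        f"?resource={quote(resource, safe='')}"
        f"&rel={quote(OIDC_ISSUER_REL, safe='')}"
    )


def extract_issuer(email: str, body: str) -> str:
    """Parse a WebFinger JSON response and return the OIDC issuer URL.

    Checks performed before the issuer is accepted:
      * the response subject must equal the resource we asked about
      * exactly one link with the OIDC issuer rel must be present
      * the issuer must be an https URL with a host and no query/fragment
    """
    doc = json.loads(body)
    expected_subject = f"acct:{email}"
    if doc.get("subject") != expected_subject:
        raise ValueError("WebFinger subject does not match requested account")

    issuers = [
        link.get("href", "")
        for link in doc.get("links", [])
        if isinstance(link, dict) and link.get("rel") == OIDC_ISSUER_REL
    ]
    if len(issuers) != 1:
        raise ValueError("expected exactly one OIDC issuer link")

    href = issuers[0]
    parts = urlsplit(href)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError(f"unacceptable issuer URL: {href!r}")
    return href


# Constructed sample: what a WebFinger response for an Okta-hosted account
# might look like. Host names are placeholders, not a real tenant.
SAMPLE_EMAIL = "you@YOUR_ORG.okta.com"
SAMPLE_RESPONSE = json.dumps({
    "subject": "acct:you@YOUR_ORG.okta.com",
    "links": [
        {"rel": OIDC_ISSUER_REL, "href": "https://YOUR_ORG.okta.com"}
    ],
})

# Constructed negative sample: a downgraded, non-TLS issuer that must be rejected.
BAD_RESPONSE = json.dumps({
    "subject": "acct:you@YOUR_ORG.okta.com",
    "links": [
        {"rel": OIDC_ISSUER_REL, "href": "http://YOUR_ORG.okta.com"}
    ],
})


if __name__ == "__main__":
    print(webfinger_url(SAMPLE_EMAIL))
    print(extract_issuer(SAMPLE_EMAIL, SAMPLE_RESPONSE))
```

Performing the actual HTTP GET (with urllib or requests) against the URL that webfinger_url returns is left out so the example runs offline; in a real client the response body is passed to extract_issuer unchanged, and the returned issuer is what the provider's OIDC configuration is then fetched from.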

Adding a client ID and secret

In the newly revealed form fields, enter the following:

  • The Client ID from your Okta tab.

  • The Client secret from your Okta tab.

  • An optional human-friendly name to more easily identify the OpenID Connect client later. This name will show up in the Bridge UI alongside other OpenID Connect client information.

Click "Activate OpenID Connect". This will persist a record for the new client and redirect to initiate login against Okta. After a successful login, you'll be sent an email to verify domain ownership containing a link that'll log you into Crunchy Bridge and fully activate the Okta OpenID Connect client.

Future logins and other accounts

From now on, login is initiated from the OpenID Connect login page, using either your Okta subdomain (you@YOUR_ORG.okta.com) or a verified cosmetic domain (you@YOUR_ORG.com). The regular, password-based login page can't be used for these accounts.

Other accounts on the same domain (database-collaborator@YOUR_ORG.com) will also be allowed to log in under the same client, provided they're authorized to do so on Okta's end.

IDP-initiated login

Bridge also supports IDP-initiated (identity provider initiated) login, so alternatively users can find their installed Bridge application in their Okta dashboard, and select sign-in to be sent to the Crunchy Bridge Dashboard.

Team members

New team members can be added to a team through the normal Team Settings → Members UI. If a new member doesn't have an account yet, they'll be sent a link to the OpenID Connect login page where they can create an account by logging into the same app in use by the admin.

If an invited email is ambiguous (maps to multiple accounts on Crunchy Bridge), an account in the same OpenID Connect application is preferred, but lookup will fall back to an account in the default identity domain (one that logs in via password, Azure, or Google). Team admins can confirm which authentication method each member uses in the list under Team Settings → Members.