Connect Okta to ClosedLoop AI to centralize enterprise sign-in, automate user and group provisioning, govern workspace access, and revoke active access during security events.
Use one Okta integration for one ClosedLoop AI region. Do not mix US and EU URLs in the same Okta app instance.
What Okta Manages
| Capability | Description |
| --- | --- |
| OIDC SSO | Users sign in to ClosedLoop AI through Okta OpenID Connect. |
| SCIM 2.0 provisioning | Okta manages user and group lifecycle in a ClosedLoop AI workspace. |
| Universal Logout | Okta can revoke a user's active ClosedLoop AI and MCP access through Global Token Revocation. |
| Role entitlements | Okta can discover ClosedLoop AI roles for governance and access review workflows. |
Prerequisites
An Okta admin account with permission to configure applications and provisioning.
A ClosedLoop AI workspace admin account.
Your ClosedLoop AI workspace region: US or EU.
Your ClosedLoop AI workspace ID. ClosedLoop AI provides this value during Okta setup.
Region URLs
Use the row that matches your ClosedLoop AI workspace region.
| Region | App URL | API URL |
| --- | --- | --- |
| US | https://app.closedloop.sh | https://api.closedloop.sh |
| EU | https://eu.app.closedloop.sh | https://eu.api.closedloop.sh |
Setup Guide
Step 1: Add the ClosedLoop AI app in Okta
In Okta Admin, go to Applications.
Add the ClosedLoop AI integration.
When Okta asks for tenant settings, enter your ClosedLoop AI workspace ID.
Use this tenant setting:

| Label | Name | Value |
| --- | --- | --- |
| ClosedLoop AI workspace ID | team_id | Your ClosedLoop AI workspace UUID |
Okta references this value as app.team_id when it builds dynamic URLs.
Step 2: Configure OIDC SSO
Step 3: Save OIDC settings in ClosedLoop AI
Sign in to ClosedLoop AI as a workspace admin.
Go to Integrations > Okta.
Enter your Okta domain.
Paste the Okta Client ID and Client secret.
Keep Enable Okta sign-in on.
Turn on Just-in-time provisioning only if users should be created when they first sign in through Okta.
Click Save Okta setup.
ClosedLoop AI generates the Okta issuer from your domain and shows the region-specific setup URLs for the workspace.
Step 4: Configure Universal Logout
Step 5: Configure SCIM provisioning
Step 6: Configure entitlements
SCIM Attribute Mapping
ClosedLoop AI reads the following SCIM user attributes:
| Okta attribute | ClosedLoop AI usage |
| --- | --- |
| userName | Primary email address |
| emails[primary eq true].value | Primary email address fallback |
| name.givenName | First name |
| name.familyName | Last name |
| displayName | Full name fallback |
| active | Workspace access status |
| externalId | Okta-side stable identifier |
ClosedLoop AI does not use Okta passwords. Leave password management disabled in provisioning.
ClosedLoop AI also reads SCIM group displayName, externalId, and members for group lifecycle management.
Testing
After configuration, test in this order:
Assign a test user to the ClosedLoop AI app in Okta.
Run provisioning so Okta creates the user in ClosedLoop AI.
Sign in to ClosedLoop AI with the test user’s email address.
Confirm the user is redirected to Okta and returns to ClosedLoop AI after authentication.
Deactivate the user in Okta and confirm ClosedLoop AI access is removed.
Run a Universal Logout test from Okta and confirm the user must sign in again.
Troubleshooting
| Symptom | Fix |
| --- | --- |
| Okta reports an invalid SCIM base URL | Confirm the base URL uses string concatenation with app.team_id and that the tenant setting name is team_id. |
| Users can authenticate in Okta but cannot enter ClosedLoop AI | Confirm the user is assigned to the Okta app and is provisioned or Just-in-time provisioning is enabled in ClosedLoop AI. |
| The OIDC callback fails | Confirm the Redirect URI exactly matches the region-specific callback URL. |
| Universal Logout returns 401 | Confirm Okta is using SIGNED_JWT and the Global Token Revocation endpoint for the same region as the workspace. |
| A user is deactivated but still has the app open | Confirm Okta sent the SCIM deactivation or Universal Logout event for the same ClosedLoop AI region. |
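Several of the fixes above come down to the rule that one Okta app instance must use a single region. The following pre-flight check for that rule is an added example, not ClosedLoop AI or Okta code. It assumes the URL settings are available as already-resolved URLs (any app.team_id expression evaluated); the function names, setting labels and sample paths are hypothetical placeholders, and only the hosts come from the Region URLs table.

```python
from urllib.parse import urlsplit

# Hosts from the Region URLs table on this page.
REGION_HOSTS = {
    "app.closedloop.sh": "US",
    "api.closedloop.sh": "US",
    "eu.app.closedloop.sh": "EU",
    "eu.api.closedloop.sh": "EU",
}


def region_of(url):
    """Return 'US' or 'EU' for an https ClosedLoop AI URL, else None."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or parts.username or parts.password:
        return None
    # Exact host match only: suffix matching would accept look-alike hosts
    # such as app.closedloop.sh.example.net.
    host = (parts.hostname or "").rstrip(".").lower()
    return REGION_HOSTS.get(host)


def check_region(settings, workspace_region):
    """Return a list of problems for the URL settings of one Okta app instance.

    settings maps a setting label to the resolved URL entered in Okta.
    """
    problems = []
    for label, url in settings.items():
        region = region_of(url)
        if region is None:
            problems.append(f"{label}: not an https ClosedLoop AI host: {url}")
        elif region != workspace_region:
            problems.append(f"{label}: {region} URL in a {workspace_region} integration")
    return problems


# Constructed sample: the paths are placeholders, not real ClosedLoop AI endpoints.
SAMPLE = {
    "Redirect URI": "https://eu.app.closedloop.sh/PLACEHOLDER/callback",
    "SCIM base URL": "https://eu.api.closedloop.sh/PLACEHOLDER/scim",
    "Global Token Revocation": "https://api.closedloop.sh/PLACEHOLDER/revoke",
}

if __name__ == "__main__":
    for problem in check_region(SAMPLE, "EU"):
        print(problem)
```

An empty list means every checked URL belongs to the workspace region; anything else names the setting to correct before running the tests in the Testing section.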