Connect Okta to ClosedLoop AI to centralize enterprise sign-in, automate user and group provisioning, govern workspace access, and revoke active access during security events.
Use one Okta integration for one ClosedLoop AI region. Do not mix US and EU URLs in the same Okta app instance.

What Okta Manages

Capability | Description
OIDC SSO | Users sign in to ClosedLoop AI through Okta OpenID Connect.
SCIM 2.0 provisioning | Okta manages user and group lifecycle in a ClosedLoop AI workspace.
Universal Logout | Okta can revoke a user’s active ClosedLoop AI and MCP access through Global Token Revocation.
Role entitlements | Okta can discover ClosedLoop AI roles for governance and access review workflows.

Prerequisites

  • An Okta admin account with permission to configure applications and provisioning.
  • A ClosedLoop AI workspace admin account.
  • Your ClosedLoop AI workspace region: US or EU.
  • Your ClosedLoop AI workspace ID. ClosedLoop AI provides this value during Okta setup.

Region URLs

Use the row that matches your ClosedLoop AI workspace region.
Region | App URL | API URL
US | https://app.closedloop.sh | https://api.closedloop.sh
EU | https://eu.app.closedloop.sh | https://eu.api.closedloop.sh

Setup Guide

  1. In Okta Admin, go to Applications.
  2. Add the ClosedLoop AI integration.
  3. When Okta asks for tenant settings, enter your ClosedLoop AI workspace ID.
Use this tenant setting:
Label | Name | Value
ClosedLoop AI workspace ID | team_id | Your ClosedLoop AI workspace UUID
Okta references this value as app.team_id when it builds dynamic URLs.
Use the values for your region.
Okta field | US value | EU value
Redirect URI | https://api.closedloop.sh/api/okta/oidc/callback | https://eu.api.closedloop.sh/api/okta/oidc/callback
Initiate login URI | https://api.closedloop.sh/api/okta/oidc/login?team_id={app.team_id} | https://eu.api.closedloop.sh/api/okta/oidc/login?team_id={app.team_id}
Post-logout URI | https://app.closedloop.sh/auth | https://eu.app.closedloop.sh/auth
Configuration guide URL | https://closedloop.sh/docs/integrations/okta | https://closedloop.sh/docs/integrations/okta
After Okta creates the OIDC client, copy the Okta Issuer, Client ID, and Client secret.
  1. Sign in to ClosedLoop AI as a workspace admin.
  2. Go to Integrations > Okta.
  3. Enter your Okta domain.
  4. Paste the Okta Client ID and Client secret.
  5. Keep Enable Okta sign-in on.
  6. Turn on Just-in-time provisioning only if users should be created when they first sign in through Okta.
  7. Click Save Okta setup.
ClosedLoop AI generates the Okta issuer from your domain and shows the region-specific setup URLs for the workspace.
Universal Logout is separate from the post-logout URI. Use the Global Token Revocation endpoint below.
Okta field | US value | EU value
Global token revocation endpoint | https://api.closedloop.sh/api/okta/universal-logout | https://eu.api.closedloop.sh/api/okta/universal-logout
Authentication method | SIGNED_JWT | SIGNED_JWT
Subject format | Email | Email
Partial support | Off | Off
When Okta sends a valid Global Token Revocation request, ClosedLoop AI revokes the user’s ClosedLoop AI API tokens and MCP tokens.
Use OAuth 2.0 for SCIM authentication. Okta obtains a bearer token from ClosedLoop AI and uses it for SCIM calls.
Okta field | US value | EU value
Base URL | 'https://api.closedloop.sh/api/scim/v2/' + app.team_id | 'https://eu.api.closedloop.sh/api/scim/v2/' + app.team_id
Authorize endpoint | https://api.closedloop.sh/api/okta/scim/oauth/authorize | https://eu.api.closedloop.sh/api/okta/scim/oauth/authorize
Token endpoint | https://api.closedloop.sh/api/okta/scim/oauth/token | https://eu.api.closedloop.sh/api/okta/scim/oauth/token
Scopes | scim.read, scim.write, entitlements.read | scim.read, scim.write, entitlements.read
SCIM Base URL fields use Okta Expression Language string concatenation. Enter the quote characters exactly as shown.
Supported user operations:
Operation | Setting
Create | On
Read | On
Update | On
Change password | Off
Deactivate | On
Support PATCH for User | On
Supported group operations:
Operation | Setting
Create | On
Read | On
Update (Uses PATCH) | On
Delete | On
ClosedLoop AI provisions Okta-created users as Member by default and keeps profile, group, and access status in sync from Okta.
Enable Entitlement Management if your Okta plan includes it.
Resource type mapping:
Field | Value
Resource Type | Role
Endpoint | /Roles
Properties | id, displayName, description
Description | ClosedLoop AI workspace roles
Entitlements schema mapping:
Okta Attribute | ClosedLoop AI Attribute
id | id
displayName | displayName
description | description
ClosedLoop AI exposes role entitlements to Okta for access governance workflows.

SCIM Attribute Mapping

ClosedLoop AI reads the following SCIM user attributes:
Okta attribute | ClosedLoop AI usage
userName | Primary email address
emails[primary eq true].value | Primary email address fallback
name.givenName | First name
name.familyName | Last name
displayName | Full name fallback
active | Workspace access status
externalId | Okta-side stable identifier
ClosedLoop AI does not use Okta passwords. Leave password management disabled in provisioning. ClosedLoop AI also reads SCIM group displayName, externalId, and members for group lifecycle management.
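
The attribute table above can be applied to a SCIM 2.0 User resource before provisioning is switched on. This is an added example, not ClosedLoop AI or Okta code; the function name, the output keys, the fallback precedence and the sample payload are assumptions made for the illustration.

```python
def resolve_scim_user(resource):
    """Apply the attribute table above to one SCIM 2.0 User resource.

    Returns (profile, problems). The precedence used here (userName first,
    then the primary email; name parts first, then displayName) is this
    example's reading of the "fallback" rows, not ClosedLoop AI's code.
    """
    problems = []

    emails = resource.get("emails") or []
    primary = next((e.get("value") for e in emails if e.get("primary") is True), None)
    user_name = resource.get("userName")
    email = user_name if user_name and "@" in user_name else primary
    if not email:
        problems.append("no email in userName or emails[primary eq true].value")

    name = resource.get("name") or {}
    parts = [name.get("givenName"), name.get("familyName")]
    full_name = " ".join(p for p in parts if p) or resource.get("displayName")
    if not full_name:
        problems.append("no name.givenName, name.familyName or displayName")

    active = resource.get("active")
    if not isinstance(active, bool):
        problems.append("active is not a boolean")
    if not resource.get("externalId"):
        problems.append("externalId is missing")
    if "password" in resource:
        problems.append("password sent; password management should be off in Okta")

    profile = {"email": email, "full_name": full_name,
               "active": active is True, "external_id": resource.get("externalId")}
    return profile, problems


# Constructed SCIM payload: userName is not an email, so the primary email is used.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jdoe",
    "emails": [{"value": "old@example.com", "primary": False},
               {"value": "J.Doe@example.com", "primary": True}],
    "displayName": "Jane Doe",
    "active": False,
    "externalId": "00u-constructed-id",
    "password": "constructed-value",
}
```
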

Testing

After configuration, test in this order:
  1. Assign a test user to the ClosedLoop AI app in Okta.
  2. Run provisioning so Okta creates the user in ClosedLoop AI.
  3. Sign in to ClosedLoop AI with the test user’s email address.
  4. Confirm the user is redirected to Okta and returns to ClosedLoop AI after authentication.
  5. Deactivate the user in Okta and confirm ClosedLoop AI access is removed.
  6. Run a Universal Logout test from Okta and confirm the user must sign in again.

Troubleshooting

Symptom | Fix
Okta reports an invalid SCIM base URL | Confirm the base URL uses string concatenation with app.team_id and that the tenant setting name is team_id.
Users can authenticate in Okta but cannot enter ClosedLoop AI | Confirm the user is assigned to the Okta app and is provisioned or Just-in-time provisioning is enabled in ClosedLoop AI.
The OIDC callback fails | Confirm the Redirect URI exactly matches the region-specific callback URL.
Universal Logout returns 401 | Confirm Okta is using SIGNED_JWT and the Global Token Revocation endpoint for the same region as the workspace.
A user is deactivated but still has the app open | Confirm Okta sent the SCIM deactivation or Universal Logout event for the same ClosedLoop AI region.
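
Several of the fixes above come down to a value from the wrong region or a URL that does not match exactly. The following added example (not ClosedLoop AI or Okta code) compares values copied from one Okta app instance with the URLs this page lists; the dictionary keys and function names are chosen for the example and are not Okta API field names.

```python
# Hosts per region, from the Region URLs table on this page: (app host, API host).
REGION_HOSTS = {
    "US": ("app.closedloop.sh", "api.closedloop.sh"),
    "EU": ("eu.app.closedloop.sh", "eu.api.closedloop.sh"),
}


def expected_settings(region):
    """Okta field values this page lists for one region. Dict keys are names
    chosen for this example, not Okta API field names."""
    app, api = REGION_HOSTS[region]
    return {
        "redirect_uri": f"https://{api}/api/okta/oidc/callback",
        "initiate_login_uri": f"https://{api}/api/okta/oidc/login?team_id={{app.team_id}}",
        "post_logout_uri": f"https://{app}/auth",
        "revocation_endpoint": f"https://{api}/api/okta/universal-logout",
        # Okta Expression Language string, quote characters included.
        "scim_base_url": f"'https://{api}/api/scim/v2/' + app.team_id",
        "scim_authorize_endpoint": f"https://{api}/api/okta/scim/oauth/authorize",
        "scim_token_endpoint": f"https://{api}/api/okta/scim/oauth/token",
    }


def lint_okta_app(region, settings):
    """Compare configured values with the page's values for `region`.
    Returns a list of findings; empty means every field matches exactly."""
    findings = []
    others = {r: expected_settings(r) for r in REGION_HOSTS if r != region}
    for field, want in expected_settings(region).items():
        got = settings.get(field)
        if got == want:
            continue
        wrong_region = [r for r, exp in others.items() if exp[field] == got]
        if wrong_region:
            findings.append(f"{field}: {wrong_region[0]} value, but the app instance is {region}")
        elif got is None:
            findings.append(f"{field}: not set")
        else:
            findings.append(f"{field}: expected {want!r}, got {got!r}")
    return findings


# Constructed sample: an EU app instance with two mistakes in it.
sample = expected_settings("EU")
sample["revocation_endpoint"] = "https://api.closedloop.sh/api/okta/universal-logout"
sample["redirect_uri"] += "/"  # trailing slash breaks the exact match
for finding in lint_okta_app("EU", sample):
    print(finding)
```
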

Open ClosedLoop AI US

Configure Okta in the US workspace integrations page

Open ClosedLoop AI EU

Configure Okta in the EU workspace integrations page