Prerequisites
- An Okta admin account with permission to add and configure app integrations.
- A ClosedLoop AI workspace admin account.
- Your ClosedLoop AI workspace ID.
- Your ClosedLoop AI workspace region: US or EU.
Supported Features
| Feature | Support |
|---|---|
| SP-initiated SSO | Supported |
| IdP-initiated SSO | Supported through the Okta app tile |
| Just-in-Time provisioning | Supported when enabled in ClosedLoop AI |
| Universal Logout / Global Token Revocation | Supported |
| OIDC Post Logout / browser Single Logout | Not supported; leave Post Logout URI blank |
Configure Okta
Step 1: Add ClosedLoop AI from the Okta catalog
Step 1: Add ClosedLoop AI from the Okta catalog
- In Okta Admin, go to Applications > Applications.
- Click Browse App Catalog.
- Search for ClosedLoop AI.
- Add the ClosedLoop AI integration.
Step 2: Enter tenant settings
Step 2: Enter tenant settings
Enter the tenant settings for the ClosedLoop AI workspace you are connecting.
Use
| Label | Value |
|---|---|
| Workspace ID | Your ClosedLoop AI workspace UUID |
| Region | us or eu |
us for https://app.closedloop.sh. Use eu for https://eu.app.closedloop.sh.Step 3: Copy Okta OIDC credentials
Step 3: Copy Okta OIDC credentials
After Okta creates the app instance, open the app’s Sign On tab and copy:
The issuer is normally your Okta org URL, such as
| Okta value | ClosedLoop AI field |
|---|---|
| Issuer | Okta issuer |
| Client ID | Client ID |
| Client secret | Client secret |
https://example.okta.com.Step 4: Save OIDC settings in ClosedLoop AI
Step 4: Save OIDC settings in ClosedLoop AI
- Sign in to ClosedLoop AI as a workspace admin.
- Go to Integrations > Okta.
- Enter your Okta domain or issuer.
- Paste the Okta Client ID and Client secret.
- Choose the default provisioned role. Use Member unless every new Okta user should become a workspace admin.
- Enable Okta sign-in.
- Enable Just-in-Time provisioning if users should be created when they first sign in through Okta.
- Save the configuration.
Step 5: Assign users
Step 5: Assign users
In Okta, assign the ClosedLoop AI app to the users or groups who should have access.If Just-in-Time provisioning is off, the user must already exist in ClosedLoop AI or be provisioned through SCIM before sign-in.
Okta OIN Values
These are the OIDC values used by the ClosedLoop AI Okta catalog integration.| Okta field | Value |
|---|---|
| Redirect URI | {app.region == 'eu' ? 'https://eu.api.closedloop.sh/api/okta/oidc/callback' : 'https://api.closedloop.sh/api/okta/oidc/callback'} |
| Initiate login URI | {app.region == 'eu' ? 'https://eu.api.closedloop.sh/api/okta/oidc/login?team_id=' + app.team_id : 'https://api.closedloop.sh/api/okta/oidc/login?team_id=' + app.team_id} |
| Post Logout URI | Leave blank |
| Configuration guide URL | https://closedloop.sh/docs/integrations/okta-oidc-sso |
| SP Initiate URL | {app.region == 'eu' ? 'https://eu.app.closedloop.sh/auth' : 'https://app.closedloop.sh/auth'} |
Universal Logout
Configure Universal Logout with Global Token Revocation.| Okta field | Value |
|---|---|
| Global token revocation endpoint | {app.region == 'eu' ? 'https://eu.api.closedloop.sh/api/okta/universal-logout' : 'https://api.closedloop.sh/api/okta/universal-logout'} |
| Authentication method | SIGNED_JWT |
| Subject format | Email |
Verify SSO
- Assign a test user to the ClosedLoop AI app in Okta.
- Open the ClosedLoop AI sign-in page for the workspace region.
- Enter the test user’s email address.
- Confirm ClosedLoop AI redirects the user to Okta.
- Complete Okta sign-in.
- Confirm the user returns to ClosedLoop AI.
Troubleshooting
| Symptom | Fix |
|---|---|
| Okta reports a redirect URI mismatch | Confirm the Redirect URI uses the correct region and exactly matches the value in this guide. |
| The user authenticates in Okta but cannot enter ClosedLoop AI | Confirm the user is assigned to the Okta app and either exists in ClosedLoop AI, is provisioned through SCIM, or Just-in-Time provisioning is enabled. |
| The app tile opens the wrong region | Confirm the Okta tenant setting region is us or eu for the workspace being configured. |
| Universal Logout returns 401 | Confirm Okta uses SIGNED_JWT and sends requests to the Global Token Revocation endpoint for the same region as the workspace. |
| Post Logout URI is requested | Leave it blank. ClosedLoop AI supports Universal Logout/GTR, not OIDC browser Single Logout. |
Support
For help configuring Okta OIDC SSO with ClosedLoop AI, contactsupport@closedloop.sh.