Skip to main content
This guide shows Okta administrators how to configure OpenID Connect (OIDC) sign-in for ClosedLoop AI from the Okta Integration Network catalog.

Prerequisites

  • An Okta admin account with permission to add and configure app integrations.
  • A ClosedLoop AI workspace admin account.
  • Your ClosedLoop AI workspace ID.
  • Your ClosedLoop AI workspace region: US or EU.

Supported Features

FeatureSupport
SP-initiated SSOSupported
IdP-initiated SSOSupported through the Okta app tile
Just-in-Time provisioningSupported when enabled in ClosedLoop AI
Universal Logout / Global Token RevocationSupported
OIDC Post Logout / browser Single LogoutNot supported; leave Post Logout URI blank
ClosedLoop AI validates the Okta issuer, audience, signature, state, nonce, and email claim before creating an application session.

Configure Okta

  1. In Okta Admin, go to Applications > Applications.
  2. Click Browse App Catalog.
  3. Search for ClosedLoop AI.
  4. Add the ClosedLoop AI integration.
Enter the tenant settings for the ClosedLoop AI workspace you are connecting.
LabelValue
Workspace IDYour ClosedLoop AI workspace UUID
Regionus or eu
Use us for https://app.closedloop.sh. Use eu for https://eu.app.closedloop.sh.
After Okta creates the app instance, open the app’s Sign On tab and copy:
Okta valueClosedLoop AI field
IssuerOkta issuer
Client IDClient ID
Client secretClient secret
The issuer is normally your Okta org URL, such as https://example.okta.com.
  1. Sign in to ClosedLoop AI as a workspace admin.
  2. Go to Integrations > Okta.
  3. Enter your Okta domain or issuer.
  4. Paste the Okta Client ID and Client secret.
  5. Choose the default provisioned role. Use Member unless every new Okta user should become a workspace admin.
  6. Enable Okta sign-in.
  7. Enable Just-in-Time provisioning if users should be created when they first sign in through Okta.
  8. Save the configuration.
In Okta, assign the ClosedLoop AI app to the users or groups who should have access.If Just-in-Time provisioning is off, the user must already exist in ClosedLoop AI or be provisioned through SCIM before sign-in.

Okta OIN Values

These are the OIDC values used by the ClosedLoop AI Okta catalog integration.
Okta fieldValue
Redirect URI{app.region == 'eu' ? 'https://eu.api.closedloop.sh/api/okta/oidc/callback' : 'https://api.closedloop.sh/api/okta/oidc/callback'}
Initiate login URI{app.region == 'eu' ? 'https://eu.api.closedloop.sh/api/okta/oidc/login?team_id=' + app.team_id : 'https://api.closedloop.sh/api/okta/oidc/login?team_id=' + app.team_id}
Post Logout URILeave blank
Configuration guide URLhttps://closedloop.sh/docs/integrations/okta-oidc-sso
SP Initiate URL{app.region == 'eu' ? 'https://eu.app.closedloop.sh/auth' : 'https://app.closedloop.sh/auth'}
ClosedLoop AI supports Universal Logout through Global Token Revocation. It does not use the OIDC Post Logout URI field.

Universal Logout

Configure Universal Logout with Global Token Revocation.
Okta fieldValue
Global token revocation endpoint{app.region == 'eu' ? 'https://eu.api.closedloop.sh/api/okta/universal-logout' : 'https://api.closedloop.sh/api/okta/universal-logout'}
Authentication methodSIGNED_JWT
Subject formatEmail
When Okta sends a valid Global Token Revocation request, ClosedLoop AI revokes the user’s ClosedLoop AI access tokens and MCP tokens.

Verify SSO

  1. Assign a test user to the ClosedLoop AI app in Okta.
  2. Open the ClosedLoop AI sign-in page for the workspace region.
  3. Enter the test user’s email address.
  4. Confirm ClosedLoop AI redirects the user to Okta.
  5. Complete Okta sign-in.
  6. Confirm the user returns to ClosedLoop AI.
For IdP-initiated SSO, launch ClosedLoop AI from the Okta End-User Dashboard app tile.

Troubleshooting

SymptomFix
Okta reports a redirect URI mismatchConfirm the Redirect URI uses the correct region and exactly matches the value in this guide.
The user authenticates in Okta but cannot enter ClosedLoop AIConfirm the user is assigned to the Okta app and either exists in ClosedLoop AI, is provisioned through SCIM, or Just-in-Time provisioning is enabled.
The app tile opens the wrong regionConfirm the Okta tenant setting region is us or eu for the workspace being configured.
Universal Logout returns 401Confirm Okta uses SIGNED_JWT and sends requests to the Global Token Revocation endpoint for the same region as the workspace.
Post Logout URI is requestedLeave it blank. ClosedLoop AI supports Universal Logout/GTR, not OIDC browser Single Logout.

Support

For help configuring Okta OIDC SSO with ClosedLoop AI, contact support@closedloop.sh.