> ## Documentation Index
> Fetch the complete documentation index at: https://closedloop.sh/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Okta OIDC SSO

> Configure Okta OIDC SSO, Just-in-Time provisioning, and Universal Logout for ClosedLoop AI.

This guide shows Okta administrators how to configure OpenID Connect (OIDC) sign-in for ClosedLoop AI from the Okta Integration Network catalog.

## Prerequisites

* An Okta admin account with permission to add and configure app integrations.
* A ClosedLoop AI workspace admin account.
* Your ClosedLoop AI workspace ID.
* Your ClosedLoop AI workspace region: US or EU.

## Supported Features

| Feature                                    | Support                                    |
| ------------------------------------------ | ------------------------------------------ |
| SP-initiated SSO                           | Supported                                  |
| IdP-initiated SSO                          | Supported through the Okta app tile        |
| Just-in-Time provisioning                  | Supported when enabled in ClosedLoop AI    |
| Universal Logout / Global Token Revocation | Supported                                  |
| OIDC Post Logout / browser Single Logout   | Not supported; leave Post Logout URI blank |

ClosedLoop AI validates the Okta issuer, audience, signature, state, nonce, and email claim before creating an application session.

## Configure Okta

<AccordionGroup>
  <Accordion icon="plus" title="Step 1: Add ClosedLoop AI from the Okta catalog">
    1. In Okta Admin, go to **Applications** > **Applications**.
    2. Click **Browse App Catalog**.
    3. Search for **ClosedLoop AI**.
    4. Add the **ClosedLoop AI** integration.
  </Accordion>

  <Accordion icon="settings" title="Step 2: Enter tenant settings">
    Enter the tenant settings for the ClosedLoop AI workspace you are connecting.

    | Label        | Value                             |
    | ------------ | --------------------------------- |
    | Workspace ID | Your ClosedLoop AI workspace UUID |
    | Region       | `us` or `eu`                      |

    Use `us` for `https://app.closedloop.sh`. Use `eu` for `https://eu.app.closedloop.sh`.
  </Accordion>

  <Accordion icon="key-round" title="Step 3: Copy Okta OIDC credentials">
    After Okta creates the app instance, open the app's **Sign On** tab and copy:

    | Okta value    | ClosedLoop AI field |
    | ------------- | ------------------- |
    | Issuer        | Okta issuer         |
    | Client ID     | Client ID           |
    | Client secret | Client secret       |

    The issuer is normally your Okta org URL, such as `https://example.okta.com`.
  </Accordion>

  <Accordion icon="shield-check" title="Step 4: Save OIDC settings in ClosedLoop AI">
    1. Sign in to ClosedLoop AI as a workspace admin.
    2. Go to **Integrations** > **Okta**.
    3. Enter your Okta domain or issuer.
    4. Paste the Okta **Client ID** and **Client secret**.
    5. Choose the default provisioned role. Use **Member** unless every new Okta user should become a workspace admin.
    6. Enable Okta sign-in.
    7. Enable Just-in-Time provisioning if users should be created when they first sign in through Okta.
    8. Save the configuration.
  </Accordion>

  <Accordion icon="users" title="Step 5: Assign users">
    In Okta, assign the ClosedLoop AI app to the users or groups who should have access.

    If Just-in-Time provisioning is off, the user must already exist in ClosedLoop AI or be provisioned through SCIM before sign-in.
  </Accordion>
</AccordionGroup>

## Okta OIN Values

These are the OIDC values used by the ClosedLoop AI Okta catalog integration.

| Okta field              | Value                                                                                                                                                                       |
| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Redirect URI            | `{app.region == 'eu' ? 'https://eu.api.closedloop.sh/api/okta/oidc/callback' : 'https://api.closedloop.sh/api/okta/oidc/callback'}`                                         |
| Initiate login URI      | `{app.region == 'eu' ? 'https://eu.api.closedloop.sh/api/okta/oidc/login?team_id=' + app.team_id : 'https://api.closedloop.sh/api/okta/oidc/login?team_id=' + app.team_id}` |
| Post Logout URI         | Leave blank                                                                                                                                                                 |
| Configuration guide URL | `https://closedloop.sh/docs/integrations/okta-oidc-sso`                                                                                                                     |
| SP Initiate URL         | `{app.region == 'eu' ? 'https://eu.app.closedloop.sh/auth' : 'https://app.closedloop.sh/auth'}`                                                                             |

ClosedLoop AI supports Universal Logout through Global Token Revocation. It does not use the OIDC Post Logout URI field.

## Universal Logout

Configure Universal Logout with Global Token Revocation.

| Okta field                       | Value                                                                                                                                     |
| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| Global token revocation endpoint | `{app.region == 'eu' ? 'https://eu.api.closedloop.sh/api/okta/universal-logout' : 'https://api.closedloop.sh/api/okta/universal-logout'}` |
| Authentication method            | `SIGNED_JWT`                                                                                                                              |
| Subject format                   | `Email`                                                                                                                                   |

When Okta sends a valid Global Token Revocation request, ClosedLoop AI revokes the user's ClosedLoop AI access tokens and MCP tokens.

## Verify SSO

1. Assign a test user to the ClosedLoop AI app in Okta.
2. Open the ClosedLoop AI sign-in page for the workspace region.
3. Enter the test user's email address.
4. Confirm ClosedLoop AI redirects the user to Okta.
5. Complete Okta sign-in.
6. Confirm the user returns to ClosedLoop AI.

For IdP-initiated SSO, launch ClosedLoop AI from the Okta End-User Dashboard app tile.

## Troubleshooting

| Symptom                                                       | Fix                                                                                                                                                    |
| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Okta reports a redirect URI mismatch                          | Confirm the Redirect URI uses the correct region and exactly matches the value in this guide.                                                          |
| The user authenticates in Okta but cannot enter ClosedLoop AI | Confirm the user is assigned to the Okta app and either exists in ClosedLoop AI, is provisioned through SCIM, or Just-in-Time provisioning is enabled. |
| The app tile opens the wrong region                           | Confirm the Okta tenant setting `region` is `us` or `eu` for the workspace being configured.                                                           |
| Universal Logout returns 401                                  | Confirm Okta uses `SIGNED_JWT` and sends requests to the Global Token Revocation endpoint for the same region as the workspace.                        |
| Post Logout URI is requested                                  | Leave it blank. ClosedLoop AI supports Universal Logout/GTR, not OIDC browser Single Logout.                                                           |

## Support

For help configuring Okta OIDC SSO with ClosedLoop AI, contact `support@closedloop.sh`.
