---
title: "Configuring Okta as an Identity Provider in Nirmata"
description: "Step-by-step guide to configure Okta as an Identity Provider using OpenID Connect"
diataxis: how-to
applies_to:
  product: "nirmata-control-hub"
audience: ["platform-engineer"]
url: https://docs.nirmata.io/docs/control-hub/identity-access/oidc/okta/
---

## Prerequisites

- Administrative access to your Okta organization account or Okta App Integration
- Administrative access to your Nirmata account

## Configuration Steps

### 1. Create a New Application in Okta

1. Log in to your Okta Admin Console.
2. In the left sidebar, navigate to **Applications > Applications**.
3. Click **Create Application Integration**.
4. Select **OIDC**.
5. Choose **Web Application** as the platform.
6. Click **Create**.

### 2. Configure Application Settings

1. In the application settings, fill in the following:
   - **App integration name**: (e.g., Nirmata app)
   - **Application type**: Web
   - **Grant type configuration:**
     - Under **Grant type**:
       - Check **Client Credentials** (under "Client acting on behalf of itself").
       - Under **Core grants**, check **Authorization Code**. (Leave **Refresh Token** unchecked unless your use case requires it.)
       - Expand **Advanced**:
         - Leave all **Okta direct auth API grants** (OTP, OOB, MFA OTP, MFA OOB) unchecked.
         - Under **Other grants**, check **Implicit (hybrid)**.
           - Check both **Allow ID Token with implicit grant type** and **Allow Access Token with implicit grant type**.
   - **Login redirect URIs**:
     - **Sign-in redirect URIs**: `https://<nirmata-domain>/security/api/oidc/callback/`
     - **Sign-out redirect URIs**: `https://<nirmata-domain>/security/api/oidc/logout/`

2. Click **Save**.

3. Return to the application you just created and make the following changes in its **General** settings:
   - **Proof Key for Code Exchange (PKCE)**: uncheck **Require PKCE as additional verification**.
   - Copy the **Client ID** and **Client secret**; you will enter them in Nirmata in the next step.


### 3. Navigate to Nirmata to Configure Okta OIDC

In Nirmata, open the OIDC settings by navigating to **Identity and Access > OIDC** and enter the following details, using the values shown in your Okta app:

- **Name:**  
  Enter a descriptive name for this OIDC configuration (e.g., `okta`).

- **Client ID:**  
  Copy the Client ID from your Okta application.

- **Secret:**  
  Copy the Client Secret from your Okta application.

- **Discovery URI:**  
  Use the full OpenID Connect discovery endpoint from Okta, e.g.:  
  `https://<okta-domain>/oauth2/default/.well-known/openid-configuration`

- **Scopes:**  
  Enter: `openid email profile`

- **Groups Attribute Name:**  
  Leave blank unless you are mapping groups.

- **JWS Algorithm:**  
  Select or enter: `RS256`

After entering these values, click **Save** in Nirmata.

**Note:**  
- Ensure that the redirect URIs in Okta match those configured in Nirmata.
- If you encounter errors, double-check that all values (especially Discovery URI and Client Secret) are correct and up to date.
## Troubleshooting

### Error: `idx.error.code.no_matching_policy` (Seen in Okta Admin Console)
- **Message:** "You are not allowed to access this app. To request access, contact an admin."
- **Solution:**
  - In the Okta Admin Console, navigate to **Security > API > Authorization Servers**.
  - Select your authorization server (e.g., "default").
  - Go to the **Access Policies** tab.
  - Click **Add New Access Policy** or edit an existing one.
  - Add a rule with the following settings:
    - **Grant type**: Enable **Authorization Code** and any other required grants.
    - **User is**: Any user assigned the app (or as per your requirements).
    - **Scopes requested**: Any scopes (or specify as needed).
    - **Access token lifetime**: Set as required (e.g., 1 hour).
    - **Refresh token lifetime**: Set as required (e.g., 90 days).
  - Save the rule.

### Error: PKCE Code Verifier Required (Seen in Nirmata UI)
- **Message:** "Sign in failed (400 - OIDC error: Bad token response, error=invalid_request, description=PKCE code verifier is required by the application.)"
- **Solution:** In the Okta app's General settings, uncheck **Require PKCE as additional verification** under Proof Key for Code Exchange (PKCE).

### Error: No JWS Algorithm Supported (Seen in Nirmata UI)
- **Message:** "Sign in failed (400 - OIDC error: There must at least one JWS algorithm supported on the OpenID Connect provider side)."
- **Solution:** In Nirmata's OIDC configuration, enter the full OpenID Connect Discovery URI from Okta (the URL ending in `/.well-known/openid-configuration`, not just the OIDC endpoint). Example: `https://admin-nirmata.okta.com/oauth2/default/.well-known/openid-configuration`.
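The following pre-flight check is an added example, not part of the Nirmata documentation or product: it validates the Discovery URI value before it is pasted into Nirmata (catching a bare authorization-server URL or a leftover `<placeholder>`) and checks that the discovery document Okta serves advertises the `RS256` algorithm and the `openid email profile` scopes the guide configures. The `SAMPLE_DOC` dictionary and the `example-org.okta.com` domain are constructed for illustration; `fetch_discovery_document()` retrieves the live document when run against a real org.

```python
import json
import urllib.request

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
REQUIRED_SCOPES = {"openid", "email", "profile"}  # the Scopes value the guide enters in Nirmata
JWS_ALG = "RS256"                                  # the JWS Algorithm value the guide selects

# Constructed sample shaped like an Okta discovery document (placeholder org, not a live response).
SAMPLE_DOC = {
    "issuer": "https://example-org.okta.com/oauth2/default",
    "authorization_endpoint": "https://example-org.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example-org.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://example-org.okta.com/oauth2/default/v1/keys",
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

def validate_discovery_uri(uri: str) -> list[str]:
    """Check the Discovery URI value before it is pasted into Nirmata; returns problems found."""
    problems = []
    if not uri.startswith("https://"):
        problems.append("Discovery URI must use https")
    if "<" in uri or ">" in uri:
        problems.append("Discovery URI still contains a <placeholder> or a stray '>'")
    if not uri.endswith(DISCOVERY_SUFFIX):
        problems.append(f"Discovery URI must end with {DISCOVERY_SUFFIX}, not stop at the issuer")
    return problems

def validate_discovery_document(doc: dict) -> list[str]:
    """Check that the discovery document advertises what the guide's Nirmata settings rely on."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"discovery document lacks '{key}'")
    if JWS_ALG not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append(f"provider does not advertise {JWS_ALG} for ID token signing")
    if "scopes_supported" in doc:  # RECOMMENDED in the OIDC Discovery spec, so only checked when present
        missing = REQUIRED_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append(f"provider does not advertise scopes {sorted(missing)}")
    return problems

def fetch_discovery_document(uri: str, timeout: float = 10.0) -> dict:
    """Download and parse the live document; call only after validate_discovery_uri() passes."""
    with urllib.request.urlopen(uri, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))

if __name__ == "__main__":
    print(validate_discovery_uri("https://example-org.okta.com/oauth2/default") or "Discovery URI ok")
    print(validate_discovery_document(SAMPLE_DOC) or "sample document satisfies the guide's settings")
```

Running the script as-is reports the bare authorization-server URL as a problem, which is the misconfiguration behind the JWS algorithm error above.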

