Okta SSO

Sign in to ComplianceScout with Okta over OpenID Connect.

OpenID Connect (OIDC)

Okta can also federate over SAML 2.0 — use the generic SAML reference on the SSO index if you prefer SAML.

Values to give Okta

Copy these from ComplianceScout → Settings → SSO when you create the connection. The exact, per-connection values are shown there.

Redirect URI (Sign-in redirect URI / Allowed Callback URL): https://<your-app-host>/sso/oidc/callback/<connectionId>

Copy the exact value shown in ComplianceScout → Settings → SSO when you create the connection. Do not hand-type it — most IdPs require an exact match (case and trailing slash included).

Configure Okta

Steps verified against the vendor documentation linked at the bottom of this page. Labels can change — that link is the source of truth.

  1. Sign in to the Okta Admin Console as an administrator.

  2. Go to Applications → Applications and click Create App Integration.

  3. For Sign-in method choose OIDC - OpenID Connect, and for Application type choose Web Application. Click Next.

  4. Give the integration a name (for example, ComplianceScout).

  5. Under Sign-in redirect URIs, paste the Redirect URI exactly as shown in ComplianceScout → Settings → SSO.

  6. Under Assignments, choose who can use the app (assign the users or groups that should be able to sign in), then click Save.

  7. On the application's General tab, find the Client Credentials section and copy the Client ID and Client secret.

  8. Determine your Issuer URL: use your Okta org URL (https://<your-org>.okta.com) for the org authorization server, or https://<your-org>.okta.com/oauth2/default for the default custom authorization server. Use the org URL unless you specifically rely on a custom authorization server.

Values to enter in ComplianceScout

Back in Settings → SSO, paste these into the connection and save.

Issuer URL: https://<your-org>.okta.com

Or https://<your-org>.okta.com/oauth2/default if you use the default custom authorization server. The issuer you enter must match the authorization server that mints the token.

Client ID: <client-id>
Client Secret: <client-secret>
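The issuer and redirect-URI rules above are easy to get subtly wrong, so here is the relying-party side of them in code. This is an added example, not ComplianceScout's own code: the hostnames, client ID, connection ID and token payloads are constructed placeholders, and the claim checks run only after the token's signature has been verified against the issuer's JWKS (which this snippet deliberately leaves out).

```python
"""Claim checks a relying party applies to an Okta ID token.

Added example, not ComplianceScout code.  All hostnames, ids and tokens below
are constructed.  Signature verification against the issuer's JWKS must happen
before any of these checks and is out of scope here.
"""
import base64
import json
import time
from typing import Optional

# Constructed configuration values; the real ones come from Settings -> SSO.
ORG_ISSUER = "https://example-org.okta.com"                  # org authorization server
DEFAULT_AS_ISSUER = "https://example-org.okta.com/oauth2/default"  # default custom AS
CLIENT_ID = "0oaEXAMPLEclientid"
REDIRECT_URI = "https://scout.example.com/sso/oidc/callback/conn_123"


def redirect_uri_matches(registered: str, presented: str) -> bool:
    """IdPs compare redirect URIs byte for byte: case and trailing slash both count."""
    return registered == presented


def make_demo_token(claims: dict) -> str:
    """Build a constructed compact JWS with a placeholder signature for the demo."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "constructed-kid"}
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"


def decode_payload(id_token: str) -> dict:
    """Return the JWT payload as a dict.  Call only after signature verification."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_claims(claims: dict, expected_issuer: str, client_id: str,
                    now: Optional[float] = None) -> list:
    """Return a list of failures; an empty list means the token is acceptable.

    The issuer check is the one the page warns about: a token minted by
    /oauth2/default is rejected when the connection is configured with the
    bare org URL, and vice versa.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(
            f"issuer mismatch: token iss={claims.get('iss')!r}, configured {expected_issuer!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("audience does not include our client_id")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


if __name__ == "__main__":
    # Token minted by the default custom authorization server, checked against
    # a connection configured with the org URL: the classic mismatch.
    token = make_demo_token({"iss": DEFAULT_AS_ISSUER, "aud": CLIENT_ID,
                             "exp": int(time.time()) + 300})
    print(validate_claims(decode_payload(token), ORG_ISSUER, CLIENT_ID))
    print(validate_claims(decode_payload(token), DEFAULT_AS_ISSUER, CLIENT_ID))
```

Running the block prints one failure for the org-URL configuration and an empty list once the issuer is set to the /oauth2/default form, which is exactly the fix the troubleshooting note below describes.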

Role mapping (optional)

To map Okta groups to ComplianceScout roles, add a groups claim to the ID token:

  • Custom authorization server: Security → API → Authorization Servers → (your server) → Claims → Add claim. Name it "groups", set Include in to ID Token, Value type to Groups, and Filter to Matches regex .*.
  • Org authorization server: add the Groups claim via the application's OpenID Connect ID-token group filter.

Then set ComplianceScout's role-mapping claim to "groups".

MFA pass-through (optional)

If you enable "Trust IdP for MFA" in ComplianceScout, it treats a sign-in as MFA-verified when the ID token's OIDC amr claim contains "mfa". Configure an Okta sign-on policy that requires MFA so that Okta emits this value.
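How the two optional claims above are consumed on the application side, as an added example rather than ComplianceScout's own implementation. The claim name "groups" and the amr value "mfa" come from this page; the Okta group names, role names and the ordered mapping table are constructed for the demo. Both checks are deliberately fail-closed: a missing or wrongly typed claim yields no role and no MFA credit.

```python
"""Consume the optional groups claim and the amr claim from an Okta ID token.

Added example, not ComplianceScout code.  Group and role names are constructed;
"groups" and "mfa" are the claim name and value the page describes.
"""

# Constructed mapping: Okta group name -> application role.  Ordered, most
# privileged first, so a user in several mapped groups gets the highest role.
GROUP_ROLE_MAP = [
    ("ComplianceScout-Admins", "admin"),
    ("ComplianceScout-Auditors", "auditor"),
    ("ComplianceScout-Users", "viewer"),
]

# No matching group means no access rather than a silently granted default.
DEFAULT_ROLE = None


def role_from_claims(claims: dict, claim_name: str = "groups"):
    """Map the configured role-mapping claim to a role, or DEFAULT_ROLE."""
    groups = claims.get(claim_name)
    # A Groups-type claim is a JSON array.  Anything else (missing claim, or a
    # bare string) is treated as "no groups"; without this guard a string value
    # would match by substring via the `in` operator.
    if not isinstance(groups, list):
        groups = []
    for group, role in GROUP_ROLE_MAP:
        if group in groups:
            return role
    return DEFAULT_ROLE


def mfa_satisfied(claims: dict, trust_idp_for_mfa: bool) -> bool:
    """Return True only when we trust the IdP for MFA and amr asserts "mfa".

    With trust disabled the IdP's assertion is ignored entirely, so the
    application's own MFA step still applies.
    """
    if not trust_idp_for_mfa:
        return False
    amr = claims.get("amr")
    if not isinstance(amr, list):
        return False
    return "mfa" in amr


if __name__ == "__main__":
    # Constructed claims as Okta would emit them after the groups claim is
    # added and an MFA-requiring sign-on policy is in place.
    sample = {"groups": ["Everyone", "ComplianceScout-Auditors"], "amr": ["pwd", "mfa"]}
    print(role_from_claims(sample), mfa_satisfied(sample, trust_idp_for_mfa=True))
```

Note that the Filter of Matches regex .* from the setup steps puts every group the user belongs to into the token; the mapping only acts on the names it knows, which is why the table above is the place to control access rather than the filter.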

Things to watch for

  • Choose Web Application, not SPA or Native — ComplianceScout needs a confidential client with a secret.
  • Issuer mismatch is the most common failure: if you added the groups claim on the default custom authorization server, your Issuer URL must be the /oauth2/default form, not the bare org URL.

Ready to turn on Okta SSO?

Configure the connection in Settings → SSO, then test sign-in before rolling it out to your team.