Docs/Single sign-on

Okta

~10 minutes

Configure OpenID Connect sign-in against Okta. Create a Web Application integration, point it at Wando's callback URL, then assign the users or groups who should be able to sign in.

Before you start

An Okta tenant on the Workforce Identity Cloud.
A Super Admin or App Admin role in that Okta tenant.
Your Wando contact on standby to receive the credentials at the end.

Steps

1
Open the Okta Admin Console
Sign in to your Okta admin URL (typically https://<your-tenant>-admin.okta.com). The "<your-tenant>.okta.com" part of the URL is your Okta domain — you will need it later.
2
Create an app integration
In the left navigation open Applications → Applications, then click "Create App Integration".
3
Choose OIDC + Web Application
For "Sign-in method" pick "OIDC - OpenID Connect", and for "Application type" pick "Web Application". Click "Next".
4
Fill in the integration settings
Set "App integration name" to "Wando". Under "Grant type" keep "Authorization Code" checked and add "Refresh Token" so sessions can be renewed without re-prompting.
App integration name
Wando
Grant type
Authorization Code, Refresh Token
Sign-in redirect URI
https://www.wando.tromb.com/api/auth/callback/<your-provider-id>
Sign-out redirect URI
https://www.wando.tromb.com
5
Choose who can sign in
Under "Assignments", pick either "Allow everyone in your organization to access" or "Limit access to selected groups", then save.
6
Copy the Client ID and Client secret
On the integration's General tab, find "Client Credentials". Copy the Client ID. Click "Edit", switch "Client authentication" to "Client secret", and copy the generated secret. Both go into Wando in the final step.
7
Note the Okta issuer URL
Wando uses the OIDC discovery endpoint to find Okta's authorize / token / userinfo URLs. The pattern is:
```
https://<your-tenant>.okta.com
```
If you use a custom Okta authorization server, append `/oauth2/<authServerId>`.

Hand off to Wando

Send your values to your Wando contact

hej@wando.app

Send the values below to your Wando contact. They will wire them into your organisation's SSO config and confirm when Okta sign-in is live for assigned users.

Suggested provider ID: okta-<short-org-name>
Issuer URL: https://<your-tenant>.okta.com
Email domain: acme.com
Client ID: From step 6
Client secret: From step 6

Steps

Open the Okta Admin Console

Sign in to your Okta admin URL (typically https://<your-tenant>-admin.okta.com). The "<your-tenant>.okta.com" part of the URL is your Okta domain — you will need it later.

Create an app integration

In the left navigation open Applications → Applications, then click "Create App Integration".

Choose OIDC + Web Application

For "Sign-in method" pick "OIDC - OpenID Connect", and for "Application type" pick "Web Application". Click "Next".

Fill in the integration settings

Set "App integration name" to "Wando". Under "Grant type" keep "Authorization Code" checked and add "Refresh Token" so sessions can be renewed without re-prompting.

App integration name: Wando
Grant type: Authorization Code, Refresh Token
Sign-in redirect URI: https://www.wando.tromb.com/api/auth/callback/<your-provider-id>
Sign-out redirect URI: https://www.wando.tromb.com

Choose who can sign in

Under "Assignments", pick either "Allow everyone in your organization to access" or "Limit access to selected groups", then save.

Copy the Client ID and Client secret

On the integration's General tab, find "Client Credentials". Copy the Client ID. Click "Edit", switch "Client authentication" to "Client secret", and copy the generated secret. Both go into Wando in the final step.

Note the Okta issuer URL

Wando uses the OIDC discovery endpoint to find Okta's authorize / token / userinfo URLs. The pattern is:

https://<your-tenant>.okta.com

If you use a custom Okta authorization server, append `/oauth2/<authServerId>`.