This guide is for companies who use Okta and would like to set Okta up as the Single Sign-On (SSO) provider for KPA Flex. Please send questions to [email protected]
First you need to add KPA Flex to your Okta account as an application. Go to your Applications tab and press “Add Application”:
Then press “Create New App”:
Choose “OpenID Connect” and press Create:
Enter the following settings:
In Okta, under the “General” tab for the new “KPA Flex” application (the one you just created), you’ll find a “Client Credentials” section. Here you’ll find the Client ID and Client secret:
We also need your Okta subdomain. Click on the “Sign On” tab for the KPA Flex application and scroll down to the “OpenID Connect ID Token” section. The “Issuer” field will tell you your subdomain.
In this example, the Issuer is https://iscout.okta.com, so the subdomain is “iscout”.
This information is sensitive, so find a secure way to send KPA Flex the following information. For example, gmail has a “confidential mode” that would be sufficient.
The info you need to send should have this format:
{ "authorizationURL": "https://**********.okta.com/oauth2/v1/authorize", "tokenURL": "https://**********.okta.com/oauth2/v1/token", "clientID": "********************", "clientSecret": "****************************************" }
So, for example, this would be a realistic setup:
{ "authorizationURL": "https://mycompany.okta.com/oauth2/v1/authorize", "tokenURL": "https://mycompany.okta.com/oauth2/v1/token", "clientID": "Xa1v1wf33c7LzKvCfake", "clientSecret": "xfXinXklT6BSllnLlsij39O8tBd0uItTQKwffake" }
Once the KPA Flex team receives your credentials, we will enable the SSO button on your login page to begin testing.
Once testing has been complete, we can continue to allow username/password login, or we can remove the username/passwords field and require SSO for your employees.