Skip to main content

Okta OIDC integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

OIDC (OpenID Connect) is an open standard protocol that provides a way to authenticate and authorize access to applications without giving the application your login credentials.

Arculix by SecureAuth, offers a simple method for adding single sign-on (SSO) MFA to Okta with its OIDC solution.


  • Configured Arculix instance and user account with administrative privileges for Arculix.

  • Configured Arculix LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • User account with administrative privileges for Okta.

Add OIDC application in Arculix

In this section, you'll configure Arculix to act as an OIDC Provider to authenticate the user and grant access to Okta.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

    Create new application
  3. In the New Application form, on the General tab, set the following configurations:


    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, Okta-OIDC.


    Set to OpenID Connect Relying Party Application [oidc_client].

    Out of Band Methods 

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests 

    Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

  4. Select the OIDC Configuration tab, and set the following configurations:


    Login URL 

    Optional. Enter the login URL for your Okta instance.

    Redirect URLs

    Enter the redirect URL (Redirect_uri) that Arculix will use to send back the authorization code.

    You can register more than one redirect URL (Redirect_uri).

    For Okta it should be:

    Client Settings 


    Application Type 

    Set to Web application.

    Grant Type 

    Set to Authorization code – User logs in to the application, then the application redirects the flow to Arculix for authentication. After authentication, Arculix returns an authorization code to the application, then exchanges the code for an access token and an identity token.

    Authentication Method 

    Set to Post – Authenticates using the HTTP POST method, also known as the forms post response mode.

    Scopes and Claims 


    Select the following scopes:

    • profile – Allow access to user's profile information like postal address and phone number.

    • email – Allow access to user's email address.


    Access Token Timeout 

    Set how long the access token is valid for before it times out. By default this set to 1 minute.

    Refresh Token Timeout 

    Set how long the refresh token is valid for before it times out and requires the user to reauthenticate. By default this is set to 1 day.

  5. Save your changes.

  6. Edit the configured OIDC application and select the Advanced tab.

  7. Copy the UID and Secret values.

    You will need these for the Okta configuration.


Okta configuration

In this section, you will configure the Okta application that supports OIDC.

  1. Log in to Okta with an administrator account.

  2. In the left navigation, go to Identity Providers, select Add Identity Provider then click OpenID Connect.

  3. Set the following configurations.

    General Settings


    Enter a name for the OIDC application.

    IdP Usage

    Set to SSO only.


    Set to the same scopes that you selected earlier in the Arculix OIDC application.

    For example, set to email, openid, and profile.

    Redirect Domain

    Set to Dynamic (based on request domain).

    Client Details

    Client ID

    Paste the UID value copied from Okta OIDC application in Arculix.

    Authentication type

    Select Client Secret.

    Client Secret

    Paste the Secret value copied from the Okta OIDC application in Arculix.

    Authorize requests

    Select or clear the Enabled signed requests check box.

    Proof key for code exchange (PKCE)

    Select the Require PKCE as additional verification check box.

  4. In a browser, open the well-known endpoint URL in this format:<organization>/oauth2/v1/.well-known/openid-configuration

    The Endpoints page appears with the following URLs:



    The URL identifying the issuer of this endpoint.

    For example,{organization}/oauth2/v1/

    Authorization endpoint

    The authorization endpoint URL.

    For example,{organization}/oauth2/v1/auth.

    Token endpoint

    The token endpoint URL.

    For example,{organization}/oauth2/v1/token.

    JWKS endpoint

    The JSON Web Key Set (JWKS) endpoint URL. This validates the the JWT tokens using JWKS for this tenant.

    For example,{organization}/oauth2/v1/jwks.

  5. On the Identity Providers page, select the Routing rules tab and click Add Routing Rule.

  6. Add a rule to enable Arculix OIDC in the login page.

  7. Save your changes.

Test your OIDC application integration

  1. Go to the login URL for your Okta application.

  2. Click Sign in with Arculix.

  3. You will be redirected to the Arculix SSO page.

    Application login page with QR code
  4. After successful authentication, select your preferred MFA method to approve access to the Okta application.

    Select MFA method
  5. You'll be redirected to the Okta dashboard home page.


If you have questions or need assistance, contact SecureAuth Support.


Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.


All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.