How to Configure Okta as an External Identity Provider for PlainID SSO: A Complete Beginner’s Guide

In this guide, you’ll learn how to integrate Okta as an external identity provider (IdP) for PlainID, enabling seamless Single Sign-On (SSO) for your applications via OIDC (OpenID Connect). We’ll start from scratch, including creating an Okta developer account, setting up apps, configuring PlainID tenant settings, resolving common errors, and managing users, with detailed steps and explanations. 

Prerequisites

Before we start, ensure you have: 

  • A valid PlainID tenant (e.g., <company>.us1.plainid.io) 
  • A PlainID admin account  
  • Basic familiarity with SSO/IdP concepts helps but is not required; this guide explains it all. 

Step 1: Create an Okta Developer Account

Visit https://developer.okta.com/signup/ to create an account. 

You’ll be presented with three account types: 

Choose the Developer Account. This version is free and is sufficient for testing OIDC integrations such as this one with PlainID. 

Step 2: Create a Web Application in Okta

  1. Go to Applications → Create App Integration 
  2. Select: 
     • Sign-in method: OIDC – OpenID Connect 
     • Application type: Web Application 
     • Click Next 
  3. Set the Web App Integration settings: 
     • App name: PlainID SSO (or any name you deem appropriate) 
     • Grant type: check Authorization Code 
     • Sign-in redirect URI: leave blank for now 
     • Sign-out redirect URI: leave blank for now 
     • Click Save to generate the app integration 

Step 3: Configure Sign-in and Sign-out Redirect URIs in Okta

After saving your app: 

  • Scroll to the Login section under your app’s General settings 
  • Click Edit 

Copy the Sign-in Redirect URI from your PlainID tenant (read the warning below before making this change): 

  • Log in to PlainID 
  • Click the gear icon at the top right > Settings 
  • Go to Tenant IDP Settings 
  • Set IDP Source to External IdP 

⚠️ Important Warning: 

If you switch to External IdP without a working redirect URI or an admin-access recovery plan, you may be locked out permanently. Always test with a second “backdoor” admin account configured for internal login before switching. 

Paste the copied URI into the Sign-in redirect URI field in Okta. 

  • Set Login initiated by to: App only 

Step 4: Configure the Sign-Out URL

Why This Is Important: 

When users log out of PlainID, the logout request is sent to Okta. Okta needs to know where to redirect users after logging out. If this isn’t configured correctly, users will get stuck with a 400 error like: 

Error: The ‘post_logout_redirect_uri’ parameter must be a Logout redirect URI in the client app settings 

How to Fix It: 

  1. Go to your Okta developer portal 
  2. Navigate to your application (e.g., “PlainID SSO”) 
  3. Click the General tab 
  4. Scroll down to the Login section 
  5. Click Edit 
  6. Under Sign-out redirect URIs, add the following: 

https://auth.us1.plainid.io/auth/realms/<PlainID-Company-Name>/broker/tenant_idp/endpoint/logout_response 

(Replace <PlainID-Company-Name> with your actual PlainID company name. The company name is the first label of your PlainID URL: for https://trustaxisinc.us1.plainid.io, the company name is “trustaxisinc”.) 

  7. Save the changes 
  8. Confirm that logout works 

After doing this, when users log out of PlainID they are redirected through Okta and returned cleanly, without the 400 error. 

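
The logout error above comes down to exact string matching between the URI PlainID sends as post_logout_redirect_uri and the list configured in Okta. The following is an added example (my own code, not the guide's, PlainID's or Okta's): it derives the logout_response URI from a tenant URL and checks a configured sign-out redirect URI against it the way an IdP allow list does, naming the usual near misses (trailing slash, http instead of https, letter case). It assumes the host pattern generalises from us1 to auth.<region>.plainid.io, and that Okta compares the URI verbatim, which is what the OAuth 2.0 Security Best Current Practice requires; the tenant URL and configured values are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed sample values (not from any real tenant): the PlainID tenant URL as
# shown in the browser, and the sign-out redirect URIs configured in the Okta app.
TENANT_URL = "https://trustaxisinc.us1.plainid.io"
CONFIGURED_SIGNOUT_URIS = [
    "https://auth.us1.plainid.io/auth/realms/trustaxisinc/broker/tenant_idp/endpoint/logout_response/",
]


def expected_logout_response_uri(tenant_url):
    """Derive the logout_response endpoint PlainID sends as post_logout_redirect_uri.

    Assumption: the tenant host is <company>.<region>.plainid.io and the broker host
    is auth.<region>.plainid.io, generalised from the us1 examples in the guide.
    """
    host = urlsplit(tenant_url).hostname
    labels = host.split(".") if host else []
    if len(labels) != 4 or labels[2:] != ["plainid", "io"]:
        raise ValueError(f"unexpected tenant host: {host!r}")
    company, region = labels[0], labels[1]
    return (f"https://auth.{region}.plainid.io/auth/realms/{company}"
            "/broker/tenant_idp/endpoint/logout_response")


def check_logout_redirect(post_logout_redirect_uri, configured_uris):
    """Reproduce the IdP-side allow-list check and explain a failure.

    The URI must appear verbatim in the configured list (exact string comparison,
    as the OAuth 2.0 Security BCP requires for redirect URIs). When it does not,
    the diagnostics point at the usual configuration slip.
    """
    if post_logout_redirect_uri in configured_uris:
        return True, "exact match"
    want = urlsplit(post_logout_redirect_uri)
    for candidate in configured_uris:
        have = urlsplit(candidate)
        if have.netloc.lower() != want.netloc.lower():
            continue
        if have.scheme != want.scheme and have.path == want.path:
            return False, f"scheme differs: configured {have.scheme}, expected {want.scheme}"
        if have.path.rstrip("/") == want.path.rstrip("/"):
            return False, "trailing slash differs"
        if have.path.lower() == want.path.lower():
            return False, "letter case differs (the path is compared case-sensitively)"
        return False, f"path differs: configured {have.path}"
    return False, "no configured sign-out redirect URI is on the expected host"


if __name__ == "__main__":
    expected = expected_logout_response_uri(TENANT_URL)
    print("PlainID will send:", expected)
    ok, reason = check_logout_redirect(expected, CONFIGURED_SIGNOUT_URIS)
    print("Okta would accept it:" if ok else "Okta would reject it (400):", reason)
```

Run it with your own tenant URL in TENANT_URL and the values you pasted into Okta in CONFIGURED_SIGNOUT_URIS; the sample deliberately carries a trailing slash so the mismatch diagnostic is visible.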
Step 5: Disable Federation Broker Mode (Optional but Recommended)

What Is It? 

Federation Broker Mode lets Okta assign users to apps automatically based on their identity from external identity providers. In this flow you are not assigning users explicitly, because PlainID controls access. 

Problem: 

If Federation Broker Mode is enabled and you don’t assign users directly to the Okta app, users will get: 

You are not allowed to access this app. To request access, contact an admin. 

Fix: 

  1. Go to Okta → Applications 
  2. Open the PlainID SSO app 
  3. Scroll to the bottom 
  4. Click the Edit button (top right of the section) 
  5. Disable Federation Broker Mode 

This ensures Okta handles the OIDC flow initiated from the PlainID side correctly. 

After doing so, go to the Assignments tab in the application settings and add users to the app manually. 

Step 6: Configure PlainID

Log into PlainID → Go to Tenant Settings → General Details & IDP Application Settings 

  1. Scroll to the section titled General Details 
  2. Find the field labeled Metadata URL 

In Okta, your Metadata URL is: 

https://<your-domain>/oauth2/default/.well-known/openid-configuration

(Replace <your-domain> with your actual Okta tenant domain, e.g., dev-66666666.okta.com.) 

  3. Paste this Metadata URL into the field in PlainID 
  4. Click the Import button next to it 

What Happens After Clicking “Import” 

PlainID will automatically fetch and populate the following fields using the Metadata URL: 

  • Authorization URL 
  • Token URL 
  • Logout URL 
  • JWKS URL 
  • Issuer 

This avoids manual entry errors and ensures consistency with your Okta configuration. 
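What the Import button does is read the OpenID Connect discovery document at the Metadata URL and copy the standard keys into the fields listed above. The following added example (my code, not PlainID's or Okta's) performs the same mapping on a constructed discovery document and then runs the sanity checks worth making before trusting imported values: every URL is https, every endpoint sits on the same host as the issuer, and the issuer host is the Okta domain you expected. The sample JSON is a trimmed stand-in using the guide's placeholder domain dev-66666666.okta.com; that PlainID reads exactly these discovery keys is an assumption.

```python
import json
from urllib.parse import urlsplit

# Constructed sample discovery document. It is a trimmed stand-in for what
# https://<your-domain>/oauth2/default/.well-known/openid-configuration returns;
# dev-66666666.okta.com is the placeholder domain the guide uses, not a real tenant.
SAMPLE_DISCOVERY_JSON = """{
  "issuer": "https://dev-66666666.okta.com/oauth2/default",
  "authorization_endpoint": "https://dev-66666666.okta.com/oauth2/default/v1/authorize",
  "token_endpoint": "https://dev-66666666.okta.com/oauth2/default/v1/token",
  "end_session_endpoint": "https://dev-66666666.okta.com/oauth2/default/v1/logout",
  "jwks_uri": "https://dev-66666666.okta.com/oauth2/default/v1/keys",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "id_token_signing_alg_values_supported": ["RS256"]
}"""

# PlainID field (as named in the guide) -> OpenID Connect Discovery 1.0 key.
# The discovery keys are standard; that PlainID's import reads exactly these keys
# is an assumption made for this example.
PLAINID_FIELDS = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Logout URL": "end_session_endpoint",
    "JWKS URL": "jwks_uri",
    "Issuer": "issuer",
}


def parse_discovery(document_text):
    """Parse a discovery document and return the five fields PlainID populates."""
    doc = json.loads(document_text)
    missing = [key for key in PLAINID_FIELDS.values() if key not in doc]
    if missing:
        raise ValueError(f"discovery document lacks required keys: {missing}")
    return {field: doc[key] for field, key in PLAINID_FIELDS.items()}


def validate_fields(fields, expected_okta_domain):
    """Sanity checks before trusting imported values.

    Returns a list of problems (empty when everything is consistent): every URL
    must be https, every endpoint must live on the same host as the issuer, and
    the issuer host must be the Okta domain you configured.
    """
    problems = []
    issuer = urlsplit(fields["Issuer"])
    if issuer.scheme != "https":
        problems.append("Issuer is not https")
    if issuer.hostname != expected_okta_domain:
        problems.append(f"Issuer host {issuer.hostname!r} is not {expected_okta_domain!r}")
    for name, value in fields.items():
        if name == "Issuer":
            continue
        url = urlsplit(value)
        if url.scheme != "https":
            problems.append(f"{name} is not https")
        if url.hostname != issuer.hostname:
            problems.append(f"{name} is on {url.hostname!r}, not the issuer host")
    return problems


if __name__ == "__main__":
    imported = parse_discovery(SAMPLE_DISCOVERY_JSON)
    for field, value in imported.items():
        print(f"{field:18} {value}")
    print("problems:", validate_fields(imported, "dev-66666666.okta.com") or "none")
```

To check a live tenant, fetch the Metadata URL (for example with curl) and pass the response body to parse_discovery instead of the sample string; any entry in the returned problem list is worth resolving before flipping IDP Source to External IdP.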

Also complete the following: 

  • Claim Name: admin 
  • Claim Value: true 

This claim determines which users are granted admin access in PlainID. 

Step 7: Create Admin Claim in Okta

In Okta, go to Security → API → Authorization Servers → default → Claims: 

  1. Click Add Claim 
  2. Name: admin 
  3. Value type: Expression 
  4. Value: true 
  5. Token type: ID Token 
  6. Scope: Any 
  7. Include in token: Always 
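
The claim configured above appears in the ID token as a JSON member named admin. The following added example (my code, not the guide's, PlainID's or Okta's) mints a constructed ID token and shows the checks a relying party should make before honouring it: the signature, iss, aud and exp, and that admin is actually true. Okta signs ID tokens with RS256 against the key published at the JWKS URL; the HS256 shared key, issuer, client ID and subject below are constructed placeholders so the example runs offline. One caveat the example makes visible: the expression `true` evaluates the same for every user, so every ID token this authorization server issues carries admin=true, and if only some users should be PlainID admins the claim expression has to distinguish them.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for an offline demonstration (none of these are real):
ISSUER = "https://dev-66666666.okta.com/oauth2/default"   # placeholder domain from the guide
CLIENT_ID = "client-id-placeholder"                        # your Okta app's client ID goes here
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
# Okta signs ID tokens with RS256 using the key at the JWKS URL; this example
# uses HS256 with a shared key so the whole exchange runs offline.


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, key):
    """Build a signed JWT carrying the given claims (stands in for Okta's issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def validate_id_token(token, key, expected_issuer, expected_audience, now=None):
    """Return the claims if the token is acceptable for admin access; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(signature_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or has no exp")
    # The guide enters Claim Value "true" on the PlainID side; Okta's expression
    # `true` yields a JSON boolean, so accept the boolean and, defensively, the string.
    admin = claims.get("admin")
    if not (admin is True or admin == "true"):
        raise ValueError("admin claim missing or not true")
    return claims


def describe(token, key=DEMO_KEY, issuer=ISSUER, audience=CLIENT_ID, now=None):
    """Human-readable outcome, handy for checking several tokens in a row."""
    try:
        claims = validate_id_token(token, key, issuer, audience, now)
        return f"accepted: {claims['sub']}"
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    base = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice@example.com",
            "exp": int(time.time()) + 3600}
    print(describe(mint_id_token({**base, "admin": True}, DEMO_KEY)))
    print(describe(mint_id_token(base, DEMO_KEY)))                   # no admin claim
    print(describe(mint_id_token({**base, "admin": True}, b"other-key")))  # wrong key
```

The three printed lines show an accepted token, a token rejected because the admin claim is absent, and one rejected because the signature does not verify; the same validator also rejects an expired token or one whose issuer is not the configured Okta authorization server.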
Common Errors and Fixes

Error: “400 Bad Request – Policy Evaluation Failed” 

Fix: Ensure the correct Authentication Policy is attached to the app and that it allows federated IdP access. 

Error: “You are not allowed to access this app” 

Fix: You are likely not assigned to the application in Okta. Go to: 

  • User Profile → Applications → Assign Applications → select your app 

Note: If Federation Broker Mode is enabled, direct assignment might not be needed, but you still need the proper token claims. 

Error: “Post_logout_redirect_uri must be in app settings” 

Fix: Go to the Okta app → General Settings and add the PlainID logout URL (or home URL) to Sign-out redirect URIs. 

Example: 

  • https://auth.us1.plainid.io/auth/realms/<PlainID-Company-Name>/broker/tenant_idp/endpoint/logout_response 

Step 8: Testing SSO Login and Logout

Visit: 

https://<company>.us1.plainid.io 

This should redirect you to Okta, authenticate you, and return you to PlainID logged in. 

For logout, ensure the post-logout redirect that PlainID sends matches, exactly, the sign-out redirect URI you added to the Okta app.

Step 9: Adding New Users in Okta

  1. Go to Directory → People → Add Person 
  2. Enter the user details and ensure that: 
     • the user receives the admin=true claim if you want them to access PlainID admin 
     • the user can authenticate with the configured method (password or MFA) 

Users log in through the same flow: PlainID redirects them to Okta and back. 

Final Checklist

  • Okta Developer account created 
  • Web app created using OIDC 
  • PlainID configured with the Okta metadata URL 
  • ID token claim admin=true configured 
  • Authentication policy created and applied (optional) 
  • Redirect URIs and logout URIs set 
  • Successfully authenticated into PlainID 

Conclusion

By following this guide, you have fully integrated Okta as an external IdP for PlainID using OIDC. It covers the common login and logout errors, explains how to assign users and access rights, and leaves you ready for production-level federation. 

This setup is perfect for enterprises moving towards policy-based access control (PBAC), with centralized identity and access governance. 

Keywords:

PlainID Okta Integration, Okta as External IdP, SSO Federation Setup, OpenID Connect PlainID, Okta Identity Provider Guide