Okta

Configure an Okta OIDC application so Sema4.ai can sign users in over OIDC. Follow these steps, then bring the resulting Discovery URL, Client ID, and Client Secret to your deployment.

Replace <YOUR_HOSTNAME> with your deployment's hostname, and <YOUR_OKTA_DOMAIN> with your Okta org domain (e.g. acme.okta.com).

What you'll collect

| Value         | Where it comes from                                  | Values file key  |
|---------------|------------------------------------------------------|------------------|
| Discovery URL | Okta's OpenID configuration endpoint (see Step 3)    | oidcServer       |
| Client ID     | The application's General tab                        | oidcClientId     |
| Client Secret | The application's General tab (client secret)        | oidcClientSecret |

Step 1: Create the app integration

  1. In the Okta Admin Console, go to Applications > Applications and click Create App Integration.
  2. Select OIDC - OpenID Connect, then Web Application, and click Next.
  3. Give the app a name (for example, "Sema4.ai Agents").
  4. Under Grant type, ensure Authorization Code is selected.
  5. Set the Sign-in redirect URI to https://<YOUR_HOSTNAME>/oidc/login/callback. You don't need a sign-out redirect URI.
  6. Under Assignments, choose who can access the app (see Step 4), then Save.

Step 2: Capture the credentials

On the application's General tab:

  • Copy the Client ID (your Client ID → oidcClientId).
  • Copy the Client secret (your Client Secret → oidcClientSecret).

Step 3: Get the Discovery URL

Your Discovery URL (→ oidcServer) is Okta's OpenID configuration endpoint:

  • Org authorization server: https://<YOUR_OKTA_DOMAIN>/.well-known/openid-configuration
  • Or a custom authorization server: https://<YOUR_OKTA_DOMAIN>/oauth2/<authServerId>/.well-known/openid-configuration (for example /oauth2/default)

Use the org authorization server URL unless your organization standardizes on a custom authorization server. See Okta's authorization servers guide.

Step 4: Restrict who can sign in

Okta controls access through the application's Assignments. Assign only the people or groups who should be able to sign in (or assign everyone in the org). Users who aren't assigned can't sign in.

Step 5: Finalize

You now have the three values from the table at the top of this page:

  • Discovery URL (oidcServer)
  • Client ID (oidcClientId)
  • Client Secret (oidcClientSecret)

Put these in your deployment's values file when you install the application.
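As an added example (not Sema4.ai's or Okta's own code), the following Python script builds the Discovery URL for either the org or a custom authorization server and sanity-checks an openid-configuration document before the URL goes into the values file: the issuer must match the URL, the required endpoints must be present over https, and the authorization code flow must be advertised. The document below is a constructed sample; acme.okta.com is the page's placeholder domain.

```python
from typing import Optional
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(okta_domain: str, auth_server_id: Optional[str] = None) -> str:
    """Build the Discovery URL (oidcServer) for the org or a custom authorization server."""
    base = f"https://{okta_domain}"
    if auth_server_id:
        return f"{base}/oauth2/{auth_server_id}{DISCOVERY_SUFFIX}"
    return base + DISCOVERY_SUFFIX


def check_discovery_document(doc: dict, url: str) -> list:
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")
    # OIDC Discovery: the document lives at <issuer>/.well-known/openid-configuration,
    # so the issuer must equal the Discovery URL minus that suffix.
    expected_issuer = url[: -len(DISCOVERY_SUFFIX)] if url.endswith(DISCOVERY_SUFFIX) else url
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} does not match {expected_issuer!r}")
    # Step 1 selects the Authorization Code grant; the server must advertise it.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = doc.get(key, "")
        if endpoint and urlparse(endpoint).scheme != "https":
            problems.append(f"{key} is not https")
    return problems


# Constructed sample of an org authorization server document (not fetched from Okta).
SAMPLE_DOC = {
    "issuer": "https://acme.okta.com",
    "authorization_endpoint": "https://acme.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://acme.okta.com/oauth2/v1/token",
    "jwks_uri": "https://acme.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "token"],
}

if __name__ == "__main__":
    url = discovery_url("acme.okta.com")
    print(url, check_discovery_document(SAMPLE_DOC, url) or "OK")
```

Against a live org, fetch the JSON at the Discovery URL and pass it to `check_discovery_document` with the same URL; a non-empty result means the value is not ready for the values file.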