Appendix: Example of Identity Provider Configuration

This appendix includes an example of how to configure an Okta OIDC identity provider for OneStream IdentityServer (OIS). Depending on the identity provider and version, the steps you need to complete might be different.

To manage identity providers, you must:

By default, the system configuration enables the feature for managing identity providers. If you need support with the system configuration, submit a Support ticket.

Okta OIDC Identity Provider

The following sections show how to create an Okta application, copy the redirect URI from the OneStream Identity & Access Management Portal, and paste it in the Okta application.

Create an Okta Application

As you complete the steps in this section, you will copy the following information and paste it in the Identity & Access Management Portal:

  • Okta server URL

  • App integration name

  • Client ID

  • Client secret

See Add an OIDC Identity Provider.

  1. Copy the Okta server URL (for example: https://companyname.okta.com). Paste this URL in the Identity & Access Management Portal in the Issuer URL field.

  2. Sign in to Okta and go to Applications > Applications.

  3. Click the Create App Integration button.

    The Okta Applications screen has a navigation pane on the left and a row of buttons to select at the top of the screen. This example highlights the Applications menu and Applications selection in the navigation pane. It also highlights the Create App Integration button, which is blue with white text.

  4. The Create a new app integration dialog box displays.

    1. For Sign-in method, select OIDC - OpenID Connect.

    2. For Application type, select Web Application.

    The Create a new app integration dialog box has sections listed to the left with a list of options to the right with radio buttons that can be selected or cleared. This example highlights the OIDC - OpenID Connect option for Sign-in method and Web Application for Application type.

  5. Click the Next button.

  6. The New Web App Integration page displays.

    1. Enter an App integration name in the field. Copy and paste this name in the Identity & Access Management Portal in the Name field.

    2. For Grant type > Client acting on behalf of a user, verify that Authorization Code is selected.

    3. For Assignments, select Skip group assignment for now.

    4. Click the Save button.

    The New Web App Integration dialog box has sections listed to the left with a list of fields and options to the right with radio buttons that can be selected or cleared. This example highlights the App integration name field, the Grant type client acting on behalf of a user with Authorization Code selected, the Assignments with Skip group assignment for now selected, and the Save button.

  7. The application opens on a new page.

    1. For Client Credentials > Client ID, click the Copy to clipboard icon. Paste it in the Identity & Access Management Portal in the Client ID field.

    2. For CLIENT SECRETS, click the Copy to clipboard icon. Paste it in the Identity & Access Management Portal in the Client Secret field.

    The application screen has a row of tabs that can be selected at the top of the screen. In the General tab, this example highlights the Client ID and CLIENT SECRETS options to Copy to clipboard.

  8. Select the Assignments tab and assign the application to any users who will use OneStream.

After you create the Okta application, go to the OneStream Identity & Access Management Portal and add the identity provider. See Add an OIDC Identity Provider.

Paste the Redirect URI in the Okta Application

After you add the identity provider in the Identity & Access Management Portal, you must copy the redirect URI from OneStream and paste it in the Okta application.

  1. Copy the redirect URI from the Identity & Access Management Portal in OneStream. See Add an OIDC Identity Provider.

  2. Sign in to Okta and go to Applications > Applications and select your identity provider.

    The Okta Applications screen has a navigation pane on the left and a row of buttons to select at the top of the screen. This example highlights the Applications menu and Applications selection in the navigation pane. It also highlights the identity provider that was just created, which is listed on the screen with blue text that is a link that can be selected.

  3. Go to General Settings and click Edit.

    The General Settings screen has sections listed to the left with a list of options to the right with radio buttons that can be selected or cleared. This example highlights the Edit link in the upper right that is in blue text. It is a link that can be selected.

  4. Go to LOGIN > Sign-in redirect URIs and paste the redirect URI in the field.

  5. Click the Save button.

    The LOGIN screen has sections listed to the left with a list of fields and options to the right with radio buttons that can be selected or cleared. This example highlights the Sign-in redirect URIs field and the Save button.

After you paste the redirect URI in the Okta application, go to the OneStream Identity & Access Management Portal and test the identity provider. See Test an OIDC Identity Provider.

Then, configure users for authentication in OneStream. See How Users are Configured for Authentication.
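
The values copied in the steps above (Issuer URL, Authorization Code grant, redirect URI) can be checked for consistency before you test the identity provider. The following is an added example, not code from OneStream or Okta: the function name `check_idp_settings`, the embedded discovery document, and the redirect URI are constructed placeholders, and the discovery document stands in for the JSON an OIDC provider publishes at `<issuer>/.well-known/openid-configuration`.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of an OIDC discovery document
# (<issuer>/.well-known/openid-configuration); not captured from a real tenant.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://companyname.okta.com",
  "authorization_endpoint": "https://companyname.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://companyname.okta.com/oauth2/v1/token",
  "jwks_uri": "https://companyname.okta.com/oauth2/v1/keys",
  "response_types_supported": ["code", "id_token"],
  "grant_types_supported": ["authorization_code", "refresh_token"]
}""")

def is_https_url(value):
    parts = urlsplit(value or "")
    return parts.scheme == "https" and bool(parts.netloc)

def check_idp_settings(issuer_url, redirect_uri, okta_redirect_uris, discovery):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    if not is_https_url(issuer_url) or "?" in issuer_url or "#" in issuer_url:
        problems.append("issuer: must be an https URL without query or fragment")
    # OIDC Discovery requires the document's issuer to equal the configured
    # issuer exactly, so a trailing slash or different host is a mismatch.
    if discovery.get("issuer") != issuer_url:
        problems.append("issuer: discovery document reports a different issuer")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not is_https_url(discovery.get(key)):
            problems.append(f"{key}: missing or not https")
    # Step 6.2 selects Authorization Code; when grant_types_supported is
    # omitted the specification default is authorization_code and implicit.
    grants = discovery.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("grant: authorization_code not supported")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("grant: response type 'code' not supported")
    if not is_https_url(redirect_uri) or "#" in redirect_uri or "*" in redirect_uri:
        problems.append("redirect: must be https with no fragment or wildcard")
    # Exact string comparison: case, path and trailing slash must all match.
    if redirect_uri not in okta_redirect_uris:
        problems.append("redirect: not in the Okta Sign-in redirect URIs list")
    return problems

# Hypothetical redirect URI standing in for the value the portal shows.
REDIRECT = "https://onestream.example.com/placeholder-callback"

if __name__ == "__main__":
    print(check_idp_settings("https://companyname.okta.com", REDIRECT, [REDIRECT], SAMPLE_DISCOVERY))
```

An empty list means the Issuer URL, grant type, and redirect URI agree; each entry otherwise names the field to recheck in the portal or in the Okta application.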