Skip to content

Configuring Okta integration with Venafi as a Service

If Okta is your SSO solution, this topic shows you how to configure Okta to integrate with Venafi as a Service™ (VaaS).


Because you'll be making changes in both the Okta Admin portal and VaaS, you'll complete the configuration faster if you open both user interfaces side-by-side.

You'll perform three basic tasks:

  1. Configuring Okta to work with VaaS
  2. Testing the connection between VaaS and Okta
  3. Adding a Groups claim (Optional)
Configuring Okta to work with VaaS
  1. Open the Okta Admin portal and create a new application. Select Web as the platform and choose OpenID Connect as the sign-on method.

  2. In General Settings, type VaaS as the application name.

  3. (Optional) Upload this logo file if you plan on making the application visible to users on the Okta portal page:

VaaS logo

  1. Under Configure OpenID Connect, fill in the Login redirect URIs field with the log in URL from the VaaS SSO configuration page.
  2. Save the new application.
  3. (Optional) If you want to publish the VaaS application on the Okta portal, do the following:
  4. Set Login initiated by to Either Okta or App.
  5. Under Application visibility, select Display application icon to users.
  6. Leave Login flow as OIDC Compliant.
  7. Set Initiate login URI to the SSO Login URL.

  8. In Client Credentials, copy the Client ID and Client Secret values and paste them into the VaaS SSO Configuration page.

  9. Click the Sign On tab of the VaaS application.
  10. Under OpenID Connect ID Token, copy the Issuer value and paste it into the Issuer field of the VaaS SSO Configuration page.

You are now done configuring the VaaS application in Okta.

The next step is to test your connection.

Testing the connection between VaaS and Okta
  1. From the VaaS SSO Configuration page, click Test connection.

  2. Type your enterprise credentials into Okta.

    When the authentication succeeds, you're redirected back to the VaaS SSO Configuration page. From there, you can view the claims that were returned in the OIDC token issued by Okta. 1. Save your SSO configuration.

Your users can now sign in using their SSO credentials.

Adding a Groups claim (Optional)

Adding a Groups claim in Okta allows group membership information to be sent to VaaS. While VaaS doesn't yet utilize group membership information, upcoming releases of VaaS include new features and functionality that will improve the way you define and manage users and groups. Of course, it's up to you!

To configure a Groups claim for sending group information to VaaS

  1. In the Okta Admin portal, click the Sign On tab for the VaaS application you created earlier.

  2. Configure Groups claim type with either Filter or Expression, depending on how you have your user groups configured in Okta.


    It's a good idea to consult your Okta documentation and configure the Groups claim to return all groups to which a user is a member (both locally in Okta, as well as any Active Directory mastered groups, when applicable). Refer to this Okta KB article.

  3. In VaaS, from the VaaS SSO Configuration page, under Scopes, add the groups scope so that VaaS will request the Groups claim.